Bug 749820 - Use after free in acl_reset
Summary: Use after free in acl_reset
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-28 15:15 UTC by Markus Armbruster
Modified: 2013-01-10 00:28 UTC (History)
CC: 10 users

Fixed In Version: qemu-kvm-0.12.1.2-2.211.el6
Doc Type: Bug Fix
Doc Text:
Cause: Monitor command acl_reset has a use-after-free bug. Consequence: qemu-kvm can crash (hasn't been observed in the field, though). Fix: Avoid the use of freed memory there. Result: Doesn't crash.
Clone Of:
Environment:
Last Closed: 2012-06-20 11:35:34 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2012:0746 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): qemu-kvm bug fix and enhancement update, last updated 2012-06-19 19:31:48 UTC

Description Markus Armbruster 2011-10-28 15:15:38 UTC
Description of problem:
Monitor command acl_reset reads memory after free.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. $ MALLOC_PERTURB_=234 upstream-qemu --nodefaults --enable-kvm -vnc :0,acl,sasl -S -m 384 -monitor stdio
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual results:
Segmentation fault

Expected results:
Prints "acl: removed all rules"

Additional info:

Comment 2 Markus Armbruster 2011-10-28 15:45:42 UTC
Upstream patch
http://lists.nongnu.org/archive/html/qemu-devel/2011-10/msg03577.html

Comment 5 Markus Armbruster 2011-11-02 08:42:15 UTC
Fixed in upstream commit 0ce6a434.

Comment 11 Chao Yang 2012-02-10 03:27:33 UTC
Reproduced this issue with qemu-kvm-0.12.1.2-2.209.el6.x86_64
Verified with qemu-kvm-0.12.1.2-2.225.el6.x86_64

Steps:
1. MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name test -uuid 3d4aff0c-f8f0-4341-872d-4aabca9d5293 -rtc base=localtime,clock=host,driftfix=slew -boot menu=on -drive file=/home/RHEL-Server-5.8-64-virtio.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0 -netdev tap,id=net -device virtio-net-pci,netdev=net,id=net0,mac=64:31:50:23:49:89 -usb -device usb-tablet,id=input1 -vnc :0,acl,sasl -monitor stdio -balloon none
2. (qemu) acl_add vnc.username fred allow
3. (qemu) acl_reset vnc.username

Actual Result:
---- with qemu-kvm-0.12.1.2-2.209.el6.x86_64, 
after step 3, core dumped:
Core was generated by `/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 2048 -smp 2,sockets=1,cores=2'.
Program terminated with signal 11, Segmentation fault.
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
106	        QTAILQ_REMOVE(&acl->entries, entry, next);
...
(gdb) bt
#0  qemu_acl_reset (acl=0x1c15e20) at acl.c:106
#1  0x0000000000414b29 in do_acl_reset (mon=0x1245a80, qdict=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:2470
#2  0x00000000004177c9 in handle_user_command (mon=0x1245a80, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4144
#3  0x000000000041781a in monitor_command_cb (mon=0x1245a80, cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4697
#4  0x00000000004aba2b in readline_handle_byte (rs=0x1c6e340, ch=<value optimized out>) at readline.c:369
#5  0x0000000000417a3c in monitor_read (opaque=<value optimized out>, buf=0x7fffcea3cda0 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4683
#6  0x00000000004be14b in qemu_chr_read (opaque=0x1035020) at qemu-char.c:170
#7  fd_chr_read (opaque=0x1035020) at qemu-char.c:664
#8  0x000000000040c43f in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4024
#9  0x000000000042aefa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#10 0x000000000040de85 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4234
#11 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6470

---- with qemu-kvm-0.12.1.2-2.225.el6.x86_64, 
after step 3:
(qemu)  acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
acl: removed all rules



Conclusion:
Based on the information above, this issue has been fixed.

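The following is an added example written for this page; it is not qemu's code and uses its own names (acl_entry, acl_add, acl_reset_buggy, acl_reset_safe, model_free, stale_next_after_free, demo_reset are all assumptions). It reproduces the defect class behind the description and Comment 11 in a stand-alone form: a teardown loop that releases the current node in its body and then reads that node's next pointer in the step expression. A singly linked list stands in for qemu's QTAILQ, and model_free() stands in for free(): it quarantines blocks instead of returning them to malloc (so reading them afterwards is still defined C and the program cannot fault) and, when asked to, fills them with 0xEA, which is what glibc does to freed bytes under MALLOC_PERTURB_=234 according to mallopt(3). That models why the crash needed MALLOC_PERTURB_ to show up and why it was never seen in the field: with a plain free the stale next pointer is usually still NULL or still points at a node that has not been released yet, so the loop ends by accident. The safe loop is the save-the-successor-first idiom, which qemu provides as the QTAILQ_FOREACH_SAFE macro; that the upstream fix used exactly that macro is my reading of the commit, not something this page states.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct acl_entry {
    char *match;                 /* rule pattern, owned by the entry */
    int   deny;
    struct acl_entry *next;
};
struct acl {
    struct acl_entry *head;
    int nentries;
};

/* Model of free() with and without MALLOC_PERTURB_.  Released blocks are
 * quarantined (never handed back to malloc), so touching them afterwards
 * stays defined C and the effect of the poison can be observed instead of
 * crashing.  g_perturb mimics MALLOC_PERTURB_=234: freed bytes become 0xEA. */
static int g_perturb = 0;
static int g_freed = 0;
static void model_free(void *p, size_t sz)
{
    if (g_perturb)
        memset(p, 0xEA, sz);
    g_freed++;                   /* block intentionally leaked into quarantine */
}

int acl_add(struct acl *acl, const char *match, int deny)
{
    struct acl_entry *e = malloc(sizeof *e);
    if (!e)
        return -1;
    e->match = strdup(match);
    if (!e->match) {
        free(e);
        return -1;
    }
    e->deny = deny;
    e->next = acl->head;         /* prepend; order is irrelevant for reset */
    acl->head = e;
    return ++acl->nentries;
}

/* BUGGY: the pre-fix shape.  The body releases e, then the step expression
 * "e = e->next" reads the node just released.  With real free() this is
 * undefined behaviour; here it only "works" because model_free() quarantines,
 * and it still follows a 0xEAEA... pointer once g_perturb is set. */
int acl_reset_buggy(struct acl *acl)
{
    struct acl_entry *e;
    int removed = 0;
    acl->nentries = 0;
    for (e = acl->head; e != NULL; e = e->next) {   /* <-- use after free */
        acl->head = e->next;
        model_free(e->match, strlen(e->match) + 1);
        model_free(e, sizeof *e);
        removed++;
    }
    return removed;
}

/* FIXED: save the successor before releasing the current node (the
 * QTAILQ_FOREACH_SAFE idiom), so nothing is read from released memory. */
int acl_reset_safe(struct acl *acl)
{
    struct acl_entry *e, *next;
    int removed = 0;
    for (e = acl->head; e != NULL; e = next) {
        next = e->next;                      /* read BEFORE releasing e */
        model_free(e->match, strlen(e->match) + 1);
        model_free(e, sizeof *e);
        removed++;
    }
    acl->head = NULL;
    acl->nentries = 0;
    return removed;
}

/* What the buggy step expression actually reads after one body iteration:
 * 0 (stale but harmless old value) without perturb, 0xEAEA... with it. */
uintptr_t stale_next_after_free(int perturb)
{
    struct acl acl = { NULL, 0 };
    uintptr_t v;
    g_perturb = perturb;
    acl_add(&acl, "fred", 0);
    struct acl_entry *e = acl.head;
    model_free(e->match, strlen(e->match) + 1);
    model_free(e, sizeof *e);
    memcpy(&v, &e->next, sizeof v);          /* the use after free, byte-wise */
    return v;
}

/* acl_add x3 then reset, as in the monitor session.  Returns rules removed,
 * or -1 if the list or the release count is inconsistent afterwards. */
int demo_reset(int perturb, int use_safe)
{
    struct acl acl = { NULL, 0 };
    g_perturb = perturb;
    g_freed = 0;
    acl_add(&acl, "fred", 0);
    acl_add(&acl, "bob", 1);
    acl_add(&acl, "*", 1);
    int removed = use_safe ? acl_reset_safe(&acl) : acl_reset_buggy(&acl);
    if (acl.head != NULL || acl.nentries != 0 || g_freed != 2 * removed)
        return -1;
    return removed;
}

int main(void)
{
    printf("stale next, no perturb:  %#lx\n", (unsigned long)stale_next_after_free(0));
    printf("stale next, perturb=234: %#lx\n", (unsigned long)stale_next_after_free(1));
    printf("buggy reset, no perturb: removed %d rules\n", demo_reset(0, 0));
    printf("safe reset, perturb=234: removed %d rules\n", demo_reset(1, 1));
    /* demo_reset(1, 0) would follow the 0xEA.. pointer and fault, as in the report */
    return 0;
}
```

The pairing that matters is the last two lines of main: the buggy loop removes all three rules without perturbation and only misbehaves once released memory is overwritten, which is exactly the MALLOC_PERTURB_=234 prefix in the reproduction steps. When auditing teardown loops of this shape, check that the step expression of the loop never dereferences the node the body released; a sanitizer build (for example gcc or clang with -fsanitize=address) reports the read at the `e = e->next` step directly instead of depending on a poisoned pointer to fault later, as the acl.c:106 frame in the backtrace above did.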
Comment 13 Michal Novotny 2012-05-03 17:51:36 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Run a guest and add and reset qemu ACLs.

Consequence:
Qemu-kvm fails with segmentation fault.

Fix:
Use free() in the acl_reset() code.

Result:
Qemu-kvm keeps running

Comment 14 Markus Armbruster 2012-05-03 19:42:16 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1,11 @@
 Cause:
-Run a guest and add and reset qemu ACLs.
+Monitor command acl_reset has a use-after-free bug.
 
 Consequence:
-Qemu-kvm fails with segmentation fault.
+qemu-kvm can crash (hasn't been observed in the field, though).
 
 Fix:
-Use free() in the acl_reset() code.
+Avoid the use of freed memory there.
 
 Result:
-Qemu-kvm keeps running+Doesn't crash.

Comment 15 errata-xmlrpc 2012-06-20 11:35:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html

