Bug 914931 - FileIn commands cause segfault if appliance dies during the file copy in
Summary: FileIn commands cause segfault if appliance dies during the file copy in
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libguestfs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact:
URL:
Whiteboard:
Depends On: 914934
Blocks:
 
Reported: 2013-02-23 14:28 UTC by Richard W.M. Jones
Modified: 2013-02-23 21:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-23 21:01:27 UTC
Embargoed:



Description Richard W.M. Jones 2013-02-23 14:28:30 UTC
Description of problem:

$ guestfish -a data1.raw -m /dev/sda1 tar-out / - | guestfish -a data2.raw -m /dev/VG/LV tar-in - /
*** buffer overflow detected ***: guestfish terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x328c70a697]
/lib64/libc.so.6[0x328c708810]
/lib64/libc.so.6[0x328c70a607]
/lib64/libguestfs.so.0[0x3b9dc9f905]
/lib64/libguestfs.so.0[0x3b9dca09d2]
/lib64/libguestfs.so.0(guestfs_tar_in_opts_argv+0x3b8)[0x3b9dc43a58]
guestfish[0x41cda1]
guestfish[0x43c5a8]
guestfish[0x40f0a9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x328c621a05]
guestfish[0x40f29d]
======= Memory map: ========
00400000-0049a000 r-xp 00000000 fd:02 3150983                            /usr/bin/guestfish
00699000-006b1000 r--p 00099000 fd:02 3150983                            /usr/bin/guestfish
006b1000-006b7000 rw-p 000b1000 fd:02 3150983                            /usr/bin/guestfish
006b7000-006b9000 rw-p 00000000 00:00 0 
008b6000-008c2000 rw-p 000b6000 fd:02 3150983                            /usr/bin/guestfish
009da000-00e25000 rw-p 00000000 00:00 0                                  [heap]
328c200000-328c220000 r-xp 00000000 fd:02 3145998                        /usr/lib64/ld-2.16.so
328c420000-328c421000 r--p 00020000 fd:02 3145998                        /usr/lib64/ld-2.16.so
328c421000-328c422000 rw-p 00021000 fd:02 3145998                        /usr/lib64/ld-2.16.so
328c422000-328c423000 rw-p 00000000 00:00 0 
328c600000-328c7ad000 r-xp 00000000 fd:02 3146115                        /usr/lib64/libc-2.16.so
328c7ad000-328c9ad000 ---p 001ad000 fd:02 3146115                        /usr/lib64/libc-2.16.so
328c9ad000-328c9b1000 r--p 001ad000 fd:02 3146115                        /usr/lib64/libc-2.16.so
328c9b1000-328c9b3000 rw-p 001b1000 fd:02 3146115                        /usr/lib64/libc-2.16.so
328c9b3000-328c9b8000 rw-p 00000000 00:00 0 
328ca00000-328ca16000 r-xp 00000000 fd:02 3146197                        /usr/lib64/libpthread-2.16.so
328ca16000-328cc16000 ---p 00016000 fd:02 3146197                        /usr/lib64/libpthread-2.16.so
328cc16000-328cc17000 r--p 00016000 fd:02 3146197                        /usr/lib64/libpthread-2.16.so
328cc17000-328cc18000 rw-p 00017000 fd:02 3146197                        /usr/lib64/libpthread-2.16.so
328cc18000-328cc1c000 rw-p 00000000 00:00 0 
328ce00000-328cf00000 r-xp 00000000 fd:02 3146939                        /usr/lib64/libm-2.16.so
328cf00000-328d0ff000 ---p 00100000 fd:02 3146939                        /usr/lib64/libm-2.16.so
328d0ff000-328d100000 r--p 000ff000 fd:02 3146939                        /usr/lib64/libm-2.16.so
328d100000-328d101000 rw-p 00100000 fd:02 3146939                        /usr/lib64/libm-2.16.so
328d200000-328d203000 r-xp 00000000 fd:02 3146513                        /usr/lib64/libdl-2.16.so
328d203000-328d402000 ---p 00003000 fd:02 3146513                        /usr/lib64/libdl-2.16.so
328d402000-328d403000 r--p 00002000 fd:02 3146513                        /usr/lib64/libdl-2.16.so
328d403000-328d404000 rw-p 00003000 fd:02 3146513                        /usr/lib64/libdl-2.16.so
328d600000-328d607000 r-xp 00000000 fd:02 3146293                        /usr/lib64/librt-2.16.so
328d607000-328d806000 ---p 00007000 fd:02 3146293                        /usr/lib64/librt-2.16.so
328d806000-328d807000 r--p 00006000 fd:02 3146293                        /usr/lib64/librt-2.16.so
328d807000-328d808000 rw-p 00007000 fd:02 3146293                        /usr/lib64/librt-2.16.so
328da00000-328da15000 r-xp 00000000 fd:02 3146659                        /usr/lib64/libz.so.1.2.7
328da15000-328dc14000 ---p 00015000 fd:02 3146659                        /usr/lib64/libz.so.1.2.7
328dc14000-328dc15000 r--p 00014000 fd:02 3146659                        /usr/lib64/libz.so.1.2.7
328dc15000-328dc16000 rw-p 00015000 fd:02 3146659                        /usr/lib64/libz.so.1.2.7
328de00000-328de15000 r-xp 00000000 fd:02 3149181                        /usr/lib64/libgcc_s-4.7.2-20121109.so.1
328de15000-328e014000 ---p 00015000 fd:02 3149181                        /usr/lib64/libgcc_s-4.7.2-20121109.so.1
328e014000-328e015000 r--p 00014000 fd:02 3149181                        /usr/lib64/libgcc_s-4.7.2-20121109.so.1
328e015000-328e016000 rw-p 00015000 fd:02 3149181                        /usr/lib64/libgcc_s-4.7.2-20121109.so.1
328e200000-328e25c000 r-xp 00000000 fd:02 3146664                        /usr/lib64/libpcre.so.1.0.1
328e25c000-328e45c000 ---p 0005c000 fd:02 3146664                        /usr/lib64/libpcre.so.1.0.1
328e45c000-328e45d000 r--p 0005c000 fd:02 3146664                        /usr/lib64/libpcre.so.1.0.1
328e45d000-328e45e000 rw-p 0005d000 fd:02 3146664                        /usr/lib64/libpcre.so.1.0.1
328ea00000-328ea0b000 r-xp 00000000 fd:02 3150319                        /usr/lib64/libconfig.so.9.1.2
328ea0b000-328ec0a000 ---p 0000b000 fd:02 3150319                        /usr/lib64/libconfig.so.9.1.2
328ec0a000-328ec0b000 r--p 0000a000 fd:02 3150319                        /usr/lib64/libconfig.so.9.1.2
328ec0b000-328ec0c000 rw-p 0000b000 fd:02 3150319                        /usr/lib64/libconfig.so.9.1.2
328ee00000-328ee16000 r-xp 00000000 fd:02 3146761                        /usr/lib64/libresolv-2.16.so
328ee16000-328f015000 ---p 00016000 fd:02 3146761                        /usr/lib64/libresolv-2.16.so
328f015000-328f016000 r--p 00015000 fd:02 3146761                        /usr/lib64/libresolv-2.16.so
328f016000-328f017000 rw-p 00016000 fd:02 3146761                        /usr/lib64/libresolv-2.16.so
328f017000-328f019000 rw-p 00000000 00:00 0 
3290e00000-3290e3c000 r-xp 00000000 fd:02 3150332                        /usr/lib64/libreadline.so.6.2
3290e3c000-329103b000 ---p 0003c000 fd:02 3150332                        /usr/lib64/libreadline.so.6.2
329103b000-329103d000 r--p 0003b000 fd:02 3150332                        /usr/lib64/libreadline.so.6.2
329103d000-3291043000 rw-p 0003d000 fd:02 3150332                        /usr/lib64/libreadline.so.6.2
3291043000-3291045000 rw-p 00000000 00:00 0 
3291600000-3291602000 r-xp 00000000 fd:02 3149180                        /usr/lib64/libsystemd-daemon.so.0.0.7
3291602000-3291802000 ---p 00002000 fd:02 3149180                        /usr/lib64/libsystemd-daemon.so.0.0.7
3291802000-3291803000 r--p 00002000 fd:02 3149180                        /usr/lib64/libsystemd-daemon.so.0.0.7
3291803000-3291804000 rw-p 00000000 00:00 0 
3291e00000-3291e44000 r-xp 00000000 fd:02 3149218                        /usr/lib64/libdbus-1.so.3.7.2
3291e44000-3292043000 ---p 00044000 fd:02 3149218                        /usr/lib64/libdbus-1.so.3.7.2
3292043000-3292044000 r--p 00043000 fd:02 3149218                        /usr/lib64/libdbus-1.so.3.7.2
libguestfs: error: /dev/stdout: write: Broken pipe
libguestfs: error: file receive cancelled by daemon
Aborted (core dumped)

Version-Release number of selected component (if applicable):

libguestfs-tools-c-1.20.2-5.fc18.x86_64

How reproducible:

100%

Steps to Reproduce:
1. See command above.

Comment 1 Richard W.M. Jones 2013-02-23 14:32:23 UTC
Full stack trace:

#0  0x000000328c635ba5 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x000000328c637358 in __GI_abort () at abort.c:90
#2  0x000000328c67559b in __libc_message (do_abort=do_abort@entry=2, 
    fmt=fmt@entry=0x328c7787ff "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x000000328c70a697 in __GI___fortify_fail (
    msg=msg@entry=0x328c7787a5 "buffer overflow detected") at fortify_fail.c:31
#4  0x000000328c708810 in __GI___chk_fail () at chk_fail.c:28
#5  0x000000328c70a607 in __fdelt_chk (d=<optimized out>) at fdelt_chk.c:25
#6  0x0000003b9dc9f905 in recv_from_daemon (buf_rtn=0x7fffa4284aa8, 
    size_rtn=0x7fffa4284aa4, g=0x9731e0) at proto.c:498
#7  guestfs___recv_from_daemon (g=g@entry=0x9731e0, 
    size_rtn=size_rtn@entry=0x7fffa4284aa4, 
    buf_rtn=buf_rtn@entry=0x7fffa4284aa8) at proto.c:659
#8  0x0000003b9dca09d2 in guestfs___recv_discard (g=g@entry=0x9731e0, 
    fn=fn@entry=0x3b9dcbb530 "tar_in") at proto.c:1047
#9  0x0000003b9dc43a58 in guestfs_tar_in_opts_argv (g=0x9731e0, 
    tarfile=tarfile@entry=0x965dc0 "/dev/stdin", 
    directory=directory@entry=0x96b970 "/", optargs=<optimized out>, 
    optargs@entry=0x7fffa4284c00) at actions-3.c:2583
#10 0x000000000041cda1 in run_tar_in (cmd=0x7fffa428536e "tar-in", argc=2, 
    argv=<optimized out>) at cmds.c:8992
#11 0x000000000043c5a8 in issue_command (cmd=0x7fffa428536e "tar-in", 
    argv=0x7fffa4284ef8, pipecmd=pipecmd@entry=0x0, 
    rc_exit_on_error_flag=rc_exit_on_error_flag@entry=1) at fish.c:1140
#12 0x000000000040f0a9 in cmdline (argc=10, optind=10, argv=<optimized out>)
    at fish.c:1043
#13 main (argc=<optimized out>, argv=0x7fffa4284eb8) at fish.c:561

Comment 2 Richard W.M. Jones 2013-02-23 14:33:20 UTC
(gdb) frame 8
#8  0x0000003b9dca09d2 in guestfs___recv_discard (g=g@entry=0x9731e0, 
    fn=fn@entry=0x3b9dcbb530 "tar_in") at proto.c:1047
1047	  r = guestfs___recv_from_daemon (g, &size, &buf);
(gdb) print size
$1 = 0
(gdb) print buf
$2 = (void *) 0x0

Comment 3 Richard W.M. Jones 2013-02-23 14:36:46 UTC
Ignore comment 2.

The real error is because g->sock == -1, causing an attempt
to set the -1'th element of an fd_set:

(gdb) frame 6
#6  0x0000003b9dc9f905 in recv_from_daemon (buf_rtn=0x7fffa4284aa8, 
    size_rtn=0x7fffa4284aa4, g=0x9731e0) at proto.c:498
498	  FD_SET (g->sock, &rset);      /* Read socket for data & EOF. */
(gdb) print rset
$3 = {fds_bits = {0 <repeats 16 times>}}
(gdb) print g->sock
$4 = -1
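The crash path in comment 3 is FD_SET on a descriptor of -1: with _FORTIFY_SOURCE, glibc routes FD_SET through __fdelt_chk, which aborts the process with "buffer overflow detected" rather than indexing the fd_set out of bounds. The following is an added example, not libguestfs code, showing the defensive pattern a receive loop wants: validate the descriptor before building the select set and turn a closed daemon socket into an ordinary error return. The `struct handle` stand-in and the pipe used as a fake daemon socket are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>

/* Hypothetical minimal stand-in for the library handle: only the daemon
 * socket matters here.  -1 means the appliance has already gone away. */
struct handle {
  int sock;
};

/* Validate a descriptor before FD_SET.  The fortified FD_SET aborts the
 * whole process when fd is negative or >= FD_SETSIZE; rejecting it here
 * keeps a dead appliance from becoming a crash of the caller. */
static int
fd_set_checked (int fd, fd_set *set)
{
  if (fd < 0 || fd >= FD_SETSIZE) {
    errno = EBADF;
    return -1;
  }
  FD_SET (fd, set);
  return 0;
}

/* Build the read set for a select loop.  Returns 0 on success, -1 if the
 * daemon connection is already closed (g->sock == -1). */
static int
prepare_read_set (const struct handle *g, fd_set *rset, int *maxfd)
{
  FD_ZERO (rset);
  if (fd_set_checked (g->sock, rset) == -1) {
    fprintf (stderr, "daemon connection closed, cannot receive\n");
    return -1;
  }
  *maxfd = g->sock;
  return 0;
}

/* Receive up to len bytes once the socket is known to be valid.
 * Returns bytes read, 0 at EOF, -1 if the handle is unusable or no
 * data arrived within the timeout. */
static ssize_t
recv_checked (const struct handle *g, void *buf, size_t len)
{
  fd_set rset;
  int maxfd;
  if (prepare_read_set (g, &rset, &maxfd) == -1)
    return -1;
  struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
  int r = select (maxfd + 1, &rset, NULL, NULL, &tv);
  if (r <= 0)
    return -1;
  return read (g->sock, buf, len);
}

/* Probe helper: FD_ZERO a fresh set and report what fd_set_checked says. */
static int
probe_fd (int fd)
{
  fd_set s;
  FD_ZERO (&s);
  return fd_set_checked (fd, &s);
}

/* Self-test using a pipe as a constructed stand-in for the daemon socket:
 * first a live connection delivering "hello", then the socket set to -1
 * as if the appliance had died mid-transfer.  Returns 0 on success. */
static int
demo (void)
{
  int fds[2];
  char buf[16];
  if (pipe (fds) == -1)
    return -1;
  struct handle g = { .sock = fds[0] };
  if (write (fds[1], "hello", 5) != 5)
    return -1;
  ssize_t n = recv_checked (&g, buf, sizeof buf);   /* expect 5 */
  close (fds[0]);
  close (fds[1]);
  g.sock = -1;                                      /* appliance died */
  ssize_t m = recv_checked (&g, buf, sizeof buf);   /* expect -1, no abort */
  return (n == 5 && m == -1) ? 0 : 1;
}

int
main (void)
{
  return demo ();
}
```

The same check also covers the opposite corner, descriptors at or above FD_SETSIZE, which the fortified macro rejects for the same reason; a real receive loop would additionally report the closed-socket case through the library's own error path instead of stderr.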

Comment 4 Richard W.M. Jones 2013-02-23 14:43:44 UTC
Slightly unexpected, but it turns out the cause of this is
an oom error in guestfsd causing the appliance to die.  Since
there are now *two* bugs, I've opened another one (bug 914934).

