Bug 983635 - QMP: bad input crashes QEMU
Summary: QMP: bad input crashes QEMU
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Luiz Capitulino
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-11 15:17 UTC by Luiz Capitulino
Modified: 2013-11-21 07:02 UTC

Fixed In Version: qemu-kvm-0.12.1.2-2.380.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 07:02:19 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHSA-2013:1553 (priority normal, status SHIPPED_LIVE): Important: qemu-kvm security, bug fix, and enhancement update (last updated 2013-11-20 21:40:29 UTC)

Description Luiz Capitulino 2013-07-11 15:17:21 UTC
Description of problem:

Sending a bad QMP input to the QMP server causes QEMU to segfault.

Version-Release number of selected component (if applicable): qemu-kvm-0.12.1.2-2.378.el6


How reproducible:


Steps to Reproduce:
1. Start QEMU with a QMP monitor and negotiate capabilities
2. Send the following command:

{ "execute": "transaction", "arguments": { "actions": [  { 'type': 'blockdev-snapshot-sync' } ] } }

Actual results:

QEMU will segfault.

Expected results:

No segfaults :)

Additional info:

This is only one occurrence of the problem; there are more.

Comment 1 Sibiao Luo 2013-07-12 02:51:02 UTC
Reproduce this issue on qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64.

host info:
kernel-2.6.32-392.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64
guest info:
RHEL-Server-6.4-64
kernel-2.6.32-392.el6.x86_64

Steps:
1. Boot guest with QMP service.
# /usr/libexec/qemu-kvm -S -M rhel6.4.0 -cpu host -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -no-kvm-pit-reinjection -name sluo-test -uuid `uuidgen` -rtc base=localtime,clock=host,driftfix=slew -drive file=/home/RHEL-Server-6.4-64-virtio.qcow2,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-scsi-pci,bus=pci.0,addr=0x3,id=scsi0 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:1d:b1,bus=pci.0,addr=0x4,bootindex=2,ioeventfd=off -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x5 -qmp tcp:0:4444,server,nowait -k en-us -boot menu=on -vnc :2 -spice disable-ticketing,port=5932 -vga qxl -monitor stdio
2. Connect to the QMP.
$ telnet 10.66.11.229 4444
3. After guest boots up, do blockdev-snapshot-sync.
{"execute":"qmp_capabilities"}
{"return": {}}
{ "execute": "transaction", "arguments": { "actions": [  { 'type': 'blockdev-snapshot-sync' } ] } }

Results:
After step 3, QEMU exits with a segmentation fault (core dumped).
(gdb) bt
#0  0x00007f80e9af21b3 in visit_type_BlockdevSnapshot (m=0x7f80ecaf0160, obj=0x7f80ec1b03c8, name=<value optimized out>, 
    errp=0x7fff671680d8) at rhev-qapi-visit.c:29
#1  0x00007f80e9af2598 in visit_type_BlockdevAction (m=0x7f80ecaf0160, obj=0x7f80ec1b0120, name=<value optimized out>, 
    errp=0x7fff671680d8) at rhev-qapi-visit.c:114
#2  0x00007f80e9af2620 in visit_type_BlockdevActionList (m=0x7f80ecaf0160, obj=<value optimized out>, 
    name=<value optimized out>, errp=0x7fff671680d8) at rhev-qapi-visit.c:134
#3  0x00007f80e9af3756 in qmp_marshal_input_transaction (mon=<value optimized out>, qdict=<value optimized out>, 
    ret=<value optimized out>) at rhev-qmp-marshal.c:100
#4  0x00007f80e9a40e50 in monitor_call_handler (mon=0x7f80ebf09810, cmd=0x7f80e9f230b8, params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
#5  0x00007f80e9a41ad4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
#6  0x00007f80e9a9a624 in json_message_process_token (lexer=0x7f80ec089fb0, token=0x7f80ec750e50, type=JSON_OPERATOR, x=
    99, y=2) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#7  0x00007f80e9a9a2c0 in json_lexer_feed_char (lexer=0x7f80ec089fb0, ch=125 '}', flush=false)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#8  0x00007f80e9a9a409 in json_lexer_feed (lexer=0x7f80ec089fb0, buffer=0x7fff67168300 "} \005Ԁ\177", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#9  0x00007f80e9a4077b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, 
    size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#10 0x00007f80e9abdd8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=
    0x7f80ebe8eee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7f80ebe8eee0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
#12 0x00007f80e90ddf0e in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x00007f80e9a393ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
#15 0x00007f80e9a5bc6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#16 0x00007f80e9a3cd48 in main_loop (argc=44, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
#17 main (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627
(gdb) bt full
#0  0x00007f80e9af21b3 in visit_type_BlockdevSnapshot (m=0x7f80ecaf0160, obj=0x7f80ec1b03c8, name=<value optimized out>, 
    errp=0x7fff671680d8) at rhev-qapi-visit.c:29
No locals.
#1  0x00007f80e9af2598 in visit_type_BlockdevAction (m=0x7f80ecaf0160, obj=0x7f80ec1b0120, name=<value optimized out>, 
    errp=0x7fff671680d8) at rhev-qapi-visit.c:114
        err = 0x0
#2  0x00007f80e9af2620 in visit_type_BlockdevActionList (m=0x7f80ecaf0160, obj=<value optimized out>, 
    name=<value optimized out>, errp=0x7fff671680d8) at rhev-qapi-visit.c:134
        native_i = <value optimized out>
        i = 0x7f80ec1b0120
        head = <value optimized out>
#3  0x00007f80e9af3756 in qmp_marshal_input_transaction (mon=<value optimized out>, qdict=<value optimized out>, 
    ret=<value optimized out>) at rhev-qmp-marshal.c:100
        local_err = 0x7f80ec1b0870
        errp = 0x7fff671680d8
        args = <value optimized out>
        mi = 0x7f80ecaf0160
        md = <value optimized out>
        v = <value optimized out>
        actions = 0x7f80ec1b0120
#4  0x00007f80e9a40e50 in monitor_call_handler (mon=0x7f80ebf09810, cmd=0x7f80e9f230b8, params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
        ret = <value optimized out>
        data = 0x0
#5  0x00007f80e9a41ad4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
        err = <value optimized out>
        obj = <value optimized out>
        input = <value optimized out>
        args = 0x7f80ecc42e30
        cmd = 0x7f80e9f230b8
        mon = 0x7f80ebf09810
        cmd_name = <value optimized out>
        query_cmd = 0x0
        __func__ = "handle_qmp_command"
#6  0x00007f80e9a9a624 in json_message_process_token (lexer=0x7f80ec089fb0, token=0x7f80ec750e50, type=JSON_OPERATOR, x=
    99, y=2) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
        parser = 0x7f80ec089fa8
        dict = 0x7f80ecc40df0
#7  0x00007f80e9a9a2c0 in json_lexer_feed_char (lexer=0x7f80ec089fb0, ch=125 '}', flush=false)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
        char_consumed = 1
        new_state = <value optimized out>
#8  0x00007f80e9a9a409 in json_lexer_feed (lexer=0x7f80ec089fb0, buffer=0x7fff67168300 "} \005Ԁ\177", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
        err = <value optimized out>
        i = <value optimized out>
#9  0x00007f80e9a4077b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, 
    size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
        old_mon = 0x0
#10 0x00007f80e9abdd8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=
    0x7f80ebe8eee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
No locals.
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7f80ebe8eee0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
        chr = 0x7f80ebe8eee0
        s = 0x7f80ebe8efa0
        buf = 
    "} \005Ԁ\177\000\000\020\240\002Ԁ\177\000\000\270\203\026g\377\177\000\000\023\247\071\347\200\177\000\000\270\203\026g\377\177\000\000(\205\352\353\200\177\000\000\240\203\026g\377\177\000\000y~9\351\200\177\000\000(\205\352\353\200\177\000\000\060\244\247\351\200\177\000\000\020 \005Ԁ\177\000\000\211\237\247\351\001\000\000\000\020 \005Ԁ\177\000\000Y\205\071\351\200\177\000\000\000\000\000\000\000\000\000\000Ҽ\247\351\200\177\000\000\001\004\000\000\001\000\000\000\240\223\026g\377\177\000\000\270\223\026g\377\177\000\000\270\203\026g\377\177\000\000\000\000\000\000\000\000\000\000@\240\002Ԁ\177\000\000\000\200\000\000\000\000\000\000Y\205\071\351\200\177\000\000\000\000\000\000\000\000\000\000Ŷ\245\351\200\177\000\000\001", '\000' <repeats 24 times>, "\f\002Ԁ\177\000\000\000\020", '\000' <repeats 22 times>"\240, E\003Ԁ\177\000\000\000 ", '\000' <repeats 22 times>, "P!\005Ԁ\177\000\000\000"...
        len = <value optimized out>
        size = <value optimized out>
#12 0x00007f80e90ddf0e in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#13 0x00007f80e9a393ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
        context = 0x7f80ebe90500
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
        ioh = <value optimized out>
        rfds = {fds_bits = {8589934592, 0 <repeats 15 times>}}
        wfds = {fds_bits = {0 <repeats 16 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = <value optimized out>
        nfds = 33
        tv = {tv_sec = 0, tv_usec = 999994}
#15 0x00007f80e9a5bc6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
        fds = {24, 25}
        mask = {__val = {268443712, 0 <repeats 15 times>}}
        sigfd = 26
#16 0x00007f80e9a3cd48 in main_loop (argc=44, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
        r = <value optimized out>
#17 main (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627
        gdbstub_dev = 0x0
        i = <value optimized out>
        snapshot = 0
        linux_boot = 0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x7f80e9bf58af ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = <value optimized out>
        dcl = <value optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x7f80e9f52250
        opts = <value optimized out>
        olist = <value optimized out>
        optind = 44
        optarg = 0x7fff6716b7cf "stdio"
        loadvm = 0x0
        machine = 0x7f80e9f4baa0
        cpu_model = 0x7fff6716b4a4 "host"
        fds = {-375701504, 32640}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = <value optimized out>
        show_vnc_port = 0
        defconfig = <value optimized out>
        defconfig_verbose = <value optimized out>
(gdb) 

Best Regards,
sluo

Comment 2 Miroslav Rezanina 2013-07-18 10:22:41 UTC
Fixed in qemu-kvm-0.12.1.2-2.379.el6

Comment 5 mazhang 2013-07-26 05:34:37 UTC
Reproduced with:
qemu-kvm-rhev-0.12.1.2-2.378.el6.x86_64
kernel-2.6.32-400.el6.x86_64

Steps: refer to comment 1.

QEMU quit with a segmentation fault after doing blockdev-snapshot-sync.

(gdb) bt
#0  0x00007ffff7e8f1b3 in visit_type_BlockdevSnapshot (m=0x7ffff9c05e70, obj=0x7ffff8b01fe8, 
    name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:29
#1  0x00007ffff7e8f598 in visit_type_BlockdevAction (m=0x7ffff9c05e70, obj=0x7ffff8c32fe0, 
    name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:114
#2  0x00007ffff7e8f620 in visit_type_BlockdevActionList (m=0x7ffff9c05e70, obj=<value optimized out>, 
    name=<value optimized out>, errp=0x7fffffffb5e8) at rhev-qapi-visit.c:134
#3  0x00007ffff7e90756 in qmp_marshal_input_transaction (mon=<value optimized out>, 
    qdict=<value optimized out>, ret=<value optimized out>) at rhev-qmp-marshal.c:100
#4  0x00007ffff7ddde50 in monitor_call_handler (mon=0x7ffff88e0570, cmd=0x7ffff82c00b8, 
    params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4359
#5  0x00007ffff7ddead4 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4982
#6  0x00007ffff7e37624 in json_message_process_token (lexer=0x7ffff88e0620, token=0x7ffff900bf40, 
    type=JSON_OPERATOR, x=99, y=1) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#7  0x00007ffff7e372c0 in json_lexer_feed_char (lexer=0x7ffff88e0620, ch=125 '}', flush=false)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#8  0x00007ffff7e37409 in json_lexer_feed (lexer=0x7ffff88e0620, buffer=0x7fffffffb810 "}\270\377\377\377\177", 
    size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#9  0x00007ffff7ddd77b in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, 
    size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#10 0x00007ffff7e5ad8a in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, 
    opaque=0x7ffff86e1e00) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:191
#11 tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e1e00)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2349
#12 0x00007ffff7461eb2 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x00007ffff7dd63ca in glib_select_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3993
#14 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4066
#15 0x00007ffff7df8c6a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#16 0x00007ffff7dd9d48 in main_loop (argc=57, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
#17 main (argc=57, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6627

Comment 6 mazhang 2013-07-26 07:27:22 UTC
Verified this bug with qemu-kvm-rhev-0.12.1.2-2.381.el6.x86_64

Steps: refer to comment 1.
qemu-kvm works well after doing blockdev-snapshot-sync, and QMP replies:

{ "execute": "transaction", "arguments": { "actions": [  { 'type': 'blockdev-snapshot-sync' } ] } }
{"error": {"class": "InvalidParameterType", "desc": "Invalid parameter type, expected: QDict", "data": {"name": "data", "expected": "QDict"}}}
{"error": {"class": "JSONParsing", "desc": "Invalid JSON syntax", "data": {}}}
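
Added example, not part of this bug report or of qemu-kvm: a small Python probe that automates what the description and comment 6 do by hand. It opens a QMP connection, negotiates capabilities, sends the reproducer from the description (an action with a type but no data member, written in standard JSON rather than with single quotes) plus two constructed variants of the same bad-input class, and classifies each outcome as "error" (the server rejected the input, as the fixed package does in comment 6) or "crash" (the connection went away without a reply, as the segfault in comment 1 looks from the client side). The fake_qmp_server in the block is a stand-in for offline demonstration, not QEMU; the extra variants, the fake server's behaviour and the fake's error text for unknown commands are assumptions.

```python
"""Probe a QMP monitor with malformed 'transaction' input and classify the
reply: 'error' (input rejected) or 'crash' (peer gone without a reply).
fake_qmp_server is a stand-in for demonstration, not QEMU."""
import json
import socket
import sys
import threading

# Reproducer from the bug report (standard JSON), then two constructed
# variants of the same bad-input class (assumed cases, not from the report).
MALFORMED = [
    {"execute": "transaction",                       # 'data' member missing
     "arguments": {"actions": [{"type": "blockdev-snapshot-sync"}]}},
    {"execute": "transaction",                       # 'data' is not a dict
     "arguments": {"actions": [{"type": "blockdev-snapshot-sync", "data": 42}]}},
    {"execute": "transaction",                       # 'type' member missing
     "arguments": {"actions": [{"data": {"device": "drive-system-disk"}}]}},
]

# The reply the fixed qemu-kvm gives (copied from comment 6).
INVALID_PARAMETER_TYPE = {"error": {
    "class": "InvalidParameterType",
    "desc": "Invalid parameter type, expected: QDict",
    "data": {"name": "data", "expected": "QDict"}}}


def _send(sock, obj):
    sock.sendall(json.dumps(obj).encode() + b"\n")


def _recv(rf):
    """Read one newline-terminated JSON object; None if the peer went away."""
    line = rf.readline()
    return json.loads(line) if line else None


def classify(reply):
    if reply is None:
        return "crash"        # EOF without a reply: the server process is gone
    if "error" in reply:
        return "error"
    if "return" in reply:
        return "return"
    return "unexpected"


def probe(connect, cmd):
    """Open a fresh connection, negotiate capabilities, send cmd, classify."""
    try:
        sock = connect()
    except OSError:
        return "unreachable"  # e.g. QEMU already dead from an earlier probe
    rf = sock.makefile("rb")
    try:
        greeting = _recv(rf)
        if greeting is None or "QMP" not in greeting:
            return "no-greeting"
        _send(sock, {"execute": "qmp_capabilities"})
        if classify(_recv(rf)) != "return":
            return "negotiation-failed"
        _send(sock, cmd)
        return classify(_recv(rf))
    except socket.timeout:
        return "timeout"
    finally:
        rf.close()
        sock.close()


def probe_all(connect, commands=MALFORMED):
    return [probe(connect, c) for c in commands]


def _actions_ok(msg):
    """Validation the stand-in applies: every action is a dict carrying
    a 'type' and a dict-valued 'data' (assumed shape for the demo)."""
    args = msg.get("arguments")
    actions = args.get("actions") if isinstance(args, dict) else None
    return isinstance(actions, list) and all(
        isinstance(a, dict) and "type" in a and isinstance(a.get("data"), dict)
        for a in actions)


def fake_qmp_server(sock, fixed):
    """Stand-in QMP server (NOT QEMU). fixed=True answers bad input with the
    error from comment 6; fixed=False drops the connection without a reply,
    which is what a segfaulting server looks like to the client."""
    rf = sock.makefile("rb")
    _send(sock, {"QMP": {"version": {}, "capabilities": []}})
    while True:
        msg = _recv(rf)
        if msg is None:
            break
        cmd = msg.get("execute")
        if cmd == "qmp_capabilities":
            _send(sock, {"return": {}})
        elif cmd == "transaction" and _actions_ok(msg):
            _send(sock, {"return": {}})
        elif cmd == "transaction" and fixed:
            _send(sock, INVALID_PARAMETER_TYPE)
        elif cmd == "transaction":
            break                      # simulated segfault: no reply, just EOF
        else:
            _send(sock, {"error": {"class": "CommandNotFound",
                                   "desc": "The command has not been found",
                                   "data": {"name": cmd}}})
    rf.close()
    sock.close()


def fake_connect(fixed):
    """Return a connect() that pairs each client with a fresh fake server."""
    def connect():
        client, server = socket.socketpair()
        threading.Thread(target=fake_qmp_server, args=(server, fixed),
                         daemon=True).start()
        return client
    return connect


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python qmp_probe.py HOST PORT  (real -qmp tcp monitor)
        host, port = sys.argv[1], int(sys.argv[2])
        def connect():
            return socket.create_connection((host, port), timeout=10)
    else:                    # offline demo against the unfixed stand-in
        connect = fake_connect(fixed=False)
    for cmd, result in zip(MALFORMED, probe_all(connect)):
        print(f"{result:8} {json.dumps(cmd)}")
```

Against a real monitor started with `-qmp tcp:0:4444,server,nowait` as in comment 1, run `python qmp_probe.py 127.0.0.1 4444`; each probe uses a fresh connection, so a build that segfaults on the first command reports "crash" for it and "unreachable" for the rest until QEMU is restarted. Only "error" across the board is a pass.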

Comment 8 errata-xmlrpc 2013-11-21 07:02:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html

