Bug 991348 - To send a QEMU guest agent command to LXC guest will crash libvirtd
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64 Linux
Priority: high, Severity: high
Target Milestone: rc
Assigned To: Daniel Berrange
QA Contact: Virtualization Bugs
Reported: 2013-08-02 04:11 EDT by Alex Jia
Modified: 2014-06-17 20:52 EDT

Fixed In Version: libvirt-1.1.1-2.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 05:43:33 EDT
Type: Bug


Description Alex Jia 2013-08-02 04:11:47 EDT
Description of problem:
As summary, although it's not a recommended or permitted use case, it shouldn't crash libvirtd at least.

Version-Release number of selected component (if applicable):
# rpm -q libvirt libvirt-sandbox
libvirt-1.1.1-1.el7.x86_64
libvirt-sandbox-0.5.0-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. virt-sandbox -c lxc:/// /bin/sh
2. virsh -c lxc:/// list
3. virsh -c lxc:// qemu-agent-command sandbox "abc"

Actual results:

# virt-sandbox -c lxc:/// /bin/sh
sh-4.2#


# virsh -c lxc:/// list
 Id    Name                           State
----------------------------------------------------
 11840 sandbox                        running


# virsh -c lxc:// qemu-agent-command sandbox "abc"
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor


Expected results:
no crash and raise error "this function is not supported by the connection driver".

Additional info:

GDB backtrace:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6f81ff4700 (LWP 11675)]
0x00007f6f8e8e8138 in __strchr_sse42 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f6f8e8e8138 in __strchr_sse42 () from /lib64/libc.so.6
#1  0x00007f6f916e7ec0 in journalAddString (state=state@entry=0x7f6f81ff2e80, field=field@entry=0x7f6f9186f975 "CODE_FILE", value=value@entry=0x0) at util/virlog.c:1092
#2  0x00007f6f916e82b4 in virLogOutputToJournald (source=VIR_LOG_FROM_FILE, priority=VIR_LOG_ERROR, filename=0x0, linenr=240, funcname=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand", 
    timestamp=<optimized out>, metadata=0x0, flags=0, rawstr=0x7f6f58000c00 "this function is not supported by the connection driver: virDomainQemuAgentCommand",
    str=0x7f6f58000e20 "11675: error : virDomainQemuAgentCommand:240 : this function is not supported by the connection driver: virDomainQemuAgentCommand\n", data=0x0) at util/virlog.c:1184
#3  0x00007f6f916e8ed7 in virLogVMessage (source=VIR_LOG_FROM_FILE, priority=VIR_LOG_ERROR, filename=0x0, linenr=240, funcname=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand", metadata=0x0, 
    fmt=fmt@entry=0x7f6f91878115 "%s", vargs=vargs@entry=0x7f6f81ff3338) at util/virlog.c:877
#4  0x00007f6f916e9227 in virLogMessage (source=<optimized out>, priority=<optimized out>, filename=filename@entry=0x0, linenr=linenr@entry=240, 
    funcname=funcname@entry=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand", metadata=metadata@entry=0x0, fmt=fmt@entry=0x7f6f91878115 "%s") at util/virlog.c:772
#5  0x00007f6f916da9cb in virRaiseErrorFull (filename=filename@entry=0x0, funcname=funcname@entry=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand", linenr=linenr@entry=240, 
    domain=domain@entry=0, code=code@entry=3, level=level@entry=VIR_ERR_ERROR, str1=0x7f6f9186a6d0 "this function is not supported by the connection driver: %s",
    str2=str2@entry=0x7f6f81ff35c0 "virDomainQemuAgentCommand", str3=str3@entry=0x0, int1=int1@entry=-1, int2=int2@entry=-1, fmt=0x7f6f9186a6d0 "this function is not supported by the connection driver: %s")
    at util/virerror.c:705
#6  0x00007f6f916dab74 in virReportErrorHelper (domcode=domcode@entry=0, errorcode=errorcode@entry=3, filename=filename@entry=0x0, 
    funcname=funcname@entry=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand", linenr=linenr@entry=240, fmt=fmt@entry=0x7f6f91b2f270 <__FUNCTION__.14845> "virDomainQemuAgentCommand")
    at util/virerror.c:1292
#7  0x00007f6f91b2f158 in virDomainQemuAgentCommand (domain=domain@entry=0x7f6f58000930, cmd=0x7f6f580009c0 "abc", timeout=-1, flags=0) at libvirt-qemu.c:240
#8  0x00007f6f9218d3b4 in qemuDispatchDomainAgentCommand (server=<optimized out>, msg=<optimized out>, ret=0x7f6f58000900, args=<optimized out>, rerr=0x7f6f81ff3c90, client=<optimized out>)
    at qemu_dispatch.h:45
#9  qemuDispatchDomainAgentCommandHelper (server=<optimized out>, client=<optimized out>, msg=<optimized out>, rerr=0x7f6f81ff3c90, args=<optimized out>, ret=0x7f6f58000900) at qemu_dispatch.h:20
#10 0x00007f6f917e17da in virNetServerProgramDispatchCall (msg=0x7f6f93ee4410, client=0x7f6f93ee4cf0, server=0x7f6f93ed9f40, prog=0x7f6f93ee09a0) at rpc/virnetserverprogram.c:435
#11 virNetServerProgramDispatch (prog=0x7f6f93ee09a0, server=server@entry=0x7f6f93ed9f40, client=0x7f6f93ee4cf0, msg=0x7f6f93ee4410) at rpc/virnetserverprogram.c:305
#12 0x00007f6f917dc7e8 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x7f6f93ed9f40) at rpc/virnetserver.c:163
#13 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x7f6f93ed9f40) at rpc/virnetserver.c:184
#14 0x00007f6f91706d15 in virThreadPoolWorker (opaque=opaque@entry=0x7f6f93e5f2a0) at util/virthreadpool.c:144
#15 0x00007f6f91706791 in virThreadHelper (data=<optimized out>) at util/virthreadpthread.c:161
#16 0x00007f6f8ef85c53 in start_thread () from /lib64/libpthread.so.0
#17 0x00007f6f8e8ac13d in clone () from /lib64/libc.so.6
Comment 2 Alex Jia 2013-08-02 04:41:05 EDT
(In reply to Alex Jia from comment #0)
> Description of problem:
> As summary, although it's not a recommended or permitted use case, it
> shouldn't crash libvirtd at least.

BTW, a read-only client doesn't have permission to use "virDomainQemuAgentCommand", so there is no need to worry about a DoS issue.
Comment 3 Alex Jia 2013-08-02 05:29:58 EDT
(In reply to Alex Jia from comment #0)
> 3. virsh -c lxc:// qemu-agent-command sandbox "abc"

The following cmdline also hits the same issue.

# virsh -c qemu:///system lxc-enter-namespace foo -- /bin/sh
Comment 4 Daniel Berrange 2013-08-02 10:33:14 EDT
commit b4ca2999020ab4adf7a73ccbff1de2b40a097874
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Aug 2 12:15:57 2013 +0100

    Avoid crash if NULL is passed for filename/funcname in logging


commit cb3868f701bda3e3f71f9161b4a7f19106600fa6
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Aug 2 12:15:15 2013 +0100

    Ensure LXC/QEMU APIs set the filename for errors
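
The backtrace in the description shows strchr() being called on a NULL value while the CODE_FILE field is encoded for journald. The C code below is an added example of a NULL-tolerant field encoder for the journald native protocol; it is not libvirt's code or the content of the commits above. The names journal_add_field and journal_build are hypothetical, and omitting a field whose value is NULL is an assumed policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Append one field to a journald native-protocol datagram held in buf.
 * Returns the new offset; returns off unchanged when the field is skipped
 * (NULL field or value) or does not fit. Hypothetical helper, not libvirt's. */
size_t journal_add_field(char *buf, size_t cap, size_t off,
                         const char *field, const char *value)
{
    if (!field || !value)   /* guard absent in frame #1, where strchr(NULL) faults */
        return off;

    size_t flen = strlen(field), vlen = strlen(value);
    int binary = strchr(value, '\n') != NULL;
    size_t need = flen + 1 + (binary ? 8 : 0) + vlen + 1;
    if (off > cap || need > cap - off)
        return off;

    memcpy(buf + off, field, flen);
    off += flen;
    if (binary) {
        /* Value contains '\n': FIELD '\n' <u64 little-endian length> data '\n' */
        buf[off++] = '\n';
        uint64_t n = vlen;
        for (int i = 0; i < 8; i++)
            buf[off++] = (char)((n >> (8 * i)) & 0xff);
    } else {
        /* Plain value: FIELD '=' data '\n' */
        buf[off++] = '=';
    }
    memcpy(buf + off, value, vlen);
    off += vlen;
    buf[off++] = '\n';
    return off;
}

/* Build the message and source-location fields; a NULL filename (as in
 * frame #2 of the backtrace) simply omits CODE_FILE instead of crashing. */
size_t journal_build(char *buf, size_t cap, const char *filename,
                     const char *funcname, const char *message)
{
    size_t off = 0;
    off = journal_add_field(buf, cap, off, "MESSAGE", message);
    off = journal_add_field(buf, cap, off, "CODE_FILE", filename);
    off = journal_add_field(buf, cap, off, "CODE_FUNC", funcname);
    return off;
}
```
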
Comment 5 Jiri Denemark 2013-08-02 13:11:34 EDT
Patches backported and sent for review: http://post-office.corp.redhat.com/archives/rhvirt-patches/2013-August/msg00061.html
Comment 6 Luwen Su 2013-08-06 04:01:19 EDT
Test with:
libvirt-1.1.1-2.el7.x86_64

Pass invalid parameters to qemu-agent-command:

virsh # qemu-agent-command sandbox "aaa"
error: this function is not supported by the connection driver: virDomainQemuAgentCommand

virsh # list
 Id    Name                           State
----------------------------------------------------
 24492 sandbox                        running


Pass invalid parameters to qemu

# virsh -c qemu:///system lxc-enter-namespace kvm-rhel6-x86_64 -- /bin/sh
error: this function is not supported by the connection driver: virDomainLxcOpenNamespace


So set it VERIFIED
Comment 7 Ludek Smid 2014-06-13 05:43:33 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
