Bug 996886 - libvirt segfaults in xdr_string() call
Summary: libvirt segfaults in xdr_string() call
Keywords:
Status: CLOSED DUPLICATE of bug 994855
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Libvirt Maintainers
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-14 08:45 UTC by Gerd Hoffmann
Modified: 2013-08-14 11:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-14 11:56:59 UTC
Target Upstream Version:
Embargoed:


Attachments:
vconsole src rpm (24.18 KB, application/x-rpm), 2013-08-14 08:49 UTC, Gerd Hoffmann
vconsole x86_64 rpm (22.93 KB, application/x-rpm), 2013-08-14 08:50 UTC, Gerd Hoffmann

Description Gerd Hoffmann 2013-08-14 08:45:56 UTC
Description of problem:
$subject

Version-Release number of selected component (if applicable):
libvirt-1.1.1-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Fetch & build vconsole (http://www.kraxel.org/cgit/vconsole/)
2. Run vconsole, pick a virtual machine not running, tap enter
3. New tab opens for the VM, tap enter again (which boots it).

Actual results:
vconsole crashes while starting the guest,
with the stack trace ending somewhere deep in libvirt

Expected results:
vconsole continues to run, showing the serial console of the guest.

Additional info:
(gdb) bt
#0  0x0000003976d292d0 in xdr_string () from /lib64/libc.so.6
#1  0x0000003999d5fbde in xdr_remote_nonnull_string (xdrs=xdrs@entry=0x7fffffffc890, 
    objp=objp@entry=0x7fffffffcab0) at remote/remote_protocol.c:31
#2  0x0000003999d5ff11 in xdr_remote_nonnull_domain (xdrs=0x7fffffffc890, objp=0x7fffffffcab0)
    at remote/remote_protocol.c:58
#3  0x0000003999d62109 in xdr_remote_domain_create_with_flags_ret (xdrs=xdrs@entry=0x7fffffffc890, 
    objp=objp@entry=0x7fffffffcab0) at remote/remote_protocol.c:1762
#4  0x0000003999d74930 in virNetMessageDecodePayload (msg=msg@entry=0x9b5570, filter=filter@entry=
    0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, data=data@entry=0x7fffffffcab0)
    at rpc/virnetmessage.c:404
#5  0x0000003999d6b57c in virNetClientProgramCall (prog=prog@entry=0x98fc60, 
    client=client@entry=0x98f8f0, serial=serial@entry=28, proc=proc@entry=196, 
    noutfds=noutfds@entry=0, outfds=outfds@entry=0x0, ninfds=ninfds@entry=0x0, 
    infds=infds@entry=0x0, 
    args_filter=args_filter@entry=0x3999d620c0 <xdr_remote_domain_create_with_flags_args>, 
    args=args@entry=0x7fffffffca80, 
    ret_filter=ret_filter@entry=0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, 
    ret=ret@entry=0x7fffffffcab0) at rpc/virnetclientprogram.c:377
#6  0x0000003999d473e2 in callFull (priv=priv@entry=0x98ebb0, flags=flags@entry=0, 
    fdin=fdin@entry=0x0, fdinlen=fdinlen@entry=0, fdout=fdout@entry=0x0, 
    fdoutlen=fdoutlen@entry=0x0, proc_nr=proc_nr@entry=196, 
    args_filter=0x3999d620c0 <xdr_remote_domain_create_with_flags_args>, 
    args=args@entry=0x7fffffffca80 "\340\032\231", 
    ret_filter=ret_filter@entry=0x3999d62100 <xdr_remote_domain_create_with_flags_ret>, 
    ret=ret@entry=0x7fffffffcab0 "H", conn=<optimized out>) at remote/remote_driver.c:5651
#7  0x0000003999d4bf04 in call (conn=<optimized out>, ret=0x7fffffffcab0 "H", 
    ret_filter=<optimized out>, args=0x7fffffffca80 "\340\032\231", args_filter=<optimized out>, 
    proc_nr=196, flags=0, priv=0x98ebb0) at remote/remote_driver.c:5673
#8  remoteDomainCreateWithFlags (dom=0xa11760, flags=<optimized out>)
    at remote/remote_driver.c:2434
#9  0x0000003999d1c9f8 in virDomainCreateWithFlags (domain=domain@entry=0xa11760, flags=1)
    at libvirt.c:9499
#10 0x0000000000407dbf in domain_start (dom=0x992770) at domain.c:370
#11 0x0000003979c0fa28 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#12 0x0000003979c20a3d in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#13 0x0000003979c28829 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#14 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#15 0x000000398da9b170 in _gtk_action_emit_activate () from /lib64/libgtk-3.so.0
#16 0x000000398dc5d249 in button_clicked () from /lib64/libgtk-3.so.0
#17 0x0000003979c0fc57 in _g_closure_invoke_va () from /lib64/libgobject-2.0.so.0
#18 0x0000003979c27d87 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#19 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#20 0x000000398dac2088 in gtk_real_button_released () from /lib64/libgtk-3.so.0
#21 0x0000003979c0fa28 in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#22 0x0000003979c20247 in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#23 0x0000003979c28829 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#24 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#25 0x000000398dac0c33 in gtk_button_button_release () from /lib64/libgtk-3.so.0
#26 0x000000398db8b06e in _gtk_marshal_BOOLEAN__BOXEDv () from /lib64/libgtk-3.so.0
#27 0x0000003979c0fc57 in _g_closure_invoke_va () from /lib64/libgobject-2.0.so.0
#28 0x0000003979c27d87 in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#29 0x0000003979c28a72 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#30 0x000000398dcab3f4 in gtk_widget_event_internal () from /lib64/libgtk-3.so.0
#31 0x000000398db893bc in propagate_event () from /lib64/libgtk-3.so.0
#32 0x000000398db8ac55 in gtk_main_do_event () from /lib64/libgtk-3.so.0
#33 0x000000398b24bd62 in gdk_event_source_dispatch () from /lib64/libgdk-3.so.0
#34 0x0000003978c47e06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#35 0x0000003978c48158 in g_main_context_iterate.isra.22 () from /lib64/libglib-2.0.so.0
#36 0x0000003978c4855a in g_main_loop_run () from /lib64/libglib-2.0.so.0
#37 0x000000398db8a15d in gtk_main () from /lib64/libgtk-3.so.0
#38 0x0000000000405be6 in main (argc=1, argv=0x7fffffffddc8) at vconsole.c:1068

Comment 2 Gerd Hoffmann 2013-08-14 08:49:23 UTC
Created attachment 786459 [details]
vconsole src rpm

Comment 3 Gerd Hoffmann 2013-08-14 08:50:04 UTC
Created attachment 786460 [details]
vconsole x86_64 rpm

Comment 4 Daniel Berrangé 2013-08-14 11:48:07 UTC
The stack trace here shows a crash in decoding the RPC reply. This looks like it is the crash fixed upstream

commit be7a89e8cabbc0e222b9e39c6266ece576295fe3
Author: Alex Jia <ajia>
Date:   Thu Aug 8 16:44:57 2013 +0800

    remote: Fix a segfault in remoteDomainCreateWithFlags
    

which dealt with the fact that we did not 'memset' the 'ret' variable. This fix is post-1.1.1 so would not be present in RHEL-7 trees
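
The root cause Daniel names, a reply struct handed to the XDR decoder without being zeroed first, is easier to see in code. The block below is an added, self-contained C model written for this page; it is not libvirt's code and does not use the real glibc/libtirpc XDR API. `model_xdr_string` reproduces the decode-mode contract of xdr_string() (allocate only when the pointer is NULL, otherwise write into whatever the pointer addresses), `model_create_with_flags_ret` stands in for the reply struct, and the struct names, the 1024-byte length limit and the sample wire bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an XDR decode stream (hypothetical; not libvirt's virNetMessage). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } xdr_in;

/* XDR encodes unsigned ints as 4 big-endian bytes. Fails on short input. */
static int xdr_get_u32(xdr_in *x, uint32_t *out)
{
    if (x->len - x->pos < 4) return 0;
    const uint8_t *p = x->buf + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    x->pos += 4;
    return 1;
}

/* Model of xdr_string() in XDR_DECODE mode: a NULL *cpp means "allocate for
 * me"; a non-NULL *cpp is treated as a caller-owned buffer of at least
 * maxsize+1 bytes and is written to directly, with no further validation.
 * A garbage pointer left in an uninitialized struct therefore becomes a write
 * to an arbitrary address, which is the crash in the trace above. */
static int model_xdr_string(xdr_in *x, char **cpp, uint32_t maxsize)
{
    uint32_t n;
    if (!xdr_get_u32(x, &n) || n > maxsize) return 0;
    size_t padded = ((size_t)n + 3) & ~(size_t)3;   /* XDR pads to 4 bytes */
    if (x->len - x->pos < padded) return 0;
    if (*cpp == NULL) {
        *cpp = malloc((size_t)n + 1);
        if (*cpp == NULL) return 0;
    }
    memcpy(*cpp, x->buf + x->pos, n);
    (*cpp)[n] = '\0';
    x->pos += padded;
    return 1;
}

/* Hypothetical reply shape: a non-null domain = name string + 16-byte UUID. */
typedef struct { char *name; unsigned char uuid[16]; } model_nonnull_domain;
typedef struct { model_nonnull_domain dom; } model_create_with_flags_ret;

static int model_xdr_ret(xdr_in *x, model_create_with_flags_ret *ret)
{
    if (!model_xdr_string(x, &ret->dom.name, 1024)) return 0;
    if (x->len - x->pos < sizeof(ret->dom.uuid)) return 0;
    memcpy(ret->dom.uuid, x->buf + x->pos, sizeof(ret->dom.uuid));
    x->pos += sizeof(ret->dom.uuid);
    return 1;
}

/* Constructed sample reply: string "demo" (length 4, already 4-aligned), then 16 UUID bytes. */
const uint8_t sample_reply[] = {
    0x00, 0x00, 0x00, 0x04, 'd', 'e', 'm', 'o',
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* Correct caller pattern: zero the reply struct first so every pointer starts
 * NULL and the decoder allocates. Returns a malloc'ed name, or NULL on a
 * malformed or truncated reply (nothing leaks on either path). */
char *decode_reply_name(const uint8_t *wire, size_t wirelen)
{
    model_create_with_flags_ret ret;
    memset(&ret, 0, sizeof(ret));             /* the step that was missing */
    xdr_in x = { wire, wirelen, 0 };
    if (!model_xdr_ret(&x, &ret)) {
        free(ret.dom.name);                   /* NULL-safe partial-decode cleanup */
        return NULL;
    }
    return ret.dom.name;
}

/* The other legal branch: the caller supplies its own buffer of maxsize+1
 * bytes, so the decoder writes in place. Returns the buffer, or NULL on error. */
char caller_buf[1025];
char *decode_reply_name_into(char *buf, const uint8_t *wire, size_t wirelen)
{
    model_create_with_flags_ret ret;
    memset(&ret, 0, sizeof(ret));
    ret.dom.name = buf;                       /* deliberately non-NULL and valid */
    xdr_in x = { wire, wirelen, 0 };
    return model_xdr_ret(&x, &ret) ? buf : NULL;
}

int main(void)
{
    char *name = decode_reply_name(sample_reply, sizeof(sample_reply));
    printf("decoded domain name: %s\n", name ? name : "(decode failed)");
    free(name);
    return 0;
}
```

The two decode functions cover the only two states the decoder accepts for the string pointer: NULL (allocate) or a valid caller buffer (write in place). An uninitialized stack struct is in neither state, so whatever bytes happen to be on the stack decide where the reply's name gets written. Zeroing the struct before the call, and freeing any partially decoded fields when the call fails, is the whole fix.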

Comment 5 Martin Kletzander 2013-08-14 11:56:59 UTC

*** This bug has been marked as a duplicate of bug 994855 ***

