Description of problem:
Running numatune with an invalid nodeset parameter crashes libvirtd.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.5 Beta
libvirt-0.10.2-21.el6.x86_64
kernel-2.6.32-410.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.386.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. make sure a domain 'foo' is shut off.
2. change nodeset to a very large number.
# virsh numatune foo --nodeset 1000000000

Actual result:
error: Unable to change numa parameters
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor

Expected result:
An error message or an empty line, without crashing libvirtd.

3. check whether libvirtd has crashed.
# ps aux | grep libvirtd

Additional Info:
# virsh nodeinfo
CPU model:           x86_64
CPU(s):              24
CPU frequency:       1596 MHz
CPU socket(s):       1
Core(s) per socket:  6
Thread(s) per core:  2
NUMA cell(s):        2
Memory size:         32834484 KiB

libvirtd backtrace:

Thread 11 (Thread 0x7f5244dac700 (LWP 10403)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5244dac700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 10 (Thread 0x7f52425a8700 (LWP 10407)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52425a8700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 9 (Thread 0x7f52411a6700 (LWP 10409)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52411a6700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 8 (Thread 0x7f52407a5700 (LWP 10410)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52407a5700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 7 (Thread 0x7f52443ab700 (LWP 10404)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52443ab700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 6 (Thread 0x7f52439aa700 (LWP 10405)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52439aa700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 5 (Thread 0x7f5242fa9700 (LWP 10406)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5242fa9700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 4 (Thread 0x7f5241ba7700 (LWP 10408)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5241ba7700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f5251a5d860 (LWP 10400)):
#0  0x00007f524fdbd6fd in write () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f52512914ae in safewrite (fd=4, buf=0x1965c20, count=112) at util/util.c:130
#2  0x00007f525127f930 in virLogOutputToFd (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, timestamp=<value optimized out>, flags=0, str=0x1965050 "10400: debug : virEventPollRunOnce:614 : EVENT_POLL_RUN: nhandles=11 timeout=5000\n", data=0x4) at util/logging.c:846
#3  0x00007f52512802cf in virLogVMessage (category=0x7f52513d000f "trace.util/event_poll.c", priority=<value optimized out>, funcname=0x7f52513d05a0 "virEventPollRunOnce", linenr=614, flags=0, fmt=<value optimized out>, vargs=0x7fffd4511000) at util/logging.c:781
#4  0x00007f525128047c in virLogMessage (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, flags=<value optimized out>, fmt=<value optimized out>) at util/logging.c:688
#5  0x00007f5251279591 in virEventPollRunOnce () at util/event_poll.c:612
#6  0x00007f52512787e7 in virEventRunDefaultImpl () at util/event.c:247
#7  0x00007f5251366acd in virNetServerRun (srv=0x1960180) at rpc/virnetserver.c:748
#8  0x0000000000423cc7 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1228

Thread 2 (Thread 0x7f52457ad700 (LWP 10402)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52457ad700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
#0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
#1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
#2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
#3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
#4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
#5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5475
#6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
#7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
#8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
#9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
#10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
#13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(In reply to Hao Liu from comment #0)
> Steps to Reproduce:
> 1. make sure a domain 'foo' is shut off.

It's not necessary.

> libvirtd backtrace:
> Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
> #1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
> #2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
> #3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
> #4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
> #5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5475
> #6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
> #7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
> #8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
> #9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
> #10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
> #11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
> #12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
> #13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

This should be enough to debug.
(In reply to Alex Jia from comment #1)
> > libvirtd backtrace:
> > Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> > #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153

Eric, do we need to fix this in the gnulib library, or in the caller? Thanks.
Patch on upstream: https://www.redhat.com/archives/libvir-list/2013-August/msg00723.html
A more thorough version posted for review: https://www.redhat.com/archives/libvir-list/2013-August/msg00735.html
Fixed upstream:

commit 7efd5fd1b0225436cbbae1181ab41c2d3eca43f9
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:13:27 2013 +0200

    virbitmaptest: Add test for out of bounds condition

    Previous patch fixed an issue where, when parsing a bitmap from the
    string, the bounds of the bitmap weren't checked. That flaw resulted in
    crashes. This test tests that case to avoid it in the future.

commit 536d38128e749fa5b149b9e168224280c3ad348c
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:12:55 2013 +0200

    virbitmaptest: Fix function header formatting

commit 47b9127e883677a0d60d767030a147450e919a25
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:22:32 2013 +0200

    virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array

    The virBitmapParse function was calling virBitmapIsSet() function that
    requires the caller to check the bounds of the bitmap without checking
    them. This resulted in crashes when parsing a bitmap string that was
    exceeding the bounds used as argument.

    This patch refactors the function to use virBitmapSetBit without
    checking if the bit is set (this function does the checks internally)
    and then counts the bits in the bitmap afterwards (instead of keeping
    track while parsing the string).

    This patch also changes the "parse_error" label to a more common
    "error".

    The refactor should also get rid of the need to call sa_assert on the
    returned variable as the callpath should allow coverity to infer the
    possible return values.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367
    Thanks to Alex Jia for tracking down the issue.

This issue was introduced by commit 0fc8909.
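The shape of the fix described in the third commit, shown as an added example in C that is not libvirt's own code: a minimal nodeset parser (constructed stand-in for virBitmapParse, accepting "0,2-3" style strings) in which the bit setter owns the bounds check, so an index such as 1000000000 is rejected as a parse error instead of being looked up past the end of the array, and the set bits are counted after parsing rather than tracked during it.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define WORD_BITS (8 * sizeof(unsigned long))

/* The setter owns the bounds check, so no caller can index past the array
 * (the fix moved virBitmapParse onto virBitmapSetBit for this reason). */
static int bitmap_set_bit(unsigned long *map, size_t nbits, size_t bit)
{
    if (bit >= nbits) return -1;
    map[bit / WORD_BITS] |= 1UL << (bit % WORD_BITS);
    return 0;
}

static int bitmap_is_set(const unsigned long *map, size_t bit)
{
    return (map[bit / WORD_BITS] >> (bit % WORD_BITS)) & 1UL;
}

/* Parse "0,2-3" into map (at least (nbits+WORD_BITS-1)/WORD_BITS words,
 * cleared here). Returns the number of bits set, or -1 when the string is
 * malformed or names a bit at or beyond nbits, the case "--nodeset
 * 1000000000" hit in this report. */
static long bitmap_parse(const char *str, size_t nbits, unsigned long *map)
{
    const char *p = str;
    long count = 0;

    memset(map, 0, ((nbits + WORD_BITS - 1) / WORD_BITS) * sizeof(*map));
    while (*p) {
        char *end;
        errno = 0;
        unsigned long lo = strtoul(p, &end, 10), hi = lo;
        if (end == p || errno == ERANGE) return -1;
        if (*end == '-') {
            p = end + 1;
            hi = strtoul(p, &end, 10);
            if (end == p || errno == ERANGE || hi < lo) return -1;
        }
        for (unsigned long i = lo; i <= hi; i++)
            if (bitmap_set_bit(map, nbits, i) < 0) return -1; /* reject, never read OOB */
        if (*end == ',') end++;
        else if (*end) return -1;
        p = end;
    }
    for (size_t i = 0; i < nbits; i++)  /* count after parsing, not during */
        count += bitmap_is_set(map, i);
    return count;
}
```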
This bug is already public knowledge, but it is now being discussed on the closed libvirt-security list for its potential as a CVE. Please do not discuss the CVE specifics in public comments.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1581.html