Bug 997818 - [LXC] crash of libvirtd with 'none' type security label
Summary: [LXC] crash of libvirtd with 'none' type security label
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.6
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-16 09:07 UTC by Alex Jia
Modified: 2013-11-21 09:08 UTC

Fixed In Version: libvirt-0.10.2-23.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 09:08:46 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2013:1581
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: libvirt bug fix and enhancement update
Last Updated: 2013-11-21 01:11:35 UTC

Description Alex Jia 2013-08-16 09:07:44 UTC
Description of problem:
If the LXC guest XML is manually edited to contain the line <seclabel type='none'/> without a security model, libvirtd will crash when starting the LXC guest.

Version-Release number of selected component (if applicable):
# rpm -q libvirt kernel
libvirt-0.10.2-21.el6.x86_64
kernel-2.6.32-288.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. Use virsh edit to add the line "<seclabel type='none'/>" to the LXC guest XML and save the configuration
2. virsh start <domain>


Actual results:

error: Failed to start domain toy
error: End of file while reading data: Input/output error

Expected results:
no crash

Additional info:

# virsh -c lxc:/// dumpxml toy
<domain type='lxc'>
  <name>toy</name>
  <uuid>bb428983-cb9f-4702-0f8d-7d4e143d9aad</uuid>
  <memory unit='KiB'>500000</memory>
  <currentMemory unit='KiB'>500000</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/'/>
      <target dir='/'/>
    </filesystem>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='none'/>
</domain>


# virsh -c lxc:/// start toy
error: Failed to start domain toy
error: End of file while reading data: Input/output error

# service libvirtd status
libvirtd dead but pid file exists


Note: it's okay for the QEMU driver, where "model='selinux'" is automatically appended to the line "<seclabel type='none'/>", so we probably need to add a security driver for the selinux label with the LXC driver. In addition, the virDomainCreate operation is forbidden for read-only access, but I am not sure whether other callers also use 'virSecurityManagerGenLabel' via a read-only client and then crash libvirtd.


GDB backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f638599b700 (LWP 24630)]
__strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:2112
2112            movdqa  (%rdi), %xmm2
(gdb) bt
#0  __strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:2112
#1  0x0000003655d99299 in virSecurityManagerGenLabel (mgr=<value optimized out>, vm=0x7f637c2f7280) at security/security_manager.c:337
#2  0x00000000004d210d in virLXCProcessStart (conn=0x7f636c000ae0, driver=0x7f637c22e280, vm=0x7f637c2bfcb0, autoDestroy=false, reason=VIR_DOMAIN_RUNNING_BOOTED) at lxc/lxc_process.c:996
#3  0x00000000004cd4ed in lxcDomainStartWithFlags (dom=0x7f6364000900, flags=0) at lxc/lxc_driver.c:1007
#4  0x0000003655cf56f0 in virDomainCreate (domain=0x7f6364000900) at libvirt.c:8319
#5  0x0000000000440212 in remoteDispatchDomainCreate (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f638599ab80, args=<value optimized out>, 
    ret=<value optimized out>) at remote_dispatch.h:1066
#6  remoteDispatchDomainCreateHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f638599ab80, args=<value optimized out>, ret=<value optimized out>)
    at remote_dispatch.h:1044
#7  0x0000003655d401e2 in virNetServerProgramDispatchCall (prog=0xcff940, server=0xcf6ef0, client=0xcfdc90, msg=0xcfc4b0) at rpc/virnetserverprogram.c:431
#8  virNetServerProgramDispatch (prog=0xcff940, server=0xcf6ef0, client=0xcfdc90, msg=0xcfc4b0) at rpc/virnetserverprogram.c:304
#9  0x0000003655d414ce in virNetServerProcessMsg (srv=<value optimized out>, client=0xcfdc90, prog=<value optimized out>, msg=0xcfc4b0) at rpc/virnetserver.c:170
#10 0x0000003655d41b6c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0xcf6ef0) at rpc/virnetserver.c:191
#11 0x0000003655c63e9c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#12 0x0000003655c63789 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#13 0x00000038baa077f1 in start_thread (arg=0x7f638599b700) at pthread_create.c:301
#14 0x00000033f68e570d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Comment 2 Michal Privoznik 2013-08-20 09:44:25 UTC
Fixed upstream:

commit ba44dd2453d486e9eb8c6204f8d7c31d07007d8f
Author:     Michal Privoznik <mprivozn>
AuthorDate: Mon Jul 15 15:50:29 2013 +0200
Commit:     Michal Privoznik <mprivozn>
CommitDate: Wed Jul 17 12:36:47 2013 +0200

    virSecurityManagerGenLabel: Skip seclabels without model
    
    While generating seclabels, we check the seclabel stack if required
    driver is in the stack. If not, an error is returned. However, it is
    possible for a seclabel to not have any model set (happens with LXC
    domains that have just <seclabel type='none'>). If that's the case,
    we should just skip the iteration instead of calling STREQ(NULL, ...)
    and SIGSEGV-ing subsequently.


Backported:

http://post-office.corp.redhat.com/archives/rhvirt-patches/2013-August/msg01142.html

Hence moving to POST.
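
The guard described in the commit message above, as an added example (not libvirt's code and not part of the original comment). The struct, function and sample data names are hypothetical, simplified stand-ins: a seclabel whose model is NULL is skipped before any string comparison, while a label naming a driver that is not in the stack still returns an error.

```c
/* Added illustration; simplified stand-ins, not libvirt's types or code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct seclabel {
    const char *model; /* NULL for a bare <seclabel type='none'/> */
    const char *type;
};

/* Returns 1 if a driver named `model` is in the stack, else 0. */
static int stack_has_driver(const char *const *stack, size_t nstack,
                            const char *model)
{
    for (size_t i = 0; i < nstack; i++)
        if (strcmp(stack[i], model) == 0)
            return 1;
    return 0;
}

/* Returns the number of labels matched against a loaded driver,
 * or -1 if a label names a driver that is not in the stack. */
int gen_labels(const struct seclabel *labels, size_t nlabels,
               const char *const *stack, size_t nstack)
{
    int matched = 0;
    for (size_t i = 0; i < nlabels; i++) {
        if (labels[i].model == NULL)
            continue; /* the guard: without it strcmp() dereferences NULL */
        if (!stack_has_driver(stack, nstack, labels[i].model))
            return -1;
        matched++;
    }
    return matched;
}

/* Constructed sample data. */
const char *const sample_stack[] = { "selinux", "dac" };
const struct seclabel label_none[] = { { NULL, "none" } };
const struct seclabel label_mixed[] = { { NULL, "none" },
                                        { "selinux", "dynamic" } };
const struct seclabel label_unknown[] = { { "apparmor", "dynamic" } };

int main(void)
{
    printf("none-only: %d\n", gen_labels(label_none, 1, sample_stack, 2));
    printf("mixed:     %d\n", gen_labels(label_mixed, 2, sample_stack, 2));
    printf("unknown:   %d\n", gen_labels(label_unknown, 1, sample_stack, 2));
    return 0;
}
```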

Comment 4 Luwen Su 2013-08-23 03:13:15 UTC
Verified this one with
libvirt-0.10.2-23.el6.x86_64
kernel-2.6.32-358.20.1.el6.x86_64

1. Reproduced with libvirt -22 version
2. Because of Bug 984597, I used 6.4.z's kernel
3. Because of Bug 904951, the LXC start is too slow if setenforce 1.

Same steps as comment 0: libvirtd did not crash and there is no error log in libvirtd.log with the latest build, so setting VERIFIED

Comment 6 errata-xmlrpc 2013-11-21 09:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1581.html

