[libvirt] [PATCH] xend: Don't crash in virDomainXMLDevID
The function is called from all {Attach,Update,Detach}Device APIs to create config strings that are later passed to the xend to perform the desired action. The function is intended to handle all supported devices. However, as of 5b05358abacb1029fa0d61f72decacf0d4fd8ffb we are trying to get disk driver of the device without checking if the device really is a disk. This leads to an segmentation fault: #0 0x00007ffff7571815 in virDomainDiskGetDriver () from /usr/lib/libvirt.so.0 #1 0x00007fffeb9ad471 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #2 0x00007fffeb9b1062 in xenDaemonAttachDeviceFlags () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #3 0x00007fffeb9a8a86 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #4 0x00007ffff7609266 in virDomainAttachDevice () from /usr/lib/libvirt.so.0 #5 0x0000555555593c9d in ?? () #6 0x00007ffff76743c9 in virNetServerProgramDispatch () from /usr/lib/libvirt.so.0 #7 0x00005555555a678d in ?? () #8 0x00007ffff755460e in ?? () from /usr/lib/libvirt.so.0 #9 0x00007ffff7553b06 in ?? () from /usr/lib/libvirt.so.0 #10 0x00007ffff4998b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #11 0x00007ffff46e30ed in clone () from /lib/x86_64-linux-gnu/libc.so.6 #12 0x0000000000000000 in ?? () Reported-by: Xiaolin Su <linxxnil@126.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/xen/xend_internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c index a51cb20..c2b9098 100644 --- a/src/xen/xend_internal.c +++ b/src/xen/xend_internal.c @@ -3329,9 +3329,10 @@ virDomainXMLDevID(virConnectPtr conn, xenUnifiedPrivatePtr priv = conn->privateData; char *xref; char *tmp; - const char *driver = virDomainDiskGetDriver(dev->data.disk); if (dev->type == VIR_DOMAIN_DEVICE_DISK) { + const char *driver = virDomainDiskGetDriver(dev->data.disk); + if (STREQ_NULLABLE(driver, "tap") || STREQ_NULLABLE(driver, "tap2")) strcpy(class, driver); else -- 2.0.5
On Fri, Jan 30, 2015 at 10:53:09AM +0100, Michal Privoznik wrote:
The function is called from all {Attach,Update,Detach}Device APIs to create config strings that are later passed to the xend to perform the desired action. The function is intended to handle all supported devices. However, as of 5b05358abacb1029fa0d61f72decacf0d4fd8ffb we are trying to get disk driver of the device without checking if the device really is a disk. This leads to an segmentation fault:
#0 0x00007ffff7571815 in virDomainDiskGetDriver () from /usr/lib/libvirt.so.0 #1 0x00007fffeb9ad471 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #2 0x00007fffeb9b1062 in xenDaemonAttachDeviceFlags () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #3 0x00007fffeb9a8a86 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #4 0x00007ffff7609266 in virDomainAttachDevice () from /usr/lib/libvirt.so.0 #5 0x0000555555593c9d in ?? () #6 0x00007ffff76743c9 in virNetServerProgramDispatch () from /usr/lib/libvirt.so.0 #7 0x00005555555a678d in ?? () #8 0x00007ffff755460e in ?? () from /usr/lib/libvirt.so.0 #9 0x00007ffff7553b06 in ?? () from /usr/lib/libvirt.so.0 #10 0x00007ffff4998b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #11 0x00007ffff46e30ed in clone () from /lib/x86_64-linux-gnu/libc.so.6 #12 0x0000000000000000 in ?? ()
Reported-by: Xiaolin Su <linxxnil@126.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/xen/xend_internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
ACK It would be nice if you could push it to v1.2.9-maint as well. Jan
diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c index a51cb20..c2b9098 100644 --- a/src/xen/xend_internal.c +++ b/src/xen/xend_internal.c @@ -3329,9 +3329,10 @@ virDomainXMLDevID(virConnectPtr conn, xenUnifiedPrivatePtr priv = conn->privateData; char *xref; char *tmp; - const char *driver = virDomainDiskGetDriver(dev->data.disk);
if (dev->type == VIR_DOMAIN_DEVICE_DISK) { + const char *driver = virDomainDiskGetDriver(dev->data.disk); + if (STREQ_NULLABLE(driver, "tap") || STREQ_NULLABLE(driver, "tap2")) strcpy(class, driver); else -- 2.0.5
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On 30.01.2015 11:12, Ján Tomko wrote:
On Fri, Jan 30, 2015 at 10:53:09AM +0100, Michal Privoznik wrote:
The function is called from all {Attach,Update,Detach}Device APIs to create config strings that are later passed to the xend to perform the desired action. The function is intended to handle all supported devices. However, as of 5b05358abacb1029fa0d61f72decacf0d4fd8ffb we are trying to get disk driver of the device without checking if the device really is a disk. This leads to an segmentation fault:
#0 0x00007ffff7571815 in virDomainDiskGetDriver () from /usr/lib/libvirt.so.0 #1 0x00007fffeb9ad471 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #2 0x00007fffeb9b1062 in xenDaemonAttachDeviceFlags () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #3 0x00007fffeb9a8a86 in ?? () from /usr/lib/libvirt/connection-driver/libvirt_driver_xen.so #4 0x00007ffff7609266 in virDomainAttachDevice () from /usr/lib/libvirt.so.0 #5 0x0000555555593c9d in ?? () #6 0x00007ffff76743c9 in virNetServerProgramDispatch () from /usr/lib/libvirt.so.0 #7 0x00005555555a678d in ?? () #8 0x00007ffff755460e in ?? () from /usr/lib/libvirt.so.0 #9 0x00007ffff7553b06 in ?? () from /usr/lib/libvirt.so.0 #10 0x00007ffff4998b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #11 0x00007ffff46e30ed in clone () from /lib/x86_64-linux-gnu/libc.so.6 #12 0x0000000000000000 in ?? ()
Reported-by: Xiaolin Su <linxxnil@126.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/xen/xend_internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
ACK
It would be nice if you could push it to v1.2.9-maint as well.
Good point. I went ahead and pushed it into all maint branches in question. Michal
participants (2)
-
Ján Tomko -
Michal Privoznik