[libvirt] [PATCH] qemu: Avoid crash in qemuDiskGetActualType
Libvirtd would crash if a domain contained an empty cdrom drive of type='volume' as the disk def->srcpool member would be dereferenced. Fix it by checking if the source pool is present before dereferencing it. Also alter tests to catch this issue in the future. Reported by: Kevin Shanahan Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1056328 --- src/qemu/qemu_conf.c | 2 +- tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args | 2 ++ tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml | 6 ++++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 4378791..ac53f6d 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1302,7 +1302,7 @@ cleanup: int qemuDiskGetActualType(virDomainDiskDefPtr def) { - if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME) + if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME && def->srcpool) return def->srcpool->actualtype; return def->type; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args index da87ad9..6b409b7 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args @@ -3,6 +3,8 @@ LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -drive \ file=/some/block/device/cdrom,if=none,media=cdrom,id=drive-ide0-0-1 -device \ ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -drive \ +if=none,media=cdrom,id=drive-ide0-1-0 -device \ +ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive \ file=/tmp/idedisk.img,if=none,id=drive-ide0-0-2 -device \ ide-drive,bus=ide.0,unit=2,drive=drive-ide0-0-2,id=ide0-0-2 -device \ virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml index 6ca5cf7..e96f76e 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml @@ -24,6 +24,12 @@ <readonly/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> + <disk type='volume' device='cdrom'> + <driver name='qemu' type='raw'/> + <target dev='hdc' bus='ide'/> + <readonly/> + <address type='drive' controller='0' bus='1' target='0' unit='0'/> + </disk> <disk type='file' device='disk'> <source file='/tmp/idedisk.img'/> <target dev='hdc' bus='ide'/> -- 1.8.5.3
On 22/01/14 18:18, Peter Krempa wrote:
Libvirtd would crash if a domain contained an empty cdrom drive of type='volume' as the disk def->srcpool member would be dereferenced. Fix it by checking if the source pool is present before dereferencing it.
Also alter tests to catch this issue in the future.
Reported by: Kevin Shanahan Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1056328 --- src/qemu/qemu_conf.c | 2 +- tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args | 2 ++ tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml | 6 ++++++ 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 4378791..ac53f6d 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1302,7 +1302,7 @@ cleanup: int qemuDiskGetActualType(virDomainDiskDefPtr def) { - if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME) + if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME && def->srcpool) return def->srcpool->actualtype;
Returning the type as "volume" should be fine, since there is no "case" statement for "volume" type when building the drive's command line, and the "source" is empty anyway. ACK.
On 01/22/14 11:30, Osier Yang wrote:
On 22/01/14 18:18, Peter Krempa wrote:
Libvirtd would crash if a domain contained an empty cdrom drive of type='volume' as the disk def->srcpool member would be dereferenced. Fix it by checking if the source pool is present before dereferencing it.
Also alter tests to catch this issue in the future.
Reported by: Kevin Shanahan Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1056328 --- src/qemu/qemu_conf.c | 2 +- tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.args | 2 ++ tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml | 6 ++++++ 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 4378791..ac53f6d 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1302,7 +1302,7 @@ cleanup: int qemuDiskGetActualType(virDomainDiskDefPtr def) { - if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME) + if (def->type == VIR_DOMAIN_DISK_TYPE_VOLUME && def->srcpool) return def->srcpool->actualtype;
Returning the type as "volume" should be fine, since there is no "case" statement for "volume" type when building the drive's command line, and the "source" is empty anyway.
ACK.
Pushed; Thanks. Peter
participants (2)
-
Osier Yang -
Peter Krempa