[libvirt] [PATCH 0/2] Fix crash in chardev source parsing
Peter Krempa (2): conf: Don't crash on invalid chardev source definition of RNGs and other conf: clean up virDomainChrSourceDefParseXML src/conf/domain_conf.c | 68 +++++++++++----------- .../qemuxml2argv-virtio-rng-egd-crash.xml | 27 +++++++++ tests/qemuxml2argvtest.c | 2 + 3 files changed, 64 insertions(+), 33 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml -- 1.8.3.2
Since commit 297c99a5 an invalid source definition XML of a character device that is used as backend for RNG devices, smartcards and redirdevs causes crash of the daemon when parsing such a definition. The device types mentioned above are not a part of a regular character device but are backends for other types. Thus when parsing such device NULL is passed as the argument @chr_def. Later when checking the validity of the definition @chr_def was dereferenced when parsing a UNIX socket backend with missing path of the socket and crashed the daemon. Sample offending configuration: <devices> ... <rng model='virtio'> <backend model='egd' type='unix'> <source mode='bind' service='1024'/> </backend> </rng> </devices> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1012196 --- src/conf/domain_conf.c | 3 ++- .../qemuxml2argv-virtio-rng-egd-crash.xml | 27 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 2 ++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 70fdafc..0c8e9ad 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7070,7 +7070,8 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, case VIR_DOMAIN_CHR_TYPE_UNIX: /* path can be auto generated */ if (!path && - chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO) { + (!chr_def || + chr_def->targetType != VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source path attribute for char device")); goto error; diff --git a/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml b/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml new file mode 100644 index 0000000..ce18ea0 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml @@ -0,0 +1,27 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219100</memory> + <currentMemory unit='KiB'>219100</currentMemory> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu</emulator> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <memballoon model='virtio'/> + <rng model='virtio'> + <backend model='egd' type='unix'> + <!-- https://bugzilla.redhat.com/show_bug.cgi?id=1012196 --> + <source mode='connect' host='1.2.3.4' service='1234'/> + </backend> + </rng> + </devices> +</domain> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 0b808a4..38319e5 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -986,6 +986,8 @@ mymain(void) QEMU_CAPS_OBJECT_RNG_RANDOM); DO_TEST("virtio-rng-egd", QEMU_CAPS_DEVICE, QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); + DO_TEST_PARSE_ERROR("virtio-rng-egd-crash", QEMU_CAPS_DEVICE, + QEMU_CAPS_DEVICE_VIRTIO_RNG, QEMU_CAPS_OBJECT_RNG_EGD); DO_TEST("virtio-rng-ccw", QEMU_CAPS_DEVICE, QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_DRIVE, QEMU_CAPS_BOOTINDEX, QEMU_CAPS_VIRTIO_CCW, -- 1.8.3.2
Tweak some conditions and use correct typecasts in enums. --- src/conf/domain_conf.c | 65 +++++++++++++++++++++++++------------------------- 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 0c8e9ad..52a4fb7 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -6905,17 +6905,17 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, while (cur != NULL) { if (cur->type == XML_ELEMENT_NODE) { if (xmlStrEqual(cur->name, BAD_CAST "source")) { - if (mode == NULL) + if (!mode) mode = virXMLPropString(cur, "mode"); - switch (def->type) { + switch ((enum virDomainChrType) def->type) { case VIR_DOMAIN_CHR_TYPE_PTY: case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_PIPE: case VIR_DOMAIN_CHR_TYPE_UNIX: /* PTY path is only parsed from live xml. */ - if (path == NULL && + if (!path && (def->type != VIR_DOMAIN_CHR_TYPE_PTY || !(flags & VIR_DOMAIN_XML_INACTIVE))) path = virXMLPropString(cur, "path"); @@ -6924,27 +6924,32 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, case VIR_DOMAIN_CHR_TYPE_UDP: case VIR_DOMAIN_CHR_TYPE_TCP: - if (mode == NULL || - STREQ((const char *)mode, "connect")) { - - if (connectHost == NULL) + if (!mode || STREQ(mode, "connect")) { + if (!connectHost) connectHost = virXMLPropString(cur, "host"); - if (connectService == NULL) + if (!connectService) connectService = virXMLPropString(cur, "service"); - } else if (STREQ((const char *)mode, "bind")) { - if (bindHost == NULL) + } else if (STREQ(mode, "bind")) { + if (!bindHost) bindHost = virXMLPropString(cur, "host"); - if (bindService == NULL) + if (!bindService) bindService = virXMLPropString(cur, "service"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, - _("Unknown source mode '%s'"), - mode); + _("Unknown source mode '%s'"), mode); goto error; } if (def->type == VIR_DOMAIN_CHR_TYPE_UDP) VIR_FREE(mode); + break; + + case VIR_DOMAIN_CHR_TYPE_LAST: + case VIR_DOMAIN_CHR_TYPE_NULL: + case VIR_DOMAIN_CHR_TYPE_VC: + case VIR_DOMAIN_CHR_TYPE_STDIO: + case VIR_DOMAIN_CHR_TYPE_SPICEVMC: + break; } /* Check for an optional seclabel override in <source/>. */ @@ -6963,7 +6968,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, ctxt->node = saved_node; } } else if (xmlStrEqual(cur->name, BAD_CAST "protocol")) { - if (protocol == NULL) + if (!protocol) protocol = virXMLPropString(cur, "type"); } else { remaining++; @@ -6972,11 +6977,11 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, cur = cur->next; } - switch (def->type) { + switch ((enum virDomainChrType) def->type) { + case VIR_DOMAIN_CHR_TYPE_LAST: case VIR_DOMAIN_CHR_TYPE_NULL: - /* Nada */ - break; - + case VIR_DOMAIN_CHR_TYPE_STDIO: + case VIR_DOMAIN_CHR_TYPE_SPICEVMC: case VIR_DOMAIN_CHR_TYPE_VC: break; @@ -6984,7 +6989,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_PIPE: - if (path == NULL && + if (!path && def->type != VIR_DOMAIN_CHR_TYPE_PTY) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source path attribute for char device")); @@ -6995,20 +7000,15 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, path = NULL; break; - case VIR_DOMAIN_CHR_TYPE_STDIO: - case VIR_DOMAIN_CHR_TYPE_SPICEVMC: - /* Nada */ - break; - case VIR_DOMAIN_CHR_TYPE_TCP: - if (mode == NULL || - STREQ(mode, "connect")) { - if (connectHost == NULL) { + if (!mode || STREQ(mode, "connect")) { + if (!connectHost) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source host attribute for char device")); goto error; } - if (connectService == NULL) { + + if (!connectService) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source service attribute for char device")); goto error; @@ -7020,12 +7020,13 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, connectService = NULL; def->data.tcp.listen = false; } else { - if (bindHost == NULL) { + if (!bindHost) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source host attribute for char device")); goto error; } - if (bindService == NULL) { + + if (!bindService) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source service attribute for char device")); goto error; @@ -7038,7 +7039,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, def->data.tcp.listen = true; } - if (protocol == NULL) + if (!protocol) def->data.tcp.protocol = VIR_DOMAIN_CHR_TCP_PROTOCOL_RAW; else if ((def->data.tcp.protocol = virDomainChrTcpProtocolTypeFromString(protocol)) < 0) { @@ -7050,7 +7051,7 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def, break; case VIR_DOMAIN_CHR_TYPE_UDP: - if (connectService == NULL) { + if (!connectService) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Missing source service attribute for char device")); goto error; -- 1.8.3.2
On 26.09.2013 09:28, Peter Krempa wrote:
Peter Krempa (2): conf: Don't crash on invalid chardev source definition of RNGs and other conf: clean up virDomainChrSourceDefParseXML
src/conf/domain_conf.c | 68 +++++++++++----------- .../qemuxml2argv-virtio-rng-egd-crash.xml | 27 +++++++++ tests/qemuxml2argvtest.c | 2 + 3 files changed, 64 insertions(+), 33 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
ACK and definitely 1.1.3 material. Michal
On 09/26/13 13:31, Michal Privoznik wrote:
On 26.09.2013 09:28, Peter Krempa wrote:
Peter Krempa (2): conf: Don't crash on invalid chardev source definition of RNGs and other conf: clean up virDomainChrSourceDefParseXML
src/conf/domain_conf.c | 68 +++++++++++----------- .../qemuxml2argv-virtio-rng-egd-crash.xml | 27 +++++++++ tests/qemuxml2argvtest.c | 2 + 3 files changed, 64 insertions(+), 33 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-egd-crash.xml
ACK and definitely 1.1.3 material.
Michal
Pushed; Thanks! Peter
participants (2)
-
Michal Privoznik -
Peter Krempa