|
 |
c401cc |
From d0b7495479db0593a8e3c944558fd8551f5f6e8c Mon Sep 17 00:00:00 2001
|
|
|
c401cc |
Message-Id: <d0b7495479db0593a8e3c944558fd8551f5f6e8c@dist-git>
|
|
|
c401cc |
From: Peter Krempa <pkrempa@redhat.com>
|
|
|
c401cc |
Date: Fri, 14 Mar 2014 17:50:53 +0100
|
|
|
c401cc |
Subject: [PATCH] qemu: monitor: Fix invalid parentheses
|
|
|
c401cc |
|
|
|
c401cc |
https://bugzilla.redhat.com/show_bug.cgi?id=1075973
|
|
|
c401cc |
|
|
|
c401cc |
RHEL-only: the code in question is handling a downstream command
|
|
|
c401cc |
|
|
|
c401cc |
A typo in parentheses in a condition checking the success of a monitor
|
|
|
c401cc |
command lead to a crash of libvirtd if the monitor command isn't
|
|
|
c401cc |
successful.
|
|
|
c401cc |
|
|
|
c401cc |
Bug introduced in 1.1.1-15.el7, with commit 673fabaf in response to BZ
|
|
|
c401cc |
1026966. Unfortunately it has been present since at least RHEL 6.3, BZ
|
|
|
c401cc |
573946.
|
|
|
c401cc |
|
|
|
c401cc |
The error path uses a combination of "ret == 0" and "ret < 0" error
|
|
|
c401cc |
checks. Due to this fact the disk definition parsed from the user input
|
|
|
c401cc |
is added to the domain definition but at the same time it's freed at the
|
|
|
c401cc |
end of the AttachDevice API.
|
|
|
c401cc |
|
|
|
c401cc |
When the domain is destroyed afterwards a use-after-free error leads to
|
|
|
c401cc |
a crash on random places when freeing the disk in question.
|
|
|
c401cc |
|
|
|
c401cc |
To reproduce use the attached reproducer with ANY disk definition
|
|
|
c401cc |
supported (gluster as stated in the original report isn't required).
|
|
|
c401cc |
|
|
|
c401cc |
Reproducer:
|
|
|
c401cc |
|
|
|
c401cc |
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
|
|
|
c401cc |
index 502b977..afcf603 100644
|
|
|
c401cc |
--- a/src/qemu/qemu_monitor.c
|
|
|
c401cc |
+++ b/src/qemu/qemu_monitor.c
|
|
|
c401cc |
@@ -28,6 +28,7 @@
|
|
|
c401cc |
#include <sys/un.h>
|
|
|
c401cc |
#include <unistd.h>
|
|
|
c401cc |
#include <fcntl.h>
|
|
|
c401cc |
+#include <signal.h>
|
|
|
c401cc |
|
|
|
c401cc |
#include "qemu_monitor.h"
|
|
|
c401cc |
#include "qemu_monitor_text.h"
|
|
|
c401cc |
@@ -3003,6 +3004,8 @@ int qemuMonitorAddDrive(qemuMonitorPtr mon,
|
|
|
c401cc |
return -1;
|
|
|
c401cc |
}
|
|
|
c401cc |
|
|
|
c401cc |
+ kill(mon->vm->pid, 9);
|
|
|
c401cc |
+
|
|
|
c401cc |
if (mon->json)
|
|
|
c401cc |
ret = qemuMonitorJSONAddDrive(mon, drivestr);
|
|
|
c401cc |
else
|
|
|
c401cc |
|
|
|
c401cc |
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
c401cc |
---
|
|
|
c401cc |
src/qemu/qemu_monitor_json.c | 2 +-
|
|
|
c401cc |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
c401cc |
|
|
|
c401cc |
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
|
|
|
c401cc |
index 7b7992f..4f73813 100644
|
|
|
c401cc |
--- a/src/qemu/qemu_monitor_json.c
|
|
|
c401cc |
+++ b/src/qemu/qemu_monitor_json.c
|
|
|
c401cc |
@@ -3136,7 +3136,7 @@ int qemuMonitorJSONAddDrive(qemuMonitorPtr mon,
|
|
|
c401cc |
}
|
|
|
c401cc |
args = NULL; /* cmd owns reference to args now */
|
|
|
c401cc |
|
|
|
c401cc |
- if ((ret = qemuMonitorJSONCommand(mon, cmd, &reply) < 0))
|
|
|
c401cc |
+ if ((ret = qemuMonitorJSONCommand(mon, cmd, &reply)) < 0)
|
|
|
c401cc |
goto cleanup;
|
|
|
c401cc |
|
|
|
c401cc |
if (qemuMonitorJSONHasError(reply, "CommandNotFound")) {
|
|
|
c401cc |
--
|
|
|
c401cc |
1.9.0
|
|
|
c401cc |
|