From d0b7495479db0593a8e3c944558fd8551f5f6e8c Mon Sep 17 00:00:00 2001
Message-Id:
From: Peter Krempa
Date: Fri, 14 Mar 2014 17:50:53 +0100
Subject: [PATCH] qemu: monitor: Fix invalid parentheses

https://bugzilla.redhat.com/show_bug.cgi?id=1075973

RHEL-only: the code in question is handling a downstream command

A typo in parentheses in a condition checking the success of a monitor
command led to a crash of libvirtd if the monitor command isn't
successful.

Bug introduced in 1.1.1-15.el7, with commit 673fabaf in response to BZ
1026966. Unfortunately it has been present since at least RHEL 6.3, BZ
573946.

The error path uses a combination of "ret == 0" and "ret < 0" error
checks. Due to this fact, the disk definition parsed from the user input
is added to the domain definition but at the same time it's freed at the
end of the AttachDevice API. When the domain is destroyed afterwards, a
use-after-free error leads to a crash in random places when freeing the
disk in question.

To reproduce, use the attached reproducer with ANY disk definition
supported (gluster as stated in the original report isn't required).

Reproducer:

diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 502b977..afcf603 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -28,6 +28,7 @@ #include #include #include +#include #include "qemu_monitor.h" #include "qemu_monitor_text.h"
@@ -3003,6 +3004,8 @@ int qemuMonitorAddDrive(qemuMonitorPtr mon, return -1; } + kill(mon->vm->pid, 9); + if (mon->json) ret = qemuMonitorJSONAddDrive(mon, drivestr); else

Signed-off-by: Jiri Denemark
---
 src/qemu/qemu_monitor_json.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 7b7992f..4f73813 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -3136,7 +3136,7 @@ int qemuMonitorJSONAddDrive(qemuMonitorPtr mon, } args = NULL; /* cmd owns reference to args now */ - if ((ret = qemuMonitorJSONCommand(mon, cmd, &reply) < 0)) + if ((ret = qemuMonitorJSONCommand(mon, cmd, &reply)) < 0) goto cleanup; if (qemuMonitorJSONHasError(reply, "CommandNotFound")) { -- 1.9.0
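Review bot: the reproducer is pasted into the commit message as raw diff text (the `@@ -28,6 +28,7 @@` and `@@ -3003,6 +3004,8 @@` hunks against src/qemu/qemu_monitor.c appear before the `---` separator), and `git am` / `git mailinfo` treat the first line starting with `diff -` as the beginning of the patch, so applying this mail as-is would truncate the message at "Reproducer:" and try to apply the `+ kill(mon->vm->pid, 9);` hunk together with the real fix. Indent the reproducer or ship it as an attachment rather than bare diff text. Minor: `9` would read better as `SIGKILL`, and the `+#include` line of the first hunk has lost its header name in this copy, so the reproducer is not applicable as shown.

Review bot: the corrected line in the `@@ -3136,7 +3136,7 @@` hunk is right, but the assign-and-compare idiom is what let the typo through: the extra parentheses around the assignment are exactly what suppress gcc's -Wparentheses warning for an assignment used as a truth value, so nothing flagged that the old line assigned `ret = (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)`, i.e. 1 on failure and 0 on success. A failed command therefore reached `goto cleanup` with `ret == 1`, which the callers' `ret < 0` check reads as success while their `ret == 0` check reads as failure, the attach-then-free sequence the commit message describes. Consider splitting the statement, `ret = qemuMonitorJSONCommand(mon, cmd, &reply); if (ret < 0) goto cleanup;`, so the value stored in `ret` can never be a comparison result.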
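As an added C model of the failure the commit message describes (constructed example, not libvirt code and not part of this patch): `mock_monitor_command`, `add_drive_buggy`, `add_drive_fixed` and the `attach_disk` caller are stand-ins for qemuMonitorJSONCommand(), the pre- and post-patch condition in qemuMonitorJSONAddDrive(), and the AttachDevice path whose `ret < 0` and `ret == 0` checks the message mentions. It shows why `ret` came back as 1 instead of -1 and how that single value passes one check and fails the other, so the disk ends up both attached to the domain and freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for qemuMonitorJSONCommand(): 0 on success, -1 on failure.
 * (Constructed mock; the real call also fills in a reply object.) */
static int mock_monitor_command(int should_fail)
{
    return should_fail ? -1 : 0;
}

/* Condition as it read before the patch. Precedence makes this
 * ret = (mock_monitor_command(...) < 0): ret receives the boolean of the
 * comparison, 1 when the command failed, 0 when it worked. */
static int add_drive_buggy(int should_fail)
{
    int ret;

    if ((ret = mock_monitor_command(should_fail) < 0))
        goto cleanup;
    /* reply handling would continue here on success */
 cleanup:
    return ret;            /* never negative: 1 on failure, 0 on success */
}

/* Condition as corrected by the patch: ret receives the command's status. */
static int add_drive_fixed(int should_fail)
{
    int ret;

    if ((ret = mock_monitor_command(should_fail)) < 0)
        goto cleanup;
 cleanup:
    return ret;            /* -1 on failure, 0 on success */
}

enum outcome {
    OUTCOME_REJECTED,           /* error seen, disk freed, never attached */
    OUTCOME_ATTACHED,           /* success, disk now owned by the domain */
    OUTCOME_ATTACHED_AND_FREED  /* the bug: attached to the domain AND freed */
};

struct disk { const char *path; };
struct domain { struct disk *disks[4]; int ndisks; };

/* Minimal model of the AttachDevice caller: "failed?" is decided with
 * ret < 0, "ownership moved to the domain?" with ret == 0. A ret of 1
 * satisfies neither consistently. */
static enum outcome attach_disk(struct domain *dom, int (*add_drive)(int),
                                int should_fail)
{
    enum outcome res;
    int attached = 0;
    int ret;
    struct disk *disk = calloc(1, sizeof(*disk));

    if (!disk || dom->ndisks >= 4)
        abort();
    disk->path = "constructed-disk.img";

    ret = add_drive(should_fail);
    if (ret < 0) {                            /* check 1: "ret < 0" */
        res = OUTCOME_REJECTED;
        goto cleanup;
    }
    dom->disks[dom->ndisks++] = disk;         /* domain now points at disk */
    attached = 1;
    res = OUTCOME_ATTACHED;

 cleanup:
    if (ret == 0)                             /* check 2: "ret == 0" */
        disk = NULL;                          /* ownership moved, don't free */
    if (disk && attached) {
        /* ret == 1 lands here: the domain references disk, yet it is about
         * to be freed. libvirtd crashed on domain teardown; the model unlinks
         * the pointer so the demo itself stays well-defined. */
        dom->disks[--dom->ndisks] = NULL;
        res = OUTCOME_ATTACHED_AND_FREED;
    }
    free(disk);
    return res;
}

/* One attach against a fresh domain, followed by the domain's own teardown. */
static enum outcome run_attach(int (*add_drive)(int), int should_fail)
{
    struct domain dom = { {0}, 0 };
    enum outcome res = attach_disk(&dom, add_drive, should_fail);

    while (dom.ndisks > 0)
        free(dom.disks[--dom.ndisks]);
    return res;
}

int main(void)
{
    printf("buggy, command fails: ret=%d outcome=%d\n",
           add_drive_buggy(1), (int)run_attach(add_drive_buggy, 1));
    printf("fixed, command fails: ret=%d outcome=%d\n",
           add_drive_fixed(1), (int)run_attach(add_drive_fixed, 1));
    printf("fixed, command works: ret=%d outcome=%d\n",
           add_drive_fixed(0), (int)run_attach(add_drive_fixed, 0));
    return 0;
}
```

The buggy variant never returns a negative value, which is why the caller's `ret < 0` test cannot catch the failure; only the later `ret == 0` test notices something is off, and by then the disk is already linked into the domain definition.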