mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-02-22 19:32:19 +00:00
265680c58e
Commit febf84c2 tried to delay in-memory modification of the actual domain disk structure until after the qemu event was received. However, I missed that the code for block pivot had been temporarily setting disk->src = disk->mirror prior to the qemu command, in order to label the backing chain of a reused external blockcopy disk; and calls into qemu while still in that state before finally undoing things at the cleanup label. Since the qemu event handler then does: virStorageSourceFree(disk->src); disk->src = disk->mirror; we have the sad race that a fast enough qemu event can cause a leak of the original disk->src, as well as a use-after-free of the disk->mirror contents, bad enough to crash libvirtd in some of my test runs, even though the common case of the qemu event being much later won't trip the race. I'll go wear the brown paper bag of shame, for introducing a crasher in between rc1 and rc2 of the freeze for 1.2.7 :( My only consolation is that virDomainBlockJobAbort requires the domain:write ACL, so it is not a CVE. The valgrind report when the race occurs looks like: ==25612== Invalid read of size 4 ==25612== at 0x50E7C90: virStorageSourceGetActualType (virstoragefile.c:1948) ==25612== by 0x209C0B18: qemuDomainDetermineDiskChain (qemu_domain.c:2473) ==25612== by 0x209D7F6A: qemuProcessHandleBlockJob (qemu_process.c:1087) ==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357) ... ==25612== Address 0xe4b5610 is 0 bytes inside a block of size 200 free'd ==25612== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==25612== by 0x50839E9: virFree (viralloc.c:582) ==25612== by 0x50E7E51: virStorageSourceFree (virstoragefile.c:2015) ==25612== by 0x209D7EFF: qemuProcessHandleBlockJob (qemu_process.c:1073) ==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357) * src/qemu/qemu_driver.c (qemuDomainBlockPivot): Don't corrupt disk->src, and only label chain for blockcopy. Signed-off-by: Eric Blake <eblake@redhat.com>
LibVirt : simple API for virtualization
Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.
Daniel Veillard <veillard@redhat.com>