[libvirt] [PATCH] Only parse 'CPU XML' in virCPUDefParseXML()

Jim Fehlig jfehlig at novell.com
Thu Apr 1 00:21:23 UTC 2010

I received a report of user crashing libvirtd with

  virsh capabilities > capabilities.xml
  virsh cpu-compare capabilities.xml

Breakpoint 1, x86ModelFind (map=0x6fb6f0, name=0x0) at cpu/cpu_x86.c:501
501         model = map->models;
(gdb) bt
#0  x86ModelFind (map=0x6fb6f0, name=0x0) at cpu/cpu_x86.c:501
#1  0x00007ffff70d0832 in x86ModelFromCPU (cpu=0x712070, map=0x6fb6f0,
policy=1) at cpu/cpu_x86.c:541
#2  0x00007ffff70d12e9 in x86Compute (host=0x6ea610, cpu=0x712070,
guest=0x0) at cpu/cpu_x86.c:822
#3  0x00007ffff70d1750 in x86Compare (host=0x6ea610, cpu=0x712070) at
#4  0x00007ffff70cf0c9 in cpuCompare (conn=0x6f69a0, host=0x6ea610,
cpu=0x712070) at cpu/cpu.c:118
#5  0x00007ffff70ceff4 in cpuCompareXML (conn=0x6f69a0, host=0x6ea610,
    xml=0x6fa3e0 "<capabilities>\n\n  <host>\n    <cpu>\n     
<arch>x86_64</arch>\n      <features>\n        <pae/>\n     
</features>\n    </cpu>\n    <migration_features>\n      <live/>\n     
<uri_transports>\n        <uri_tra"...) at cpu/cpu.c:90
(gdb) n
503             if (STREQ(model->name, name))

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4ff4960 in strcmp () from /lib64/libc.so.6

name, passed to x86ModelFind(), is NULL because virCPUDefParseXML()
failed to parse anything meaningful from the "malformed" CPU XML.

I waffled for quite a while on how to fix this and in the end decided to
ensure the CPU XML passed to virCPUDefParseXML() does in fact contain an
element named 'cpu'.  AFAICT, all consumers of virCPUDefParseXML() pass
an xmlNodePtr rooted at 'cpu' element.

NB: I will be offline until Monday so if this patch is satisfactory
please include it for 0.7.8/0.8.0 release :-).  Otherwise I'll respin
with suggested changes next week.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cpu-xml.patch
Type: text/x-patch
Size: 1090 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100331/e8df7259/attachment-0001.bin>

More information about the libvir-list mailing list