[libvirt] [PATCH] conf: fix crash when parse a invalid vcpus in virDomainThreadSchedParse()
Luyao Huang
lhuang at redhat.com
Fri Apr 10 12:06:59 UTC 2015
On 04/10/2015 06:43 PM, Erik Skultety wrote:
>
> On 04/09/2015 09:39 AM, Luyao Huang wrote:
>> When we set a invalid vcpus in /domain/cputune/vcpusched, like this:
>>
>> <vcpusched vcpus='0,^0' scheduler='fifo' priority='1'/>
>>
>> libvirtd will get segfault, because we will free bitmap (here is sp->ids) we
>> passed in virBitmapParse() then return -1, then call virBitmapIsAllClear() with
>> a null pointer bitmap will crash libvirtd.
>>
>> Split this check in two part to report parse error when cannot parse vcpus,
>> and report invalid argument error when the cpu number is not correct.
>>
>> virBitmapIsAllClear (bitmap=0x0) at util/virbitmap.c:649
>> 649 for (i = 0; i < bitmap->map_len; i++)
>> (gdb) bt
>> #0 virBitmapIsAllClear (bitmap=0x0) at util/virbitmap.c:649
>> #1 0x00007f28322f1245 in virDomainThreadSchedParse at conf/domain_conf.c:13464
>> #2 0x00007f283238aec8 in virDomainDefParseXML at conf/domain_conf.c:14059
>> #3 0x00007f2832390ddb in virDomainDefParseNode at conf/domain_conf.c:15588
>> #4 0x00007f2832390f02 in virDomainDefParse at conf/domain_conf.c:15530
>> #5 0x00007f2832390f53 in virDomainDefParseString at conf/domain_conf.c:15546
>> #6 0x00007f2819d8e8de in qemuDomainDefineXMLFlags at qemu/qemu_driver.c:7385
>>
>> Signed-off-by: Luyao Huang <lhuang at redhat.com>
>> ---
>> src/conf/domain_conf.c | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
>> index 1763305..46dfea1 100644
>> --- a/src/conf/domain_conf.c
>> +++ b/src/conf/domain_conf.c
>> @@ -13473,12 +13473,11 @@ virDomainThreadSchedParse(xmlNodePtr node,
>> goto error;
>> }
>>
>> - if (!virBitmapParse(tmp, 0, &sp->ids,
>> - VIR_DOMAIN_CPUMASK_LEN) ||
>> - virBitmapIsAllClear(sp->ids) ||
> This line ^ should be left as is, see below.
>> - virBitmapNextSetBit(sp->ids, -1) < minid ||
>> - virBitmapLastSetBit(sp->ids) > maxid) {
>> + if (virBitmapParse(tmp, 0, &sp->ids, VIR_DOMAIN_CPUMASK_LEN) < 0)
>> + goto error;
> Although this line is correct, the problem resides in the virBitmapParse
> function itself. The virBitmapIsAllClear check should be removed from
> there and placed to every relevant place after the virBitmapParse call.
Oh, i see, reasonable to me, thanks for pointing out this :)
>
>> + if (virBitmapNextSetBit(sp->ids, -1) < minid ||
>> + virBitmapLastSetBit(sp->ids) > maxid) {
>> virReportError(VIR_ERR_XML_ERROR,
>> _("Invalid value of '%s': %s"),
>> name, tmp);
>>
> I sent 2 patches to the list, first adding the checks to
> relevant spots and the second partially reverting commit 983f5a
> which broke the virBitmapParse logic.
Okay, so no need I write a new version :)
Thanks for your review
> Erik
Luyao
More information about the libvir-list
mailing list