[PATCH] security: fix virSecurityManagerGetNested access illegal address
gongwei at smartx.com
gongwei at smartx.com
Mon Apr 26 09:23:15 UTC 2021
When libvirtd is stopped, it exits the event loop and cleans up
the driverState first, and only then releases the threadPool. If a worker
thread is still executing at that point, it still needs to access driverState.
If the contents of driverState are not checked before use, direct access
causes an abnormal exit and corrupts libvirt's cache files.
In our example, the migration task is in progress at this time,
the source is waiting for the target libvirtd dstFinish to return,
the source libvirtd is stopped, and a crash occurs. After start libvirtd,
the corresponding virtual machine process cannot be managed by libvirt
stack:
#0 virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
1033 if (STREQ("stack", mgr->drv->name))
(gdb) bt
#0 virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
#1 0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver at entry=0x7f7614111060)
at qemu/qemu_conf.c:1043
#2 0x00007f761c3168b3 in virQEMUDriverGetCapabilities (driver=0x7f7614111060,
refresh=<optimized out>) at qemu/qemu_conf.c:1103
#3 0x00007f761c334d16 in qemuMigrationCookieXMLParse (flags=32, ctxt=0x7f76040040c0,
doc=0x7f76040425c0, driver=0x7f7614111060, mig=0x7f760400ee10)
at qemu/qemu_migration_cookie.c:1209
#4 qemuMigrationCookieXMLParseStr (flags=32,
xml=0x7f7604004580 "<qemu-migration>\n <name>519ed304-375a-4819-a2d5-2f0ba662b9bc</name>
049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
<hostname>gongwei-nestedcluster-20210330042359-1</me>
<hostuuid>41d69"..., driver=0x7f7614111060, mig=0x7f760400ee10)
at qemu/qemu_migration_cookie.c:1404
#5 qemuMigrationEatCookie (driver=driver at entry=0x7f7614111060, dom=dom at entry=0x7f7604001ac0,
cookiein=cookiein at entry=0x7f7604004580 "<qemu-migration>
<name>519ed304-375a-4819-a2d5-2f09bc</name>
<uuid>049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
<hostname>gongwei-nestedcluste0330042359-1</hostname>
<hostuuid>41d69"..., cookieinlen=cookieinlen at entry=1410,
flags=flags at entry=32) at qemu/qemu_migration_cookie.c:1501
#6 0x00007f761c3291d5 in qemuMigrationSrcConfirmPhase (driver=driver at entry=0x7f7614111060,
vm=vm at entry=0x7f7604001ac0,
cookiein=0x7f7604004580 "<qemu-migration>
<name>519ed304-375a-4819-a2d5-2f0ba662b9bc</nameuuid>049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
<hostname>gongwei-nestedcluster-2021033004235ostname>
<hostuuid>41d69"..., cookieinlen=1410, flags=14875, retcode=retcode at entry=0)
at qemu/qemu_migration.c:2805
#7 0x00007f761c331539 in qemuMigrationSrcPerformPeer2Peer3 (flags=14875, useParams=true,
bandwidth=0, migParams=0x7f760400f070, nbdPort=0, migrate_disks=<optimized out>,
nmigrate_disks=0, listenAddress=<optimized out>, graphicsuri=<optimized out>,
uri=<optimized out>, dname=0x0, persist_xml=0x0, xmlin=<optimized out>, vm=0x7f7604001ac0,
dconnuri=0x7f7604000df0 "qemu+tcp://10.181.177.170/system", dconn=0x7f7604021680,
sconn=0x7f7608001410, driver=0x7f7614111060) at qemu/qemu_migration.c:4202
(gdb) frame 1
#1 0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver at entry=0x7f7614111060)
at qemu/qemu_conf.c:1043
1043 if (!(sec_managers = qemuSecurityGetNested(driver->securityManager)))
(gdb) p *(driver->securityManager)
$2 = {parent = {parent = {u = {dummy_align1 = 140145119544368, dummy_align2 = 0x7f7614114430, s =
magic = 336675888, refs = 32630}}, klass = 0xdeadbeef}, lock = {lock = {__data = {
__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision
__list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0
drv = 0x0, flags = 0, virtDriver = 0x0, privateData = 0x0}
if (STREQ("stack", mgr->drv->name) mgr->drv is 0x0
Signed-off-by: gongwei <gongwei at smartx.com>
---
src/security/security_manager.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d8b84e2861..96ca9ee861 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1030,6 +1030,9 @@ virSecurityManagerGetNested(virSecurityManager *mgr)
{
virSecurityManager ** list = NULL;
+ if (mgr == NULL || mgr->drv == NULL)
+ return NULL;
+
if (STREQ("stack", mgr->drv->name))
return virSecurityStackGetNested(mgr);
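Review bot: The guard added before the STREQ in virSecurityManagerGetNested dereferences `mgr` whose own gdb dump in the description (`klass = 0xdeadbeef`, `drv = 0x0`) suggests it has already been disposed, so the read of `mgr->drv` is itself a use-after-free and the check only hides the shutdown-ordering bug instead of fixing it. Depending on allocator reuse the same crash can recur with a non-NULL `drv`, and a worker that gets `NULL` back from here will continue on a driver state that is being torn down. The durable fix belongs in the shutdown sequence described in the message: keep the driver state (and its security manager) referenced until the worker pool has drained, or stop the workers before the driver state is freed, so no worker reaches this function with a stale pointer. If the `mgr == NULL` guard is kept as plain API hardening, a comment such as `/* Only guards an uninitialised manager; callers must not pass a disposed one */` would stop readers from reading it as the fix for the crash. The body of virSecurityManagerGetNested continues outside the hunk.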
--
2.24.1