[PATCH] security: fix virSecurityManagerGetNested access illegal address

gongwei at smartx.com gongwei at smartx.com
Mon Apr 26 09:23:15 UTC 2021 

    When stop libvirtd is used, libvirtd exits the eventloop and cleans up
    the driverState first. Then release threadPool. If the workers thread
    is still executing at this time, it needs to access driverState.
    If the value in driverState is not judged at this time, direct access
    will cause an abnormal exit and damage the cache file of libvirt.

    In our example, the migration task is in progress at this time,
    the source is waiting for the target libvirtd dstFinish to return,
    the source libvirtd is stopped, and a crash occurs. After start libvirtd,
    the corresponding virtual machine process cannot be managed by libvirt

    stack:
    #0  virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
    1033	    if (STREQ("stack", mgr->drv->name))
    (gdb) bt
    #0  virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
    #1  0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver at entry=0x7f7614111060)
        at qemu/qemu_conf.c:1043
    #2  0x00007f761c3168b3 in virQEMUDriverGetCapabilities (driver=0x7f7614111060,
        refresh=<optimized out>) at qemu/qemu_conf.c:1103
    #3  0x00007f761c334d16 in qemuMigrationCookieXMLParse (flags=32, ctxt=0x7f76040040c0,
        doc=0x7f76040425c0, driver=0x7f7614111060, mig=0x7f760400ee10)
        at qemu/qemu_migration_cookie.c:1209
    #4  qemuMigrationCookieXMLParseStr (flags=32,
        xml=0x7f7604004580 "<qemu-migration>\n  <name>519ed304-375a-4819-a2d5-2f0ba662b9bc</name>
        049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
        <hostname>gongwei-nestedcluster-20210330042359-1</me>
        <hostuuid>41d69"..., driver=0x7f7614111060, mig=0x7f760400ee10)
        at qemu/qemu_migration_cookie.c:1404
    #5  qemuMigrationEatCookie (driver=driver at entry=0x7f7614111060, dom=dom at entry=0x7f7604001ac0,
        cookiein=cookiein at entry=0x7f7604004580 "<qemu-migration>
        <name>519ed304-375a-4819-a2d5-2f09bc</name>
        <uuid>049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
        <hostname>gongwei-nestedcluste0330042359-1</hostname>
        <hostuuid>41d69"..., cookieinlen=cookieinlen at entry=1410,
        flags=flags at entry=32) at qemu/qemu_migration_cookie.c:1501
    #6  0x00007f761c3291d5 in qemuMigrationSrcConfirmPhase (driver=driver at entry=0x7f7614111060,
        vm=vm at entry=0x7f7604001ac0,
        cookiein=0x7f7604004580 "<qemu-migration>
        <name>519ed304-375a-4819-a2d5-2f0ba662b9bc</nameuuid>049152ab-efdf-4aaf-ab08-b57ac1816351</uuid>
        <hostname>gongwei-nestedcluster-2021033004235ostname>
        <hostuuid>41d69"..., cookieinlen=1410, flags=14875, retcode=retcode at entry=0)
        at qemu/qemu_migration.c:2805
    #7  0x00007f761c331539 in qemuMigrationSrcPerformPeer2Peer3 (flags=14875, useParams=true,
        bandwidth=0, migParams=0x7f760400f070, nbdPort=0, migrate_disks=<optimized out>,
        nmigrate_disks=0, listenAddress=<optimized out>, graphicsuri=<optimized out>,
        uri=<optimized out>, dname=0x0, persist_xml=0x0, xmlin=<optimized out>, vm=0x7f7604001ac0,
        dconnuri=0x7f7604000df0 "qemu+tcp://10.181.177.170/system", dconn=0x7f7604021680,
        sconn=0x7f7608001410, driver=0x7f7614111060) at qemu/qemu_migration.c:4202

    (gdb) frame 1
    #1  0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver at entry=0x7f7614111060)
        at qemu/qemu_conf.c:1043
    1043	    if (!(sec_managers = qemuSecurityGetNested(driver->securityManager)))

    (gdb) p *(driver->securityManager)
    $2 = {parent = {parent = {u = {dummy_align1 = 140145119544368, dummy_align2 = 0x7f7614114430, s =
          magic = 336675888, refs = 32630}}, klass = 0xdeadbeef}, lock = {lock = {__data = {
          __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision
          __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0
          drv = 0x0, flags = 0, virtDriver = 0x0, privateData = 0x0}

    if (STREQ("stack", mgr->drv->name)  mgr->drv is 0x0

Signed-off-by: gongwei <gongwei at smartx.com>
---
src/security/security_manager.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d8b84e2861..96ca9ee861 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1030,6 +1030,9 @@ virSecurityManagerGetNested(virSecurityManager *mgr)
{
     virSecurityManager ** list = NULL;
+    if (mgr == NULL || mgr->drv == NULL)
+        return NULL;
+
     if (STREQ("stack", mgr->drv->name))
         return virSecurityStackGetNested(mgr);
--
2.24.1

More information about the libvir-list mailing list