Attached is the proposed debdiff for SRU. It also includes the updated patch for Bug #571093.
** Description changed: I was testing attaching and detaching an AoE block device and all was going fine until I tried to attach a device twice in a row without changing the target device. Doing so resulted in a segfault. My example uses AoE but I bet any disk type='block' would work. This is easily a local DoS for libvirtd for anyone one in the libvirtd group or more than likely a remote user who has access to qemu+ssh://<vuln host>/system. This happens with the apparmor security driver disabled too (ie, edit /etc/libvirt/qemu.conf to have 'security = "none"' and restart /etc/init.d/libvirt-bin). Eg: $ cat > /tmp/aoe.xml << EOM <disk type='block'> - <driver name='virtio'/> - <source dev='/dev/etherd/e2.2'/> - <target dev='vda' bus='virtio'/> + <driver name='virtio'/> + <source dev='/dev/etherd/e2.2'/> + <target dev='vda' bus='virtio'/> </disk> EOM - - $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml + + $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml Connecting to uri: qemu:///system Device attached successfully - $ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml + $ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml Connecting to uri: qemu:///system Device detached successfully - $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml + $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml Connecting to uri: qemu:///system Device attached successfully - $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml + $ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml Connecting to uri: qemu:///system error: Failed to attach device from /tmp/aoe.xml error: server closed connection $ dmesg| tail -1 [ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000] - - If you start libvirtd in another window under gdb, you can see the issue: + If you start libvirtd in another window under gdb, you can see the + issue: $ sudo gdb libvirtd GNU gdb (GDB) 7.0-ubuntu Copyright (C) 2009 Free Software Foundation, Inc. 
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/sbin/libvirtd...(no debugging symbols found)...done. (gdb) run - Starting program: /usr/sbin/libvirtd + Starting program: /usr/sbin/libvirtd [Thread debugging using libthread_db enabled] 16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address 16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address [New Thread 0x7f8fb8346910 (LWP 4645)] [New Thread 0x7f8fb7b45910 (LWP 4646)] [New Thread 0x7f8fb7344910 (LWP 4647)] [New Thread 0x7f8fb6b43910 (LWP 4648)] [New Thread 0x7f8fb6342910 (LWP 4649)] WARNING: Unhandled message: interface=org.freedesktop.DBus.Introspectable, path=/, member=Introspect 16:26:11.730: error : qemudDomainAttachPciDiskDevice:4857 : operation failed: target vda already exists libvir: QEMU error : operation failed: target vda already exists Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f8fb7344910 (LWP 4647)] 0x00000000004345f2 in ?? () (gdb) bt #0 0x00000000004345f2 in ?? () #1 0x000000000043489c in ?? () #2 0x0000000000434b94 in ?? () #3 0x0000000000434d91 in ?? () #4 0x000000000042cc2a in ?? () #5 0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0 #6 0x000000000041dddf in ?? () #7 0x000000000041f5c6 in ?? () #8 0x000000000041f884 in ?? () #9 0x0000000000413a5c in ?? 
() #10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>) - at pthread_create.c:300 + at pthread_create.c:300 #11 0x00007f8fbaa657bd in clone () - at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 + at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #12 0x0000000000000000 in ?? () + + ==== + SRU: + * IMPACT: If affected, libvirtd will crash unexpectedly when attempting to attach a disk device to a running Virtual Machine when it is already attached. + * ADDRESSED: The patch prevents libvirt from entering a code path when cgroups are not used, thus preventing a NULL Pointer Exception/Dereference from occuring. + * PATCH: Modification of my attached patch to match upstream patch. + * TEST CASE: + + 1. Create/use any existing KVM virtual machine + 2. Insert the contents below into a file called /tmp/455832-testcase.xml + + --- + <disk type='block'> + <driver name='virtio'/> + <source dev='/dev/sdd'/> + <target dev='vdc' bus='virtio'/> + </disk> + --- + N.B. Change /dev/sdd to a device that exists, such as a blank USB Thumbdrive, ensure it is not mounted on the running system + + 3. Run "virsh attach-device <vmname> /tmp/455832-testcase.xml" twice + 4. libvirt will crash unexpectedly w/o patch applied, will not crash w/ patch. + 5. Refer to comment #8 for output details. + + * REGRESSION POTENTIAL: Patch is pretty simple, have been in upstream for 8 months+ and is in Maverick at the moment without complaint. + + Note, also includes updated patch for Bug #571093. + ==== ** Patch added: "0.7.5-5ubuntu27.3 Debdiff" https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/455832/+attachment/1520534/+files/455832-SRU.debdiff -- segfault when attaching disk with same physical device https://bugs.launchpad.net/bugs/455832
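Review bot: the TEST CASE added in the SRU section never establishes the condition that the ADDRESSED line ties the crash to, namely that cgroups are not in use on the host. The gdb session earlier in the description shows "Unable to create cgroup for driver" warnings at libvirtd startup, before the SIGSEGV, so by the ADDRESSED wording a verifier whose libvirtd does set up its cgroup could see no crash at step 4 with or without the patch and wrongly mark the fix verified. Suggest adding a step before step 3 that confirms libvirtd logged that warning at startup, and replacing "Refer to comment #8 for output details" in step 5 with the expected result stated inline: the second attach fails with the "target ... already exists" error and libvirtd keeps running.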