Date: Mon, 26 Apr 2021 17:23:15 +0800
From: "gongwei@smartx.com"
To: libvir-list
Subject: [PATCH] security: fix virSecurityManagerGetNested access illegal address
Message-ID: <202104261723143787491@smartx.com>

When libvirtd is stopped, libvirtd exits the event loop and cleans up
the driverState first. Then the threadPool is released. If a worker thread
is still executing at this time, it needs to access driverState.
If the value in driverState is not checked at this time, direct access
will cause an abnormal exit and damage libvirt's cache file.

In our example, the migration task is in progress at this time,
the source is waiting for the target libvirtd dstFinish to return,
the source libvirtd is stopped, and a crash occurs. After libvirtd is started,
the corresponding virtual machine process cannot be managed by libvirt.

stack:
    #0  virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
    1033     if (STREQ("stack", mgr->drv->name))
    (gdb) bt
    #0  virSecurityManagerGetNested (mgr=0x7f76141143c0) at security/security_manager.c:1033
    #1  0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver@entry=0x7f7614111060)
        at qemu/qemu_conf.c:1043
    #2  0x00007f761c3168b3 in virQEMUDriverGetCapabilities (driver=0x7f7614111060,
        refresh=) at qemu/qemu_conf.c:1103
    #3  0x00007f761c334d16 in qemuMigrationCookieXMLParse (flags=32, ctxt=0x7f76040040c0,
        doc=0x7f76040425c0, driver=0x7f7614111060, mig=0x7f760400ee10)
        at qemu/qemu_migration_cookie.c:1209
    #4  qemuMigrationCookieXMLParseStr (flags=32,
        xml=0x7f7604004580 "\n  519ed304-375a-4819-a2d5-2f0ba662b9bc
        049152ab-efdf-4aaf-ab08-b57ac1816351
        gongwei-nestedcluster-20210330042359-1
        41d69"..., driver=0x7f7614111060, mig=0x7f760400ee10)
        at qemu/qemu_migration_cookie.c:1404
    #5  qemuMigrationEatCookie (driver=driver@entry=0x7f7614111060, dom=dom@entry=0x7f7604001ac0,
        cookiein=cookiein@entry=0x7f7604004580 "
        519ed304-375a-4819-a2d5-2f09bc
        049152ab-efdf-4aaf-ab08-b57ac1816351
        gongwei-nestedcluste0330042359-1
        41d69"..., cookieinlen=cookieinlen@entry=1410,
        flags=flags@entry=32) at qemu/qemu_migration_cookie.c:1501
    #6  0x00007f761c3291d5 in qemuMigrationSrcConfirmPhase (driver=driver@entry=0x7f7614111060,
        vm=vm@entry=0x7f7604001ac0,
        cookiein=0x7f7604004580 "
        519ed304-375a-4819-a2d5-2f0ba662b9bc049152ab-efdf-4aaf-ab08-b57ac1816351
        gongwei-nestedcluster-2021033004235ostname>
        41d69"..., cookieinlen=1410, flags=14875, retcode=retcode@entry=0)
        at qemu/qemu_migration.c:2805
    #7  0x00007f761c331539 in qemuMigrationSrcPerformPeer2Peer3 (flags=14875, useParams=true,
        bandwidth=0, migParams=0x7f760400f070, nbdPort=0, migrate_disks=,
        nmigrate_disks=0, listenAddress=, graphicsuri=,
        uri=, dname=0x0, persist_xml=0x0, xmlin=, vm=0x7f7604001ac0,
        dconnuri=0x7f7604000df0 "qemu+tcp://10.181.177.170/system", dconn=0x7f7604021680,
        sconn=0x7f7608001410, driver=0x7f7614111060) at qemu/qemu_migration.c:4202
    (gdb) frame 1
    #1  0x00007f761c31660e in virQEMUDriverCreateCapabilities (driver=driver@entry=0x7f7614111060)
        at qemu/qemu_conf.c:1043
    1043     if (!(sec_managers = qemuSecurityGetNested(driver->securityManager)))
    (gdb) p *(driver->securityManager)
    $2 = {parent = {parent = {u = {dummy_align1 = 140145119544368, dummy_align2 = 0x7f7614114430, s =
          magic = 336675888, refs = 32630}}, klass = 0xdeadbeef}, lock = {lock = {__data = {
          __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision
          __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' , __align = 0
          drv = 0x0, flags = 0, virtDriver = 0x0, privateData = 0x0}
    if (STREQ("stack", mgr->drv->name)  mgr->drv is 0x0

Signed-off-by: gongwei
---
 src/security/security_manager.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d8b84e2861..96ca9ee861 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1030,6 +1030,9 @@ virSecurityManagerGetNested(virSecurityManager *mgr)
 {
     virSecurityManager ** list = NULL;
+    if (mgr == NULL || mgr->drv == NULL)
+        return NULL;
+
     if (STREQ("stack", mgr->drv->name))
         return virSecurityStackGetNested(mgr);
-- 
2.24.1
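Review bot: the added `mgr == NULL || mgr->drv == NULL` check in the hunk papers over a use-after-free instead of fixing it. The gdb dump in the commit message shows `klass = 0xdeadbeef` and `drv = 0x0` for `*(driver->securityManager)`, i.e. the security manager object has already been disposed by the time the worker thread reaches virSecurityManagerGetNested, so reading `mgr->drv` here is still a read of freed memory that only happens to see zeros today. The ordering problem described in the message (driverState cleaned up before the threadPool is released) has to be fixed in the libvirtd shutdown path by stopping and draining the worker threads before the driver state is torn down; at most this check is a defensive addition on top of that, and it should then report an error, since returning bare NULL leaves the caller at qemu/qemu_conf.c:1043 (`if (!(sec_managers = qemuSecurityGetNested(...)))`) failing with nothing to log. Separately, the patch as posted cannot be applied: the leading whitespace of the hunk's context and `+` lines is encoded as `=C2=A0` (U+00A0 non-breaking space) rather than ASCII spaces, so the context lines lack their ' ' diff marker and the added lines contain non-ASCII whitespace that is not valid in C source; please resend with git send-email.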