Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read

From:	Richard W.M. Jones
Subject:	Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read
Date:	Tue, 21 May 2013 08:39:25 +0100
User-agent:	Mutt/1.5.20 (2009-12-10)

On Tue, May 21, 2013 at 09:54:15AM +0800, Fam Zheng wrote:
> On Mon, 05/20 09:49, Richard W.M. Jones wrote:
> > On Mon, May 20, 2013 at 09:41:06AM +0100, Richard W.M. Jones wrote:
> > > On Mon, May 20, 2013 at 03:03:34PM +0800, Fam Zheng wrote:
> > > > CURL library API has changed, the current curl driver is not working.
> > > > This patch rewrites the use of API as well as the structure of internal
> > > > states. 
> > > 
> > > I tried this, but it segfaults:
> > > 
> > > Program terminated with signal 11, Segmentation fault.
> > 
> > That stack trace was wrong.  I was testing against the version of
> > libcurl in Fedora which is known to be broken.
> > 
> > Here is the stack trace, this time really running against
> > curl-7_30_0-147-gae26ee3:
> > 
> > Program terminated with signal 11, Segmentation fault.
> > #0  curl_read_cb (ptr=<optimized out>, size=<optimized out>, 
> >     nmemb=<optimized out>, opaque=0x7f63d48ba340) at block/curl.c:240
> > 240         size_t aio_base = acb->sector_num * SECTOR_SIZE;
> 
> Looks like a memory corrupt (QLIST head is invalid pointer). But I can't
> reproduce here with your steps. Can you try qemu-io?
> 
> $LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io 
> http://192.168.0.249/scratch/winxp.img -c 'read 0 512'

This command is successful:

$ LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io 
http://192.168.0.249/scratch/winxp.img -c 'read 0 512'
read 512/512 bytes at offset 0
512 bytes, 1 ops; 0.0000 sec (32.552 MiB/sec and 66666.6667 ops/sec)
$ echo $?
0

Here's another go with guestfish:

$ ulimit -c unlimited
$ LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 LIBGUESTFS_BACKEND=direct 
LIBGUESTFS_QEMU=~/d/qemu/qemu.wrapper LD_LIBRARY_PATH=~/d/curl/lib/.libs 
PATH=~/d/qemu:$PATH ./run ./fish/guestfish -a 
http://192.168.0.249/scratch/winxp.img -i
[...]
[00159ms] /home/rjones/d/qemu/qemu.wrapper \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=http://192.168.0.249/scratch/winxp.img,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -drive 
file=/home/rjones/d/libguestfs/tmp/.guestfs-1000/root.15535,snapshot=on,id=appliance,if=none,cache=unsafe
 \
    -device scsi-hd,drive=appliance \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga \
    -chardev 
socket,path=/home/rjones/d/libguestfs/tmp/libguestfsk9fu9P/guestfsd.sock,id=channel0
 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -kernel /home/rjones/d/libguestfs/tmp/.guestfs-1000/kernel.15535 \
    -initrd /home/rjones/d/libguestfs/tmp/.guestfs-1000/initrd.15535 \
    -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off 
printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 
TERM=xterm-256color'libguestfs: error: appliance closed the connection 
unexpectedly, see earlier error messages
libguestfs: child_cleanup: 0x1db0090: child process died
libguestfs: sending SIGTERM to process 15600
libguestfs: error: /home/rjones/d/qemu/qemu.wrapper killed by signal 11 
(Segmentation fault), see debug messages above
libguestfs: error: guestfs_launch failed, see earlier error messages
libguestfs: trace: launch = -1 (error)
[...]

$ file /tmp/core.15600
/tmp/core.15600: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, 
from '/home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 -L 
/home/rjones/d/qemu/pc'

$ gdb /home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 /tmp/core.15600

[stack trace is the same as before]

#0  curl_read_cb (ptr=<optimized out>, size=<optimized out>, 
    nmemb=<optimized out>, opaque=0x7f4d3c769360) at block/curl.c:240
240         size_t aio_base = acb->sector_num * SECTOR_SIZE;
(gdb) print acb
$1 = (CURLAIOCB *) 0x7575757575757575

Looks like use-after-free?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v3 04/10] curl: fix curl_open, (continued)
- [Qemu-devel] [PATCH v3 04/10] curl: fix curl_open, Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 05/10] curl: add timer to BDRVCURLState, Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 06/10] curl: introduce CURLDataCache, Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 07/10] curl: make use of CURLDataCache., Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 08/10] curl: use list to store CURLState, Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 09/10] curl: add cache quota., Fam Zheng, 2013/05/20
- [Qemu-devel] [PATCH v3 10/10] curl: introduce ssl_no_cert runtime option., Fam Zheng, 2013/05/20
- Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read, Richard W.M. Jones, 2013/05/20
  - Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read, Richard W.M. Jones, 2013/05/20
    - Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read, Fam Zheng, 2013/05/20
    - Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read, Richard W.M. Jones <=
    - Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read, Fam Zheng, 2013/05/21

Prev by Date: Re: [Qemu-devel] [PATCH v2 2/2] net: introduce command to query mac-table information
Next by Date: Re: [Qemu-devel] [PATCH v3 0/8] block: drive-backup live backup command
Previous by thread: Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read
Next by thread: Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read
Index(es):
- Date
- Thread