From: "Richard W.M. Jones" <rjones@redhat.com>
To: qemu-devel@nongnu.org, kwolf@redhat.com, jcody@redhat.com,
	stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read
Date: Tue, 21 May 2013 08:39:25 +0100	[thread overview]
Message-ID: <20130521073925.GL4515@redhat.com> (raw)
In-Reply-To: <20130521015415.GA7100@localhost.nay.redhat.com>

On Tue, May 21, 2013 at 09:54:15AM +0800, Fam Zheng wrote:
> On Mon, 05/20 09:49, Richard W.M. Jones wrote:
> > On Mon, May 20, 2013 at 09:41:06AM +0100, Richard W.M. Jones wrote:
> > > On Mon, May 20, 2013 at 03:03:34PM +0800, Fam Zheng wrote:
> > > > CURL library API has changed, the current curl driver is not working.
> > > > This patch rewrites the use of API as well as the structure of internal
> > > > states. 
> > > 
> > > I tried this, but it segfaults:
> > > 
> > > Program terminated with signal 11, Segmentation fault.
> > 
> > That stack trace was wrong.  I was testing against the version of
> > libcurl in Fedora which is known to be broken.
> > 
> > Here is the stack trace, this time really running against
> > curl-7_30_0-147-gae26ee3:
> > 
> > Program terminated with signal 11, Segmentation fault.
> > #0  curl_read_cb (ptr=<optimized out>, size=<optimized out>, 
> >     nmemb=<optimized out>, opaque=0x7f63d48ba340) at block/curl.c:240
> > 240         size_t aio_base = acb->sector_num * SECTOR_SIZE;
> 
> Looks like memory corruption (QLIST head is an invalid pointer). But I can't
> reproduce here with your steps. Can you try qemu-io?
> 
> $ LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io http://192.168.0.249/scratch/winxp.img -c 'read 0 512'

This command is successful:

$ LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io http://192.168.0.249/scratch/winxp.img -c 'read 0 512'
read 512/512 bytes at offset 0
512 bytes, 1 ops; 0.0000 sec (32.552 MiB/sec and 66666.6667 ops/sec)
$ echo $?
0

Here's another go with guestfish:

$ ulimit -c unlimited
$ LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 LIBGUESTFS_BACKEND=direct LIBGUESTFS_QEMU=~/d/qemu/qemu.wrapper LD_LIBRARY_PATH=~/d/curl/lib/.libs PATH=~/d/qemu:$PATH ./run ./fish/guestfish -a http://192.168.0.249/scratch/winxp.img -i
[...]
[00159ms] /home/rjones/d/qemu/qemu.wrapper \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=http://192.168.0.249/scratch/winxp.img,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -drive file=/home/rjones/d/libguestfs/tmp/.guestfs-1000/root.15535,snapshot=on,id=appliance,if=none,cache=unsafe \
    -device scsi-hd,drive=appliance \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga \
    -chardev socket,path=/home/rjones/d/libguestfs/tmp/libguestfsk9fu9P/guestfsd.sock,id=channel0 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -kernel /home/rjones/d/libguestfs/tmp/.guestfs-1000/kernel.15535 \
    -initrd /home/rjones/d/libguestfs/tmp/.guestfs-1000/initrd.15535 \
    -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color'
libguestfs: error: appliance closed the connection unexpectedly, see earlier error messages
libguestfs: child_cleanup: 0x1db0090: child process died
libguestfs: sending SIGTERM to process 15600
libguestfs: error: /home/rjones/d/qemu/qemu.wrapper killed by signal 11 (Segmentation fault), see debug messages above
libguestfs: error: guestfs_launch failed, see earlier error messages
libguestfs: trace: launch = -1 (error)
[...]

$ file /tmp/core.15600
/tmp/core.15600: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 -L /home/rjones/d/qemu/pc'

$ gdb /home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 /tmp/core.15600

[stack trace is the same as before]

#0  curl_read_cb (ptr=<optimized out>, size=<optimized out>, 
    nmemb=<optimized out>, opaque=0x7f4d3c769360) at block/curl.c:240
240         size_t aio_base = acb->sector_num * SECTOR_SIZE;
(gdb) print acb
$1 = (CURLAIOCB *) 0x7575757575757575

Looks like use-after-free?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
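The pointer gdb printed for acb in the message above, 0x7575757575757575, has every byte equal to 0x75, which is the shape a dangling pointer takes when an allocator or a debug layer fills freed memory with a fixed byte. The following C program is an added illustration, not code from QEMU, libcurl or anyone in this thread. It models the situation the report describes with a one-slot arena that poisons on free, binds a curl-style read callback to an opaque owner, frees the owner before the transfer completes, and shows the callback reading the poison pattern where the list link used to be; the fixed ordering detaches the transfer before the free. The poison byte 0x75, the trimmed CURLAIOCB layout, and the transfer_start/transfer_cancel/transfer_complete functions are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed poison byte for freed memory: 0x75 only because every byte of the
 * dangling acb pointer in the report read 0x75. No real allocator is modelled. */
#define POISON_BYTE 0x75

typedef struct CURLAIOCB {
    struct CURLAIOCB *next;  /* list link, standing in for a QLIST entry */
    int64_t sector_num;
} CURLAIOCB;

/* One-slot arena in place of malloc/free; a union keeps the bytes inspectable
 * after "free" without undefined behaviour, so the poison is visible. */
static union { CURLAIOCB acb; unsigned char bytes[sizeof(CURLAIOCB)]; } slot;

static CURLAIOCB *acb_alloc(int64_t sector_num)
{
    memset(&slot, 0, sizeof slot);
    slot.acb.sector_num = sector_num;
    return &slot.acb;
}

static void acb_free(CURLAIOCB *acb)
{
    memset(acb, POISON_BYTE, sizeof *acb);  /* poison on free */
}

/* A transfer registered with the I/O library: callback plus the opaque owner
 * it is handed, as a curl read callback is bound to its request (assumed). */
static struct {
    size_t (*cb)(void *, size_t, size_t, void *);
    void *opaque;
    unsigned char observed_next[sizeof(void *)];  /* bytes of acb->next seen */
    int fired;
} transfer;

/* Same shape as curl_read_cb: treats opaque as the owning acb. */
static size_t read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
{
    CURLAIOCB *acb = opaque;
    (void)ptr;
    memcpy(transfer.observed_next, &acb->next, sizeof transfer.observed_next);
    transfer.fired = 1;
    return size * nmemb;
}

static void transfer_start(CURLAIOCB *acb)
{
    transfer.cb = read_cb;
    transfer.opaque = acb;
    transfer.fired = 0;
}

/* Library side: data arrived; call back only while a transfer is bound. */
static void transfer_complete(void)
{
    char buf[512];
    if (transfer.opaque != NULL)
        transfer.cb(buf, 1, sizeof buf, transfer.opaque);
}

/* Detach the transfer from its owner; the fix is to do this before freeing. */
static void transfer_cancel(CURLAIOCB *acb)
{
    if (transfer.opaque == acb)
        transfer.opaque = NULL;
}

/* Buggy ordering: acb freed while the transfer still points at it. Returns 1
 * if the callback read poison where the list link used to be. */
int run_use_after_free(void)
{
    unsigned char poison[sizeof(void *)];
    CURLAIOCB *acb = acb_alloc(0);
    memset(poison, POISON_BYTE, sizeof poison);
    transfer_start(acb);
    acb_free(acb);        /* owner released, transfer never detached */
    transfer_complete();  /* callback dereferences freed memory */
    return memcmp(transfer.observed_next, poison, sizeof poison) == 0;
}

/* Fixed ordering: cancel first, then free. Returns 1 if the callback fired. */
int run_fixed(void)
{
    CURLAIOCB *acb = acb_alloc(0);
    transfer_start(acb);
    transfer_cancel(acb);
    acb_free(acb);
    transfer_complete();
    return transfer.fired;
}

int main(void)
{
    printf("buggy ordering: callback saw poisoned link = %d\n", run_use_after_free());
    printf("fixed ordering: callback fired = %d\n", run_fixed());
    return 0;
}
```

The check this reproduces is the one made in the message: print the pointer the callback was handed and see whether its bytes form a repeating pattern instead of a plausible heap address. The page does not say what filled the memory in the real crash, so reading 0x7575757575757575 as a freed object is an inference; the remedy shown (detach or cancel the callback's binding before releasing the object it points at) is the general pattern for this class of bug, not the specific change made later in the thread.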

Thread overview: 16+ messages
2013-05-20  7:03 [Qemu-devel] [PATCH v3 00/10] curl: fix curl read Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 01/10] curl: introduce CURLSockInfo to BDRVCURLState Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 02/10] curl: change magic number to sizeof Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 03/10] curl: change curl_multi_do to curl_fd_handler Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 04/10] curl: fix curl_open Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 05/10] curl: add timer to BDRVCURLState Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 06/10] curl: introduce CURLDataCache Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 07/10] curl: make use of CURLDataCache Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 08/10] curl: use list to store CURLState Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 09/10] curl: add cache quota Fam Zheng
2013-05-20  7:03 ` [Qemu-devel] [PATCH v3 10/10] curl: introduce ssl_no_cert runtime option Fam Zheng
2013-05-20  8:41 ` [Qemu-devel] [PATCH v3 00/10] curl: fix curl read Richard W.M. Jones
2013-05-20  8:49   ` Richard W.M. Jones
2013-05-21  1:54     ` Fam Zheng
2013-05-21  7:39       ` Richard W.M. Jones [this message]
2013-05-22  2:52         ` Fam Zheng
