[Qemu-devel] simple qmp core dump

[Qemu-devel] simple qmp core dump

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 907 bytes --]

Just noticed this core dump (I was actually trying to exceed the 1024
hard-baked limit in qmp-input-visitor.c which tries to set an Error
object, but it looks like that limit was unreachable due to this earlier
assertion):

$ printf '{"execute":"qmp_capabilities","id":%1025s' " " | tr ' ' { |
    ./x86_64-softmmu/qemu-system-x86_64 -nodefaults -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2},
"package": ""}, "capabilities": []}}
main-loop: WARNING: I/O thread spun for 1000 iterations
**
ERROR:qobject/json-parser.c:294:parser_context_peek_token: assertion
failed: (ctxt->tokens.pos < ctxt->tokens.count)
Aborted (core dumped)

I don't know the best way to deal with a client that abuses QMP
protocol, but it would at least be nice to not abort.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

Re: [Qemu-devel] simple qmp core dump

[Markus Armbruster]

Eric Blake <eblake@redhat.com> writes:

> Just noticed this core dump (I was actually trying to exceed the 1024
> hard-baked limit in qmp-input-visitor.c which tries to set an Error
> object, but it looks like that limit was unreachable due to this earlier
> assertion):
>
> $ printf '{"execute":"qmp_capabilities","id":%1025s' " " | tr ' ' { |
>     ./x86_64-softmmu/qemu-system-x86_64 -nodefaults -qmp stdio
> {"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2},
> "package": ""}, "capabilities": []}}
> main-loop: WARNING: I/O thread spun for 1000 iterations
> **
> ERROR:qobject/json-parser.c:294:parser_context_peek_token: assertion
> failed: (ctxt->tokens.pos < ctxt->tokens.count)
> Aborted (core dumped)
>
> I don't know the best way to deal with a client that abuses QMP
> protocol, but it would at least be nice to not abort.

Handwritten parser crashes, surprise, surprise.

1023 works, 1024 crashes.  Need to dig to find out why.

Re: [Qemu-devel] simple qmp core dump

[Markus Armbruster]

Markus Armbruster <armbru@redhat.com> writes:

> Eric Blake <eblake@redhat.com> writes:
>
>> Just noticed this core dump (I was actually trying to exceed the 1024
>> hard-baked limit in qmp-input-visitor.c which tries to set an Error
>> object, but it looks like that limit was unreachable due to this earlier
>> assertion):
>>
>> $ printf '{"execute":"qmp_capabilities","id":%1025s' " " | tr ' ' { |
>>     ./x86_64-softmmu/qemu-system-x86_64 -nodefaults -qmp stdio
>> {"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2},
>> "package": ""}, "capabilities": []}}
>> main-loop: WARNING: I/O thread spun for 1000 iterations
>> **
>> ERROR:qobject/json-parser.c:294:parser_context_peek_token: assertion
>> failed: (ctxt->tokens.pos < ctxt->tokens.count)
>> Aborted (core dumped)
>>
>> I don't know the best way to deal with a client that abuses QMP
>> protocol, but it would at least be nice to not abort.
>
> Handwritten parser crashes, surprise, surprise.
>
> 1023 works, 1024 crashes.  Need to dig to find out why.

Regressed in commit 65c0f1e "json-parser: don't replicate tokens at each
level of recursion", v1.2.0.  Until then, we got a clean "{"error":
{"class": "GenericError", "desc": "Invalid JSON syntax"}}".