From: Fam Zheng <famz@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: kwolf@redhat.com, jcody@redhat.com, qemu-devel@nongnu.org,
stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 00/10] curl: fix curl read
Date: Wed, 22 May 2013 10:52:53 +0800
Message-ID: <20130522025253.GA13837@localhost.nay.redhat.com>
In-Reply-To: <20130521073925.GL4515@redhat.com>
On Tue, 05/21 08:39, Richard W.M. Jones wrote:
> On Tue, May 21, 2013 at 09:54:15AM +0800, Fam Zheng wrote:
> > On Mon, 05/20 09:49, Richard W.M. Jones wrote:
> > > On Mon, May 20, 2013 at 09:41:06AM +0100, Richard W.M. Jones wrote:
> > > > On Mon, May 20, 2013 at 03:03:34PM +0800, Fam Zheng wrote:
> > > > > CURL library API has changed, the current curl driver is not working.
> > > > > This patch rewrites the use of API as well as the structure of internal
> > > > > states.
> > > >
> > > > I tried this, but it segfaults:
> > > >
> > > > Program terminated with signal 11, Segmentation fault.
> > >
> > > That stack trace was wrong. I was testing against the version of
> > > libcurl in Fedora which is known to be broken.
> > >
> > > Here is the stack trace, this time really running against
> > > curl-7_30_0-147-gae26ee3:
> > >
> > > Program terminated with signal 11, Segmentation fault.
> > > #0 curl_read_cb (ptr=<optimized out>, size=<optimized out>,
> > > nmemb=<optimized out>, opaque=0x7f63d48ba340) at block/curl.c:240
> > > 240 size_t aio_base = acb->sector_num * SECTOR_SIZE;
> >
> > Looks like memory corruption (QLIST head is an invalid pointer). But I can't
> > reproduce here with your steps. Can you try qemu-io?
> >
> > $ LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io http://192.168.0.249/scratch/winxp.img -c 'read 0 512'
>
> This command is successful:
>
> $ LD_LIBRARY_PATH=~/d/curl/lib/.libs ~/d/qemu/qemu-io http://192.168.0.249/scratch/winxp.img -c 'read 0 512'
> read 512/512 bytes at offset 0
> 512 bytes, 1 ops; 0.0000 sec (32.552 MiB/sec and 66666.6667 ops/sec)
> $ echo $?
> 0
>
> Here's another go with guestfish:
>
> $ ulimit -c unlimited
> $ LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 LIBGUESTFS_BACKEND=direct LIBGUESTFS_QEMU=~/d/qemu/qemu.wrapper LD_LIBRARY_PATH=~/d/curl/lib/.libs PATH=~/d/qemu:$PATH ./run ./fish/guestfish -a http://192.168.0.249/scratch/winxp.img -i
> [...]
> [00159ms] /home/rjones/d/qemu/qemu.wrapper \
> -global virtio-blk-pci.scsi=off \
> -nodefconfig \
> -nodefaults \
> -nographic \
> -device virtio-scsi-pci,id=scsi \
> -drive file=http://192.168.0.249/scratch/winxp.img,id=hd0,if=none \
> -device scsi-hd,drive=hd0 \
> -drive file=/home/rjones/d/libguestfs/tmp/.guestfs-1000/root.15535,snapshot=on,id=appliance,if=none,cache=unsafe \
> -device scsi-hd,drive=appliance \
> -machine accel=kvm:tcg \
> -m 500 \
> -no-reboot \
> -no-hpet \
> -device virtio-serial \
> -serial stdio \
> -device sga \
> -chardev socket,path=/home/rjones/d/libguestfs/tmp/libguestfsk9fu9P/guestfsd.sock,id=channel0 \
> -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
> -kernel /home/rjones/d/libguestfs/tmp/.guestfs-1000/kernel.15535 \
> -initrd /home/rjones/d/libguestfs/tmp/.guestfs-1000/initrd.15535 \
> -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color'
> libguestfs: error: appliance closed the connection unexpectedly, see earlier error messages
> libguestfs: child_cleanup: 0x1db0090: child process died
> libguestfs: sending SIGTERM to process 15600
> libguestfs: error: /home/rjones/d/qemu/qemu.wrapper killed by signal 11 (Segmentation fault), see debug messages above
> libguestfs: error: guestfs_launch failed, see earlier error messages
> libguestfs: trace: launch = -1 (error)
> [...]
>
> $ file /tmp/core.15600
> /tmp/core.15600: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 -L /home/rjones/d/qemu/pc'
>
> $ gdb /home/rjones/d/qemu/x86_64-softmmu/qemu-system-x86_64 /tmp/core.15600
>
> [stack trace is the same as before]
>
> #0 curl_read_cb (ptr=<optimized out>, size=<optimized out>,
> nmemb=<optimized out>, opaque=0x7f4d3c769360) at block/curl.c:240
> 240 size_t aio_base = acb->sector_num * SECTOR_SIZE;
> (gdb) print acb
> $1 = (CURLAIOCB *) 0x7575757575757575
>
> Looks like use-after-free?
Yes, thank you a lot. Will post another version to fix this.
--
Fam
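An added illustration of the failure mode diagnosed in this thread (example code, not part of the patch series or of either participant's message): a simplified stand-in for CURLAIOCB and curl_read_cb in which a request is unlinked from the live list and poisoned with 0x75 before it is released, and the write callback refuses to touch an opaque pointer that is no longer on that list. The names Acb, acb_start, acb_release and acb_is_live, the caller-owned storage and the poison-before-release scheme are assumptions of this example, not QEMU's code.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for QEMU's CURLAIOCB: one in-flight read request,
 * passed to libcurl as the opaque pointer of its write callback. */
typedef struct Acb {
    int64_t sector_num;
    struct Acb *next;       /* link in the list of live requests */
} Acb;

#define SECTOR_SIZE 512
#define FREED_POISON 0x75   /* byte pattern filling acb in the thread's core dump */

static Acb *live;           /* list head: the only source of truth for "in flight" */

/* Register a request (storage is owned by the caller in this example). */
static void acb_start(Acb *acb, int64_t sector_num)
{
    acb->sector_num = sector_num;
    acb->next = live;
    live = acb;
}

/* Complete or cancel a request: unlink first, then poison, so a stale opaque
 * pointer reads as an obviously bad value (0x7575...) instead of stale data. */
static void acb_release(Acb *acb)
{
    for (Acb **pp = &live; *pp; pp = &(*pp)->next)
        if (*pp == acb) { *pp = acb->next; break; }
    memset(acb, FREED_POISON, sizeof *acb);
}

static int acb_is_live(const Acb *acb)
{
    for (const Acb *it = live; it; it = it->next)
        if (it == acb) return 1;
    return 0;
}

/* libcurl-style write callback. Returning 0 makes libcurl abort the transfer,
 * the safe outcome when the request behind 'opaque' no longer exists. */
static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
{
    Acb *acb = opaque;
    if (!acb_is_live(acb)) return 0;    /* stale request: never dereference it */
    size_t aio_base = acb->sector_num * SECTOR_SIZE;
    (void)ptr; (void)aio_base;          /* the data copy is omitted here */
    return size * nmemb;
}
```

With the membership check removed, the poisoned request would read sector_num as 0x7575757575757575, which is exactly what the gdb session above shows for acb.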