[Qemu-devel] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Qemu-devel] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Richard W.M. Jones]

v3:
Same as v2 but set the return value to -EIO.

[Qemu-devel] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Richard W.M. Jones]

On some (but not all) systems:

  $ qemu-img create -f qcow2 overlay -b ssh://xen/
  Segmentation fault

It turns out this happens when inet_connect returns -1 in the
following code, but errno == 0.

  s->sock = inet_connect(s->hostport, errp);
  if (s->sock < 0) {
      ret = -errno;
      goto err;
  }

In the test case above, no host called "xen" exists, so getaddrinfo fails.

On Fedora 22, getaddrinfo happens to set errno = ENOENT (although it
is *not* documented to do that), so it doesn't segfault.

On RHEL 7, errno is not set by the failing getaddrinfo, so ret =
-errno = 0, so the caller doesn't know there was an error and
continues with a half-initialized BDRVSSHState struct, and everything
goes south from there, eventually resulting in a segfault.

Fix this by setting ret to -EIO (same as block/nbd.c and
block/sheepdog.c).  The real error is saved in the Error** errp
struct, so it is printed correctly:

  $ ./qemu-img create -f qcow2 overlay -b ssh://xen/
  qemu-img: overlay: address resolution failed for xen:22: No address associated with hostname

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reported-by: Jun Li
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1147343
---
 block/ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/ssh.c b/block/ssh.c
index aebb18c..8d06739 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -563,7 +563,7 @@ static int connect_to_ssh(BDRVSSHState *s, QDict *options,
     /* Open the socket and connect. */
     s->sock = inet_connect(s->hostport, errp);
     if (s->sock < 0) {
-        ret = -errno;
+        ret = -EIO;
         goto err;
     }
 
-- 
2.4.3

Re: [Qemu-devel] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Jeff Cody]

On Wed, Jul 22, 2015 at 02:27:47PM +0100, Richard W.M. Jones wrote:
> On some (but not all) systems:
> 
>   $ qemu-img create -f qcow2 overlay -b ssh://xen/
>   Segmentation fault
> 
> It turns out this happens when inet_connect returns -1 in the
> following code, but errno == 0.
> 
>   s->sock = inet_connect(s->hostport, errp);
>   if (s->sock < 0) {
>       ret = -errno;
>       goto err;
>   }
> 
> In the test case above, no host called "xen" exists, so getaddrinfo fails.
> 
> On Fedora 22, getaddrinfo happens to set errno = ENOENT (although it
> is *not* documented to do that), so it doesn't segfault.
> 
> On RHEL 7, errno is not set by the failing getaddrinfo, so ret =
> -errno = 0, so the caller doesn't know there was an error and
> continues with a half-initialized BDRVSSHState struct, and everything
> goes south from there, eventually resulting in a segfault.
> 
> Fix this by setting ret to -EIO (same as block/nbd.c and
> block/sheepdog.c).  The real error is saved in the Error** errp
> struct, so it is printed correctly:
> 
>   $ ./qemu-img create -f qcow2 overlay -b ssh://xen/
>   qemu-img: overlay: address resolution failed for xen:22: No address associated with hostname
> 
> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> Reported-by: Jun Li
> BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1147343
> ---
>  block/ssh.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/ssh.c b/block/ssh.c
> index aebb18c..8d06739 100644
> --- a/block/ssh.c
> +++ b/block/ssh.c
> @@ -563,7 +563,7 @@ static int connect_to_ssh(BDRVSSHState *s, QDict *options,
>      /* Open the socket and connect. */
>      s->sock = inet_connect(s->hostport, errp);
>      if (s->sock < 0) {
> -        ret = -errno;
> +        ret = -EIO;
>          goto err;
>      }
>  
> -- 
> 2.4.3
>

Reviewed-by: Jeff Cody <jcody@redhat.com>

Re: [Qemu-devel] [Qemu-block] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 495 bytes --]

On Wed, Jul 22, 2015 at 09:56:41AM -0400, Jeff Cody wrote:
> On Wed, Jul 22, 2015 at 02:27:47PM +0100, Richard W.M. Jones wrote:
> Reviewed-by: Jeff Cody <jcody@redhat.com>

Jeff: Are you taking this through your tree like gluster, rbd, sheepdog,
etc?

$ scripts/get_maintainer.pl -f block/ssh.c
"Richard W.M. Jones" <rjones@redhat.com> (supporter:SSH)
Jeff Cody <jcody@redhat.com> (supporter:SSH)
Kevin Wolf <kwolf@redhat.com> (supporter:Block layer core)
qemu-block@nongnu.org (open list:SSH)

[-- Attachment #2: Type: application/pgp-signature, Size: 473 bytes --]

Re: [Qemu-devel] [Qemu-block] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Jeff Cody]

On Fri, Jul 24, 2015 at 04:08:57PM +0100, Stefan Hajnoczi wrote:
> On Wed, Jul 22, 2015 at 09:56:41AM -0400, Jeff Cody wrote:
> > On Wed, Jul 22, 2015 at 02:27:47PM +0100, Richard W.M. Jones wrote:
> > Reviewed-by: Jeff Cody <jcody@redhat.com>
> 
> Jeff: Are you taking this through your tree like gluster, rbd, sheepdog,
> etc?
> 
> $ scripts/get_maintainer.pl -f block/ssh.c
> "Richard W.M. Jones" <rjones@redhat.com> (supporter:SSH)
> Jeff Cody <jcody@redhat.com> (supporter:SSH)
> Kevin Wolf <kwolf@redhat.com> (supporter:Block layer core)
> qemu-block@nongnu.org (open list:SSH)

Yes, I am.

Thanks,
Jeff

Re: [Qemu-devel] [PATCH v3] block/ssh: Avoid segfault if inet_connect doesn't set errno.

[Jeff Cody]

On Wed, Jul 22, 2015 at 02:27:46PM +0100, Richard W.M. Jones wrote:
> v3:
> Same as v2 but set the return value to -EIO.
>

Thanks, applied to my block tree:

https://github.com/codyprime/qemu-kvm-jtc/tree/block

Thanks,
Jeff