[Bug 1916501] Re: qemu-img convert segfaults with specific URL

From: Max Reitz
Subject: [Bug 1916501] Re: qemu-img convert segfaults with specific URL
Date: Tue, 23 Feb 2021 15:47:02 -0000

I can reproduce this, and I can reproduce it back to 5.0 (haven’t tried
any release before that).  I couldn’t find a definite reason for why it
breaks (curl_clean_state() is called because curl reports CURLMSG_DONE,
freeing a socket, but then curl_multi_do() is called again for that
socket, resulting in a use-after-free – but I don’t know why
curl_multi_do() is invoked after CURLMSG_DONE).

Because I remembered a similar situation where the curl driver suddenly
failed (and then failed for every qemu release until that point), and
where it turned out a change in libcurl broke our driver, I tried
bisecting libcurl, but it turned out that when I build it myself and use
it via LD_PRELOAD, I don’t get a crash.  I’ve tried building it with
different options and in different versions, but consistently I see that
using the system libcurl results in a crash, and using one I built
myself does not.  (Tested on Fedora and Arch.)

That isn’t to say the bug isn’t in our curl driver, but to find out
where it is exactly, it seems necessary to find out what the difference
between the system libcurl and the one I built is...  So far, I have no
idea. :/

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  qemu-img convert segfaults with specific URL

Status in QEMU:

Bug description:
  Using what is currently the latest git: (commit
  00d8ba9e0d62ea1c7459c25aeabf9c8bb7659462, Date:   Sun Feb 21 19:52:58
  2021 +0000)

  $ ./build/qemu-img convert -f qcow2 -O raw https://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img out.img
  Segmentation fault (core dumped)

  Backtrace for convenience:
  qemu: qemu_mutex_lock_impl: Invalid argument

  Thread 1 "qemu-img" received signal SIGABRT, Aborted.
  0x00007ffff77c59d5 in raise () from /lib64/libc.so.6
  (gdb) bt
  #0  0x00007ffff77c59d5 in raise () from /lib64/libc.so.6
  #1  0x00007ffff77ae8a4 in abort () from /lib64/libc.so.6
  #2  0x00005555556705b2 in error_exit (err=<optimized out>, msg=msg@entry=0x5555556b69a0 <__func__.31> "qemu_mutex_lock_impl") at 
  #3  0x0000555555670945 in qemu_mutex_lock_impl (mutex=0x555555ae3758, file=0x5555556827a2 "../block/curl.c", line=406) at 
  #4  0x000055555559a05b in curl_multi_do (arg=0x555555aad2a0) at 
  #5  0x000055555566193a in aio_dispatch_handler (ctx=ctx@entry=0x555555737790, node=0x555555b14150) at ../util/aio-posix.c:329
  #6  0x0000555555662072 in aio_dispatch_handlers (ctx=0x555555737790) at 
  #7  aio_dispatch (ctx=0x555555737790) at ../util/aio-posix.c:382
  #8  0x000055555564442e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../util/async.c:306
  #9  0x00007ffff7cfda9f in g_main_context_dispatch () from 
  #10 0x000055555566f2c8 in glib_pollfds_poll () at ../util/main-loop.c:232
  #11 os_host_main_loop_wait (timeout=4397000000) at ../util/main-loop.c:255
  #12 main_loop_wait (nonblocking=nonblocking@entry=0) at 
  #13 0x0000555555581edd in convert_do_copy (s=0x7fffffffd3a0) at 
  #14 img_convert (argc=<optimized out>, argv=<optimized out>) at 
  #15 0x00005555555783b1 in main (argc=7, argv=<optimized out>) at 
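The failure sequence described in the report above (per-socket state released when the library reports DONE, then the socket's handler dispatched once more) is the general pattern of freeing per-fd state while the event loop still holds a handler for it. The toy model below is an added example, not code from QEMU's block/curl.c or from libcurl; every name in it (SockState, fd_register, on_transfer_done_*, dispatch_all) is hypothetical. The released state is modelled with an `alive` flag rather than a real free() so that the demonstration itself never executes a use-after-free, while still counting the dispatches that would have touched freed memory in a real loop.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical names, not QEMU's block/curl.c): a minimal
 * fd-handler table and dispatch loop, a per-socket state, and two orderings
 * of the completion path.  "Freeing" is modelled by clearing `alive` so the
 * demo never dereferences released memory; a real driver would. */

#define MAX_FDS 8

typedef struct SockState {
    int fd;
    int alive;   /* 0 once the completion handler has released the state */
    int reads;   /* how often the readable handler ran on live state */
} SockState;

typedef struct FdHandler {
    int registered;
    int fd;
    void (*cb)(void *opaque);
    void *opaque;
} FdHandler;

static FdHandler handlers[MAX_FDS];
static int dangling_dispatches;   /* dispatches that reached released state */

static void fd_register(int fd, void (*cb)(void *), void *opaque)
{
    handlers[fd].registered = 1;
    handlers[fd].fd = fd;
    handlers[fd].cb = cb;
    handlers[fd].opaque = opaque;
}

static void fd_unregister(int fd)
{
    memset(&handlers[fd], 0, sizeof(handlers[fd]));
}

/* Handler the loop invokes when the socket becomes readable. */
static void sock_readable(void *opaque)
{
    SockState *s = opaque;
    if (!s->alive) {
        dangling_dispatches++;   /* real code would touch freed memory here */
        return;
    }
    s->reads++;
}

/* Buggy order: release the state while its fd handler is still registered,
 * so a late wakeup for the fd reaches the released state. */
static void on_transfer_done_buggy(SockState *s)
{
    s->alive = 0;
}

/* Safe order: detach the fd from the loop first, then release the state. */
static void on_transfer_done_fixed(SockState *s)
{
    fd_unregister(s->fd);
    s->alive = 0;
}

/* One pass over every registered fd, as an AIO loop does after poll(). */
static void dispatch_all(void)
{
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (handlers[fd].registered) {
            handlers[fd].cb(handlers[fd].opaque);
        }
    }
}

/* Scenario: one normal readable event, the transfer completes, then the fd
 * fires once more.  Returns the number of dispatches that reached released
 * state: 1 for the buggy order, 0 for the fixed one. */
int run_scenario(int use_fix)
{
    SockState s = { .fd = 3, .alive = 1, .reads = 0 };
    memset(handlers, 0, sizeof(handlers));
    dangling_dispatches = 0;

    fd_register(s.fd, sock_readable, &s);
    dispatch_all();                       /* normal read on live state */
    if (use_fix) {
        on_transfer_done_fixed(&s);
    } else {
        on_transfer_done_buggy(&s);
    }
    dispatch_all();                       /* late wakeup after completion */
    fd_unregister(s.fd);                  /* tidy up for the next run */
    return dangling_dispatches;
}

int main(void)
{
    printf("buggy order: %d dangling dispatch(es)\n", run_scenario(0));
    printf("fixed order: %d dangling dispatch(es)\n", run_scenario(1));
    return 0;
}
```

The point of the model is the ordering in the completion path: whatever owns the socket must be removed from the event loop before the memory behind it goes away, because the loop may still deliver a pending event for that fd. Building the real driver with AddressSanitizer, or a flag-based check like the one above, turns the silent use-after-free into a reported one instead of the EINVAL abort in qemu_mutex_lock_impl seen in the backtrace.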
