[Qemu-devel] Spice bug with qemu_name

[Qemu-devel] Spice bug with qemu_name

[Lee Essen]

Hi,

I think I've found a bug with the way that spice uses qemu_name. 

qemu_name is a char *, that's only set to if "-name" is given (and then the arg is strdup'd), otherwise it's not set properly.

In ui/spice_core.c spice_server_set_name() is called with qemu_name, which if not set causes a core dump.

-----------------  lwp# 1 / thread# 1  --------------------
 fffffd7fff168090 strlen () + 30
 fffffd7ffa6b5d7e spice_server_set_name () + 2b
 000000000068fab1 qemu_spice_init () + 753
 000000000062a58f main () + 2a31
 0000000000519c5c _start () + 6c
-----------------  lwp# 2 / thread# 2  --------------------
 fffffd7fff1f9b2a __sigtimedwait () + a
 fffffd7fff1e626d sigwait () + d
 fffffd7fff1d1b31 __posix_sigwait () + 31
 000000000057572c sigwait_compat () + 68
 fffffd7fff1f39a3 _thrp_setup () + 83
 fffffd7fff1f3ca0 _lwp_start ()

There's a similar situation with qemu_uuid, however because it's not a pointer I'm assuming you end up with all zero's, which is probably ok behaviour.

I haven't provided a patch since I don't really know which way you want to fix this ... either provide a sensible default if it's not set, or default to NULL and check it in the spice code.

Regards,

Lee.

Re: [Qemu-devel] Spice bug with qemu_name

[Alon Levy]

On Fri, Mar 23, 2012 at 08:10:36AM +0000, Lee Essen wrote:
> Hi,
> 
> I think I've found a bug with the way that spice uses qemu_name. 
> 
> qemu_name is a char *, that's only set to if "-name" is given (and then the arg is strdup'd), otherwise it's not set properly.
> 
> In ui/spice_core.c spice_server_set_name() is called with qemu_name, which if not set causes a core dump.
> 
> -----------------  lwp# 1 / thread# 1  --------------------

What's lwp?

>  fffffd7fff168090 strlen () + 30
>  fffffd7ffa6b5d7e spice_server_set_name () + 2b
>  000000000068fab1 qemu_spice_init () + 753
>  000000000062a58f main () + 2a31
>  0000000000519c5c _start () + 6c
> -----------------  lwp# 2 / thread# 2  --------------------
>  fffffd7fff1f9b2a __sigtimedwait () + a
>  fffffd7fff1e626d sigwait () + d
>  fffffd7fff1d1b31 __posix_sigwait () + 31
>  000000000057572c sigwait_compat () + 68
>  fffffd7fff1f39a3 _thrp_setup () + 83
>  fffffd7fff1f3ca0 _lwp_start ()
> 
> There's a similar situation with qemu_uuid, however because it's not a pointer I'm assuming you end up with all zero's, which is probably ok behaviour.
> 
> I haven't provided a patch since I don't really know which way you want to fix this ... either provide a sensible default if it's not set, or default to NULL and check it in the spice code.
> 
> Regards,
> 
> Lee.
> 
> 

Re: [Qemu-devel] Spice bug with qemu_name

[Lee Essen]

On 23 Mar 2012, at 10:18, Alon Levy wrote:

> On Fri, Mar 23, 2012 at 08:10:36AM +0000, Lee Essen wrote:
>> Hi,
>> 
>> I think I've found a bug with the way that spice uses qemu_name. 
>> 
>> qemu_name is a char *, that's only set to if "-name" is given (and then the arg is strdup'd), otherwise it's not set properly.
>> 
>> In ui/spice_core.c spice_server_set_name() is called with qemu_name, which if not set causes a core dump.
>> 
>> -----------------  lwp# 1 / thread# 1  --------------------
> 
> What's lwp?

This is on Illumos (Solaris) and it implements threads on top of lightweight processes or lwp's.

http://en.wikipedia.org/wiki/Light-weight_process

Regards,

Lee.

Re: [Qemu-devel] Spice bug with qemu_name

[Marc-André Lureau]

On Fri, Mar 23, 2012 at 9:10 AM, Lee Essen <lee.essen@nowonline.co.uk> wrote:
> In ui/spice_core.c spice_server_set_name() is called with qemu_name, which if not set causes a core dump.

I forgot strdup didn't like NULL values, and I forgot to push the
patches fixing this in spice. I've now pushed it. Since it's not
officially release, I don't think we should work around it in qemu.

cheers

-- 
Marc-André Lureau