|
Pablo Greco |
40546a |
From ad3f8f1d128f726d1504079ec34b68f6db297d3a Mon Sep 17 00:00:00 2001
|
|
Pablo Greco |
40546a |
Message-Id: <ad3f8f1d128f726d1504079ec34b68f6db297d3a@dist-git>
|
|
Pablo Greco |
40546a |
From: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
Pablo Greco |
40546a |
Date: Wed, 10 Jul 2019 11:49:45 +0200
|
|
Pablo Greco |
40546a |
Subject: [PATCH] virDomainObjListAddLocked: fix double free
|
|
Pablo Greco |
40546a |
MIME-Version: 1.0
|
|
Pablo Greco |
40546a |
Content-Type: text/plain; charset=UTF-8
|
|
Pablo Greco |
40546a |
Content-Transfer-Encoding: 8bit
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
If @vm has flagged as "to be removed" virDomainObjListFindByNameLocked
|
|
Pablo Greco |
40546a |
returns NULL (although the definition actually exists). Therefore, the
|
|
Pablo Greco |
40546a |
possibility exits that "virHashAddEntry" will raise the error
|
|
Pablo Greco |
40546a |
"Duplicate key" => virDomainObjListAddObjLocked fails =>
|
|
Pablo Greco |
40546a |
virDomainObjEndAPI(&vm) is called and this leads to a freeing of @def
|
|
Pablo Greco |
40546a |
since @def is already assigned to vm->def. But actually this leads to
|
|
Pablo Greco |
40546a |
a double free since the common usage pattern is that the caller of
|
|
Pablo Greco |
40546a |
virDomainObjListAdd(Locked) is responsible for freeing @def in case of
|
|
Pablo Greco |
40546a |
an error.
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
Let's fix this by setting vm->def to NULL in case of an error.
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
Backtrace:
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
➤ bt
|
|
Pablo Greco |
40546a |
#0 virFree (ptrptr=0x7575757575757575)
|
|
Pablo Greco |
40546a |
#1 0x000003ffb5b25b3e in virDomainResourceDefFree
|
|
Pablo Greco |
40546a |
#2 0x000003ffb5b37c34 in virDomainDefFree
|
|
Pablo Greco |
40546a |
#3 0x000003ff9123f734 in qemuDomainDefineXMLFlags
|
|
Pablo Greco |
40546a |
#4 0x000003ff9123f7f4 in qemuDomainDefineXML
|
|
Pablo Greco |
40546a |
#5 0x000003ffb5cd2c84 in virDomainDefineXML
|
|
Pablo Greco |
40546a |
#6 0x000000011745aa82 in remoteDispatchDomainDefineXML
|
|
Pablo Greco |
40546a |
...
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
|
|
Pablo Greco |
40546a |
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
Pablo Greco |
40546a |
(cherry picked from commit 7e760f61577e6c4adbb0b015f8f7ac1796570cdd)
|
|
Pablo Greco |
40546a |
Signed-off-by: Ján Tomko <jtomko@redhat.com>
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1728530
|
|
Pablo Greco |
40546a |
Message-Id: <b651c347f5775c8298347ef8602d0205fab9c3e7.1562752178.git.jtomko@redhat.com>
|
|
Pablo Greco |
40546a |
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
|
|
Pablo Greco |
40546a |
---
|
|
Pablo Greco |
40546a |
src/conf/virdomainobjlist.c | 4 +++-
|
|
Pablo Greco |
40546a |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
diff --git a/src/conf/virdomainobjlist.c b/src/conf/virdomainobjlist.c
|
|
Pablo Greco |
40546a |
index 72064d7c66..e7c3e326ca 100644
|
|
Pablo Greco |
40546a |
--- a/src/conf/virdomainobjlist.c
|
|
Pablo Greco |
40546a |
+++ b/src/conf/virdomainobjlist.c
|
|
Pablo Greco |
40546a |
@@ -329,8 +329,10 @@ virDomainObjListAddLocked(virDomainObjListPtr doms,
|
|
Pablo Greco |
40546a |
goto cleanup;
|
|
Pablo Greco |
40546a |
vm->def = def;
|
|
Pablo Greco |
40546a |
|
|
Pablo Greco |
40546a |
- if (virDomainObjListAddObjLocked(doms, vm) < 0)
|
|
Pablo Greco |
40546a |
+ if (virDomainObjListAddObjLocked(doms, vm) < 0) {
|
|
Pablo Greco |
40546a |
+ vm->def = NULL;
|
|
Pablo Greco |
40546a |
goto error;
|
|
Pablo Greco |
40546a |
+ }
|
|
Pablo Greco |
40546a |
}
|
|
Pablo Greco |
40546a |
cleanup:
|
|
Pablo Greco |
40546a |
return vm;
|
|
Pablo Greco |
40546a |
--
|
|
Pablo Greco |
40546a |
2.22.0
|
|
Pablo Greco |
40546a |
|