From ad3f8f1d128f726d1504079ec34b68f6db297d3a Mon Sep 17 00:00:00 2001
Message-Id:
From: Marc Hartmayer
Date: Wed, 10 Jul 2019 11:49:45 +0200
Subject: [PATCH] virDomainObjListAddLocked: fix double free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If @vm has been flagged as "to be removed" virDomainObjListFindByNameLocked
returns NULL (although the definition actually exists). Therefore, the
possibility exists that "virHashAddEntry" will raise the error "Duplicate
key" => virDomainObjListAddObjLocked fails => virDomainObjEndAPI(&vm) is
called and this leads to a freeing of @def since @def is already assigned
to vm->def. But actually this leads to a double free since the common usage
pattern is that the caller of virDomainObjListAdd(Locked) is responsible
for freeing @def in case of an error. Let's fix this by setting vm->def to
NULL in case of an error.

Backtrace:
➤ bt
#0 virFree (ptrptr=0x7575757575757575)
#1 0x000003ffb5b25b3e in virDomainResourceDefFree
#2 0x000003ffb5b37c34 in virDomainDefFree
#3 0x000003ff9123f734 in qemuDomainDefineXMLFlags
#4 0x000003ff9123f7f4 in qemuDomainDefineXML
#5 0x000003ffb5cd2c84 in virDomainDefineXML
#6 0x000000011745aa82 in remoteDispatchDomainDefineXML
...

Reviewed-by: Bjoern Walk
Signed-off-by: Marc Hartmayer
(cherry picked from commit 7e760f61577e6c4adbb0b015f8f7ac1796570cdd)
Signed-off-by: Ján Tomko

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1728530
Message-Id:
Reviewed-by: Andrea Bolognani
---
 src/conf/virdomainobjlist.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/conf/virdomainobjlist.c b/src/conf/virdomainobjlist.c
index 72064d7c66..e7c3e326ca 100644
--- a/src/conf/virdomainobjlist.c
+++ b/src/conf/virdomainobjlist.c
@@ -329,8 +329,10 @@ virDomainObjListAddLocked(virDomainObjListPtr doms, goto cleanup; vm->def = def; - if (virDomainObjListAddObjLocked(doms, vm) < 0) + if (virDomainObjListAddObjLocked(doms, vm) < 0) { + vm->def = NULL; goto error; + } } cleanup: return vm; -- 2.22.0
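Review bot: the new `vm->def = NULL;` before `goto error` is correct only because of an ownership rule that lives in the commit message rather than in the code (the caller of virDomainObjListAdd(Locked) frees @def when the call fails), so a one-line comment above the reset, something like `/* caller owns @def on failure; do not let virDomainObjEndAPI free it */`, would stop a later cleanup from dropping it as an apparent no-op. The `error:` label is outside the hunk, so it is worth confirming in review that it is the only exit that reaches virDomainObjEndAPI(&vm) after `vm->def = def;` has run; any other early exit placed between the assignment and this check would need the same reset. Adding the braces around the now two-statement `if` body is consistent with the surrounding style.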