From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH v2] virdomainjob: virDomainObjInitJob: Avoid borrowing memory from 'virDomainXMLOption'
Date: Tue, 20 Sep 2022 11:04:39 +0200
Message-Id: <0e936d04782600d17bcd91f9292870441d9e8d66.1663664641.git.pkrempa@redhat.com>

The 'cb' and 'jobDataPrivateCb' pointers are stored in the job object but made to point to the memory owned by the virDomainXMLOption struct in the callers.

Since the 'virdomainjob' module isn't in control of the lifetime of the virDomainXMLOption, which in some cases is freed before the domain job data, freed memory would be dereferenced in some cases.

Copy the structs from virDomainXMLOption to ensure the lifetime. This is possible since the callback functions are immutable.

Fixes: 84e9fd068ccad6e19e037cd6680df437617e2de5
Signed-off-by: Peter Krempa
Reviewed-by: Martin Kletzander
---
v2:
 - copy both pointers
 - don't bother with creating copy functions, use g_memdup

 src/conf/virdomainjob.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/conf/virdomainjob.c b/src/conf/virdomainjob.c index 7915faa125..aca801af38 100644 --- a/src/conf/virdomainjob.c +++ b/src/conf/virdomainjob.c
@@ -128,8 +128,8 @@ virDomainObjInitJob(virDomainJobObj *job, virDomainJobDataPrivateDataCallbacks *jobDataPrivateCb) { memset(job, 0, sizeof(*job)); - job->cb =3D cb; - job->jobDataPrivateCb =3D jobDataPrivateCb; + job->cb =3D g_memdup(cb, sizeof(*cb)); + job->jobDataPrivateCb =3D g_memdup(jobDataPrivateCb, sizeof(*jobDataPr= ivateCb)); if (virCondInit(&job->cond) < 0) return -1; @@ -229,6 +229,9 @@ virDomainObjClearJob(virDomainJobObj *job) if (job->cb && job->cb->freeJobPrivate) g_clear_pointer(&job->privateData, job->cb->freeJobPrivate); + + g_clear_pointer(&job->cb, g_free); + g_clear_pointer(&job->jobDataPrivateCb, g_free); } void --=20 2.37.1
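Review bot: In the virDomainObjInitJob hunk the two g_memdup() copies are made before the virCondInit() check, so on the "return -1" path the job object already owns two allocations, and the only release shown in this patch is in virDomainObjClearJob. Either make the copies after virCondInit() succeeds or free them before returning, unless every caller is known to run virDomainObjClearJob on a failed init. The leading memset(job, 0, sizeof(*job)) now also drops owned pointers if the function is ever called on an already initialised job, which was harmless while the pointers were borrowed. Separately, g_memdup() has been deprecated since GLib 2.68 in favour of g_memdup2(), whose size parameter is gsize; the sizes here are small sizeof values so nothing is truncated, but the newer call is preferable where the minimum GLib version allows it.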
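Review bot: In the virDomainObjClearJob hunk the new g_clear_pointer(&job->cb, g_free) correctly comes after the job->cb->freeJobPrivate use, but that ordering is now load-bearing and nothing documents it. A short comment here, and one at the 'cb' and 'jobDataPrivateCb' members stating that the job object owns heap copies freed in virDomainObjClearJob, would keep a later change from moving the frees above the freeJobPrivate call or from assigning a borrowed pointer again. It is also worth confirming that no path reads job->cb or job->jobDataPrivateCb after this function, since both are NULL from here on where they previously stayed set.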