From: Wang King <king.wang@huawei.com>
To: libvir-list@redhat.com
Cc: yanqiangjun@huawei.com, weidong.huang@huawei.com, Wang King, weifuqiang@huawei.com
Date: Fri, 10 Feb 2017 09:12:25 +0800
Message-ID: <20170210011225.12056-1-king.wang@huawei.com>
Subject: [libvirt] [PATCH] rpc: fix use-after-free when sending event message

If there is a process with a client which registers event callbacks, and it calls libvirt's API which uses the same virConnectPtr in that callback function.
When this process exits abnormally, leading to client disconnect, there is a possibility that the main thread refers to virServerClient just after the virServerClient has been freed by a job thread of libvirtd. Following is the backtrace:

#0  0x00007fda223d66d8 in virClassIsDerivedFrom (klass=0xdeadbeef, parent=0x7fda24c81b40)
#1  0x00007fda223d6a1e in virObjectIsClass (anyobj=anyobj@entry=0x7fd9e575b400, klass=)
#2  0x00007fda223d6a44 in virObjectLock (anyobj=anyobj@entry=0x7fd9e575b400)
#3  0x00007fda22507f71 in virNetServerClientSendMessage (client=client@entry=0x7fd9e575b400, msg=msg@entry=0x7fd9ec30de90)
#4  0x00007fda230d714d in remoteDispatchObjectEventSend (client=0x7fd9e575b400, program=0x7fda24c844e0, procnr=procnr@entry=348, proc=0x7fda2310e5e0 , data=data@entry=0x7ffc3857fdb0)
#5  0x00007fda230dd71b in remoteRelayDomainEventTunable (conn=, dom=0x7fda27cd7660, params=0x7fda27f3aae0, nparams=1, opaque=0x7fd9e6c99e00)
#6  0x00007fda224484cb in virDomainEventDispatchDefaultFunc (conn=0x7fda27cd0120, event=0x7fda2736ea00, cb=0x7fda230dd610 , cbopaque=0x7fd9e6c99e00)
#7  0x00007fda22446871 in virObjectEventStateDispatchCallbacks (callbacks=, callbacks=, event=0x7fda2736ea00, state=0x7fda24ca3960)
#8  virObjectEventStateQueueDispatch (callbacks=0x7fda24c65800, queue=0x7ffc3857fe90, state=0x7fda24ca3960)
#9  virObjectEventStateFlush (state=0x7fda24ca3960)
#10 virObjectEventTimer (timer=, opaque=0x7fda24ca3960)
#11 0x00007fda223ae8b9 in virEventPollDispatchTimeouts ()
#12 virEventPollRunOnce ()
#13 0x00007fda223ad1d2 in virEventRunDefaultImpl ()
#14 0x00007fda225046cd in virNetDaemonRun (dmn=dmn@entry=0x7fda24c775c0)
#15 0x00007fda230d6351 in main (argc=, argv=)

(gdb) p *(virNetServerClientPtr)0x7fd9e575b400
$2 = {parent = {parent = {u = {dummy_align1 = 140573849338048, dummy_align2 = 0x7fd9e65ac0c0, s = {magic = 3864707264, refs = 32729}}, klass =
0x7fda00000078}, lock = {lock = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}}, wantClose = false, delayedClose = false, sock = 0x0, auth = 0, readonly = false, tlsCtxt = 0x0, tls = 0x0, sasl = 0x0, sockTimer = 0, identity = 0x0, nrequests = 0, nrequests_max = 0, rx = 0x0, tx = 0x0, filters = 0x0, nextFilterID = 0, dispatchFunc = 0x0, dispatchOpaque = 0x0, privateData = 0x0, privateDataFreeFunc = 0x0, privateDataPreExecRestart = 0x0, privateDataCloseFunc = 0x0, keepalive = 0x0}
---
 src/rpc/virnetserverclient.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index 81da82c..562516f 100644
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -1021,6 +1021,12 @@ void virNetServerClientClose(virNetServerClientPtr client)
         client->sock = NULL;
     }
 
+    if (client->privateData &&
+        client->privateDataFreeFunc) {
+        client->privateDataFreeFunc(client->privateData);
+        client->privateData = NULL;
+    }
+
     virObjectUnlock(client);
 }
 
-- 
2.8.3

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
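Review bot: the new block in virNetServerClientClose invokes client->privateDataFreeFunc with the client lock still held (it sits immediately before the virObjectUnlock(client) context line), so if that callback ever locks the client again, or locks another object that in turn waits on this client, the close path deadlocks; either move the call after virObjectUnlock(client), or take a reference, unlock around the callback and re-lock afterwards. The struct dump above shows a separate privateDataCloseFunc hook, which by name is the one meant to run at close time, so the commit message should say why the free hook is being run here instead of (or in addition to) the close hook. The block also changes the lifetime of privateData: after this hunk it is NULL for the rest of the client's life rather than until the object is freed, and any code that still holds the client, such as the event dispatch in frames #4 and #5 of the backtrace, must now tolerate a NULL privateData; a short comment above the `if (client->privateData &&` line stating that private data is released at close rather than at free would make that contract visible to later readers.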
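The race the commit message describes, as an added example that is not libvirt code and not part of the patch above: a reference-counted client object whose event-callback registration keeps a raw back-pointer to it. The buggy close only drops the client reference and leaves the registration in the event state, so the next dispatch reaches a dead client (the 0xdeadbeef value in frame #0 of the backtrace is the same kind of poisoned header). The fixed close follows the shape of the hunk, running the private-data free hook before the reference is dropped. The names Client, Registration, registration_free and run_scenario are hypothetical, the assumption that privateDataFreeFunc deregisters the event callback is mine (the page does not show the daemon side), and freed clients are poisoned rather than handed back to malloc so that the dangling access is detectable instead of undefined.

```c
#include <stdio.h>
#include <stdlib.h>

/* libvirt's freed-object marker in the backtrace is 0xdeadbeef; the model
 * poisons a magic word the same way when the last reference goes. */
#define MAGIC_LIVE 0x1c11e477u
#define MAGIC_DEAD 0xdeadbeefu

typedef struct Client Client;
typedef void (*PrivFreeFunc)(void *priv);

struct Client {
    unsigned     magic;
    int          refs;
    void        *privateData;          /* owned by the daemon layer */
    PrivFreeFunc privateDataFreeFunc;  /* assumed to deregister callbacks */
};

/* One event-callback registration, the daemon's per-client private data. */
typedef struct Registration {
    Client *client;                    /* raw back-pointer: the hazard */
    struct Registration *next;
} Registration;

static Registration *event_state;      /* list the event timer walks */

/* Simulated free: poison and keep the block (constructed for the demo). */
static void client_unref(Client *c)
{
    if (--c->refs == 0)
        c->magic = MAGIC_DEAD;
}

static Client *client_new(void)
{
    Client *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->magic = MAGIC_LIVE;
    c->refs = 1;
    return c;
}

/* Daemon side: register an event callback that remembers the client. */
static void register_event(Client *c)
{
    Registration *r = calloc(1, sizeof(*r));
    if (!r) abort();
    r->client = c;
    r->next = event_state;
    event_state = r;
    c->privateData = r;
}

/* What the free hook is assumed to do: unlink and free the registration. */
static void registration_free(void *priv)
{
    for (Registration **pp = &event_state; *pp; pp = &(*pp)->next) {
        if (*pp == priv) {
            Registration *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

/* Before the patch: close drops the client, registration stays behind. */
static void client_close_buggy(Client *c)
{
    client_unref(c);
}

/* After the patch: the private-data free hook runs first, as in the hunk. */
static void client_close_fixed(Client *c)
{
    if (c->privateData && c->privateDataFreeFunc) {
        c->privateDataFreeFunc(c->privateData);
        c->privateData = NULL;
    }
    client_unref(c);
}

/* Main-thread event timer: returns how many dead clients it would touch
 * (where libvirt crashes in virObjectLock). */
static int dispatch_events(void)
{
    int dangling = 0;
    for (Registration *r = event_state; r; r = r->next) {
        if (r->client->magic != MAGIC_LIVE) {
            dangling++;
            continue;
        }
        /* virNetServerClientSendMessage(r->client, msg) would run here */
    }
    return dangling;
}

/* Register, close with the chosen close path, dispatch, clean up. */
static int run_scenario(int fixed)
{
    Client *c = client_new();
    c->privateDataFreeFunc = registration_free;
    register_event(c);
    if (fixed)
        client_close_fixed(c);
    else
        client_close_buggy(c);
    int dangling = dispatch_events();
    while (event_state)                /* drop whatever the scenario left */
        registration_free(event_state);
    free(c);
    return dangling;
}

int main(void)
{
    printf("buggy close: %d dangling client(s)\n", run_scenario(0));
    printf("fixed close: %d dangling client(s)\n", run_scenario(1));
    return 0;
}
```

The model only shows the lifetime half of the bug: it frees the registration from the close path while nothing else is running. In the real daemon the close runs on one thread while the event timer runs on the main thread, so the free hook also has to be ordered against the dispatcher (by lock or by reference count), which is the locking point a reviewer would raise against the hunk.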