1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH v2] vbox: fix SEGV during dumpxml of a serial port

Laine Stump posted 1 patch 6 years, 2 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180126182641.23835-1-laine@laine.org
src/vbox/vbox_common.c | 43 +++++++++++++++++++++++++++++++------------
1 file changed, 31 insertions(+), 12 deletions(-)
[libvirt] [PATCH v2] vbox: fix SEGV during dumpxml of a serial port
Posted by Laine Stump 6 years, 2 months ago 
commit 77a12987a48 changed the "virDomainChrSourceDef source" inside
virDomainChrDef to "virDomainChrSourceDefPtr source", and started
allocating source inside virDomainChrDefNew(), but vboxDumpSerial()
was allocating a virDomainChrDef with a simple VIR_ALLOC() (i.e. never
calling virDomainChrDefNew()), so source was never initialized,
leading to a SEGV any time a serial port was present. The same problem
was created in vboxDumpParallel().

This patch changes vboxDumpSerial() and vboxDumpParallel() to use
virDomainChrDefNew() instead of VIR_ALLOC(), and changes both of those
functions to return an error if virDomainChrDef() (or any other
allocation) fails.

This resolves: https://bugzilla.redhat.com/1536649
---

Change from V1:

Due to reviews of V1 whining about the patch calling out the lack of
returning failure on OOM in a comment rather than fixing it, V2
changes both functions to return 0/-1, and their caller to abort the
dumpxml if they return -1. (If I'd taken the extra 30 seconds to look
one level up the call chain before posting V1, I would have done that
to begin with - there's really nothing complicated about the change,
so I'm just as comfortable posting this V2 patch without being able to
test as I was with V1).

 src/vbox/vbox_common.c | 43 +++++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 12 deletions(-)

diff --git a/src/vbox/vbox_common.c b/src/vbox/vbox_common.c
index 33aefabe5..e8381ac95 100644
--- a/src/vbox/vbox_common.c
+++ b/src/vbox/vbox_common.c
@@ -3862,7 +3862,7 @@ vboxDumpAudio(virDomainDefPtr def, vboxDriverPtr data ATTRIBUTE_UNUSED,
     }
 }
 
-static void
+static int
 vboxDumpSerial(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRUint32 serialPortCount)
 {
     PRUint32 serialPortIncCount = 0;
@@ -3886,9 +3886,15 @@ vboxDumpSerial(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRUin
     }
 
     /* Allocate memory for the serial ports which are enabled */
-    if ((def->nserials > 0) && (VIR_ALLOC_N(def->serials, def->nserials) >= 0)) {
-        for (i = 0; i < def->nserials; i++)
-            ignore_value(VIR_ALLOC(def->serials[i]));
+    if (def->nserials > 0) {
+        if (VIR_ALLOC_N(def->serials, def->nserials) < 0)
+            return -1;
+
+        for (i = 0; i < def->nserials; i++) {
+            def->serials[i] = virDomainChrDefNew(NULL);
+            if (!def->serials[i])
+                return -1;
+        }
     }
 
     /* Now get the details about the serial ports here */
@@ -3936,7 +3942,8 @@ vboxDumpSerial(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRUin
 
                 if (pathUtf16) {
                     VBOX_UTF16_TO_UTF8(pathUtf16, &path);
-                    ignore_value(VIR_STRDUP(def->serials[serialPortIncCount]->source->data.file.path, path));
+                    if (VIR_STRDUP(def->serials[serialPortIncCount]->source->data.file.path, path) < 0)
+                        return -1;
                 }
 
                 serialPortIncCount++;
@@ -3948,9 +3955,10 @@ vboxDumpSerial(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRUin
             VBOX_RELEASE(serialPort);
         }
     }
+    return 0;
 }
 
-static void
+static int
 vboxDumpParallel(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRUint32 parallelPortCount)
 {
     PRUint32 parallelPortIncCount = 0;
@@ -3974,9 +3982,15 @@ vboxDumpParallel(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRU
     }
 
     /* Allocate memory for the parallel ports which are enabled */
-    if ((def->nparallels > 0) && (VIR_ALLOC_N(def->parallels, def->nparallels) >= 0)) {
-        for (i = 0; i < def->nparallels; i++)
-            ignore_value(VIR_ALLOC(def->parallels[i]));
+    if (def->nparallels > 0) {
+        if (VIR_ALLOC_N(def->parallels, def->nparallels) < 0)
+            return -1;
+
+        for (i = 0; i < def->nparallels; i++) {
+            def->parallels[i] = virDomainChrDefNew(NULL);
+            if (!def->parallels[i])
+                return -1;
+        }
     }
 
     /* Now get the details about the parallel ports here */
@@ -4011,7 +4025,8 @@ vboxDumpParallel(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRU
                 gVBoxAPI.UIParallelPort.GetPath(parallelPort, &pathUtf16);
 
                 VBOX_UTF16_TO_UTF8(pathUtf16, &path);
-                ignore_value(VIR_STRDUP(def->parallels[parallelPortIncCount]->source->data.file.path, path));
+                if (VIR_STRDUP(def->parallels[parallelPortIncCount]->source->data.file.path, path) < 0)
+                    return -1;
 
                 parallelPortIncCount++;
 
@@ -4022,6 +4037,7 @@ vboxDumpParallel(virDomainDefPtr def, vboxDriverPtr data, IMachine *machine, PRU
             VBOX_RELEASE(parallelPort);
         }
     }
+    return 0;
 }
 
 static char *vboxDomainGetXMLDesc(virDomainPtr dom, unsigned int flags)
@@ -4162,8 +4178,11 @@ static char *vboxDomainGetXMLDesc(virDomainPtr dom, unsigned int flags)
     vboxDumpSharedFolders(def, data, machine);
     vboxDumpNetwork(def, data, machine, networkAdapterCount);
     vboxDumpAudio(def, data, machine);
-    vboxDumpSerial(def, data, machine, serialPortCount);
-    vboxDumpParallel(def, data, machine, parallelPortCount);
+
+    if (vboxDumpSerial(def, data, machine, serialPortCount) < 0)
+        goto cleanup;
+    if (vboxDumpParallel(def, data, machine, parallelPortCount) < 0)
+        goto cleanup;
 
     /* dump USB devices/filters if active */
     vboxHostDeviceGetXMLDesc(data, def, machine);
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2] vbox: fix SEGV during dumpxml of a serial port
Posted by Ján Tomko 6 years, 2 months ago 
On Fri, Jan 26, 2018 at 01:26:41PM -0500, Laine Stump wrote:
>commit 77a12987a48 changed the "virDomainChrSourceDef source" inside
>virDomainChrDef to "virDomainChrSourceDefPtr source", and started
>allocating source inside virDomainChrDefNew(), but vboxDumpSerial()
>was allocating a virDomainChrDef with a simple VIR_ALLOC() (i.e. never
>calling virDomainChrDefNew()), so source was never initialized,
>leading to a SEGV any time a serial port was present. The same problem
>was created in vboxDumpParallel().
>
>This patch changes vboxDumpSerial() and vboxDumpParallel() to use
>virDomainChrDefNew() instead of VIR_ALLOC(), and changes both of those
>functions to return an error if virDomainChrDef() (or any other
>allocation) fails.
>
>This resolves: https://bugzilla.redhat.com/1536649
>---
>
>Change from V1:
>
>Due to reviews of V1 whining about the patch calling out the lack of
>returning failure on OOM in a comment rather than fixing it, V2
>changes both functions to return 0/-1, and their caller to abort the
>dumpxml if they return -1. (If I'd taken the extra 30 seconds to look
>one level up the call chain before posting V1, I would have done that
>to begin with - there's really nothing complicated about the change,
>so I'm just as comfortable posting this V2 patch without being able to
>test as I was with V1).
>
> src/vbox/vbox_common.c | 43 +++++++++++++++++++++++++++++++------------
> 1 file changed, 31 insertions(+), 12 deletions(-)
>

ACK

Jan
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.