1. Patchew
  2. Libvirt
  3. View series

[PATCH] cmdDomBlkError: Fix crash when initial call to virDomainGetDiskErrors fails

Peter Krempa posted 1 patch 3 years ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/b9dc5df1d6982749b58e167b7fb20ad8d5c7e787.1618813500.git.pkrempa@redhat.com
tools/virsh-domain-monitor.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
[PATCH] cmdDomBlkError: Fix crash when initial call to virDomainGetDiskErrors fails
Posted by Peter Krempa 3 years ago 
virDomainGetDiskErrors uses the weird semantics where we make the
caller query for the number of elements and then pass pre-allocated
structure.

The cleanup section errorneously used the 'count' variable to free the
allocated elements for the API but 'count' can be '-1' in cases when the
API returns failure, thus attempting to free beyond the end of the
array.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/155
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 tools/virsh-domain-monitor.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/virsh-domain-monitor.c b/tools/virsh-domain-monitor.c
index 0e49f5da8a..a2bf5c05fc 100644
--- a/tools/virsh-domain-monitor.c
+++ b/tools/virsh-domain-monitor.c
@@ -1220,7 +1220,7 @@ cmdDomBlkError(vshControl *ctl, const vshCmd *cmd)
 {
     virDomainPtr dom;
     virDomainDiskErrorPtr disks = NULL;
-    unsigned int ndisks;
+    unsigned int ndisks = 0;
     size_t i;
     int count;
     bool ret = false;
@@ -1230,10 +1230,10 @@ cmdDomBlkError(vshControl *ctl, const vshCmd *cmd)

     if ((count = virDomainGetDiskErrors(dom, NULL, 0, 0)) < 0)
         goto cleanup;
-    ndisks = count;

-    if (ndisks) {
-        disks = g_new0(virDomainDiskError, ndisks);
+    if (count > 0) {
+        disks = g_new0(virDomainDiskError, count);
+        ndisks = count;

         if ((count = virDomainGetDiskErrors(dom, disks, ndisks, 0)) == -1)
             goto cleanup;
@@ -1252,7 +1252,7 @@ cmdDomBlkError(vshControl *ctl, const vshCmd *cmd)
     ret = true;

  cleanup:
-    for (i = 0; i < count; i++)
+    for (i = 0; i < ndisks; i++)
         VIR_FREE(disks[i].disk);
     VIR_FREE(disks);
     virshDomainFree(dom);
-- 
2.30.2
Re: [PATCH] cmdDomBlkError: Fix crash when initial call to virDomainGetDiskErrors fails
Posted by Pavel Hrdina 3 years ago 
On Mon, Apr 19, 2021 at 08:25:00AM +0200, Peter Krempa wrote:
> virDomainGetDiskErrors uses the weird semantics where we make the
> caller query for the number of elements and then pass pre-allocated
> structure.
> 
> The cleanup section errorneously used the 'count' variable to free the
> allocated elements for the API but 'count' can be '-1' in cases when the
> API returns failure, thus attempting to free beyond the end of the
> array.
> 
> Resolves: https://gitlab.com/libvirt/libvirt/-/issues/155
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  tools/virsh-domain-monitor.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.