From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH] virdomainjob: virDomainObjInitJob: Store a copy of virDomainObjPrivateJobCallbacks
Date: Mon, 19 Sep 2022 10:52:34 +0200

'virDomainObjPrivateJobCallbacks' is passed into the job object by copying a pointer from the 'virDomainXMLOption' struct passed in from the caller.

Unfortunately the 'virdomainjob' module can't control the lifetime of the virDomainXMLOption, which in some cases is freed before the domain job data.

To avoid dereferencing freed memory create a copy of the struct holding the private job callbacks.

Fixes: 84e9fd068ccad6e19e037cd6680df437617e2de5
Signed-off-by: Peter Krempa
---

This is a naive attempt to fix a crash reported on the upstream mailing list https://listman.redhat.com/archives/libvir-list/2022-September/234310.html

Note that I didn't analyze the code in that series in detail, I just debugged the visible misbehaviour.

CI pipeline now passes even on OpenSUSE: https://gitlab.com/pipo.sk/libvirt/-/pipelines/643828256

src/conf/virdomainjob.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/conf/virdomainjob.c b/src/conf/virdomainjob.c index 7915faa125..16fb0c2177 100644 --- a/src/conf/virdomainjob.c +++ b/src/conf/virdomainjob.c
@@ -122,13 +122,25 @@ virDomainJobStatusToType(virDomainJobStatus status) return VIR_DOMAIN_JOB_NONE; } + +static virDomainObjPrivateJobCallbacks * +virDomainObjPrivateJobCallbacksCopy(virDomainObjPrivateJobCallbacks *cb) +{ + virDomainObjPrivateJobCallbacks *ret =3D g_new0(virDomainObjPrivateJob= Callbacks, 1); + + memcpy(ret, cb, sizeof(virDomainObjPrivateJobCallbacks)); + + return ret; +} + + int virDomainObjInitJob(virDomainJobObj *job, virDomainObjPrivateJobCallbacks *cb, virDomainJobDataPrivateDataCallbacks *jobDataPrivateCb) { memset(job, 0, sizeof(*job)); - job->cb =3D cb; + job->cb =3D virDomainObjPrivateJobCallbacksCopy(cb); job->jobDataPrivateCb =3D jobDataPrivateCb; if (virCondInit(&job->cond) < 0) @@ -229,6 +241,8 @@ virDomainObjClearJob(virDomainJobObj *job) if (job->cb && job->cb->freeJobPrivate) g_clear_pointer(&job->privateData, job->cb->freeJobPrivate); + + g_clear_pointer(&job->cb, g_free); } void --=20 2.37.1
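Review bot: In virDomainObjPrivateJobCallbacksCopy() in the first hunk, `cb` goes straight into memcpy() with no NULL check, while virDomainObjClearJob() still guards with `if (job->cb && job->cb->freeJobPrivate)`, which implies a NULL callbacks pointer is considered possible. Before this change a NULL `cb` was simply stored by virDomainObjInitJob(); now it would be dereferenced during the copy. Suggest returning NULL early when `cb` is NULL, and taking `cb` as a const pointer since it is only read. In the same hunk, `job->jobDataPrivateCb = jobDataPrivateCb;` still stores the caller's pointer; if that struct has the same owner as `cb` it needs the same treatment, otherwise a short comment stating why its lifetime is safe would help. The body of the `virCondInit(&job->cond) < 0` error path is not visible here, so it is worth confirming that it releases the newly allocated copy.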
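Review bot: In the virDomainObjClearJob() hunk, `g_clear_pointer(&job->cb, g_free);` changes what the function leaves behind: `job->cb` used to survive a clear and is now NULL afterwards, so any use of the job object after a clear without a fresh virDomainObjInitJob() loses its callbacks. Worth confirming that virDomainObjClearJob() is only reached on final teardown, and adding a comment that the job object owns the copy made in virDomainObjInitJob(). The placement after the `freeJobPrivate` call is right, since that call reads `job->cb`.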