From: Jay Zhou
Date: Tue, 19 Feb 2019 15:40:31 +0800
Message-ID: <1550562031-16632-1-git-send-email-jianjay.zhou@huawei.com>
Cc: weidong.huang@huawei.com, wujing42@huawei.com, jianjay.zhou@huawei.com
Subject: [libvirt] [PATCH] util: fix heap-buffer-overflow in virFileWrapperFdFree
From: Jing Wu

Some functions like doCoreDump call virFileWrapperFdNew to execute async cmds. If a step after virFileWrapperFdNew fails, the function may skip virFileWrapperFdClose and jump to the cleanup label to call virFileWrapperFdFree directly. If the child process of the cmd is running and asyncioThread is polling, cmd->errbuf has been allocated at least one byte but (*cmd->errbuf)[errlen] = '\0' has not yet been executed, so accessing wfd->err_msg in virFileWrapperFdFree at this time risks a heap-buffer-overflow. So, we need to put VIR_WARN(wfd->err_msg) after VIR_FREE(wfd->err_msg).

Besides, since virCommandFree already includes virCommandAbort, there is no need to call virCommandAbort separately.

Signed-off-by: Jing Wu
Signed-off-by: Jay Zhou
---
 src/util/virfile.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/util/virfile.c b/src/util/virfile.c
index f6f9e4c..d488158 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -347,13 +347,12 @@ virFileWrapperFdFree(virFileWrapperFdPtr wfd)
     if (!wfd)
         return;
 
+    virCommandFree(wfd->cmd);
+
     if (wfd->err_msg && *wfd->err_msg)
         VIR_WARN("iohelper reports: %s", wfd->err_msg);
 
-    virCommandAbort(wfd->cmd);
-
     VIR_FREE(wfd->err_msg);
-    virCommandFree(wfd->cmd);
     VIR_FREE(wfd);
 }
 
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
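Review bot: the commit message and the hunk disagree about what was moved. The message says VIR_WARN(wfd->err_msg) is put after VIR_FREE(wfd->err_msg), but the hunk leaves `VIR_FREE(wfd->err_msg);` where it was and instead moves `virCommandFree(wfd->cmd);` ahead of the VIR_WARN; the message should describe that ordering, and should say explicitly that reading err_msg afterwards is safe only because virCommandFree (which, as the message notes, includes virCommandAbort) does not return until the iohelper child and its asyncio thread are finished with errbuf. That guarantee is the whole fix and it is stated nowhere in the hunk, so a one-line comment above the added `+    virCommandFree(wfd->cmd);` saying it must precede any access to wfd->err_msg would stop a later cleanup from silently reintroducing the overflow. Minor: after the move, wfd->cmd dangles until `VIR_FREE(wfd);`; harmless as the hunk stands, but setting it to NULL right after the free would make that explicit.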
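As an added illustration of the ordering invariant this patch establishes (this is constructed example code, not libvirt's code and not part of the patch), the C program below models the situation with toy stand-ins: a worker thread plays the asyncio thread and grows an error buffer without a terminator until its last step, `toy_command_free` plays virCommandFree by joining that thread, and `toy_wrapper_fd_free` plays the patched virFileWrapperFdFree by freeing the command first and reading the buffer only afterwards. All names prefixed `toy_` / `Toy` are assumptions made for this example.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for virCommand / virFileWrapperFd; not libvirt's types. */
typedef struct {
    pthread_t thread;
    int thread_started;
    char **errbuf;      /* points at the wrapper's err_msg, as virCommandSetErrorBuffer wires it */
} ToyCommand;

typedef struct {
    ToyCommand *cmd;
    char *err_msg;      /* owned here; the worker thread reallocs it while the "child" runs */
} ToyWrapperFd;

/* Constructed worker standing in for the asyncio thread. It appends chunks with no
 * room reserved for '\0' and only terminates the buffer after the last chunk: the
 * window in which reading *errbuf from another thread is a heap-buffer-overflow. */
static void *toy_worker(void *arg)
{
    ToyCommand *cmd = arg;
    const char *chunks[] = { "iohelper: ", "write failed: ", "No space left on device" };
    size_t len = 0;

    for (size_t i = 0; i < sizeof(chunks) / sizeof(chunks[0]); i++) {
        size_t n = strlen(chunks[i]);
        char *p = realloc(*cmd->errbuf, len + n);   /* unterminated on purpose */
        if (!p) {
            free(*cmd->errbuf);
            *cmd->errbuf = NULL;
            return NULL;
        }
        memcpy(p + len, chunks[i], n);
        *cmd->errbuf = p;
        len += n;
    }
    char *p = realloc(*cmd->errbuf, len + 1);       /* the (*cmd->errbuf)[errlen] = '\0' step */
    if (!p) {
        free(*cmd->errbuf);
        *cmd->errbuf = NULL;
        return NULL;
    }
    p[len] = '\0';
    *cmd->errbuf = p;
    return NULL;
}

/* Analog of virFileWrapperFdNew: wires errbuf to the wrapper and starts the worker. */
static ToyWrapperFd *toy_wrapper_fd_new(void)
{
    ToyWrapperFd *wfd = calloc(1, sizeof(*wfd));
    ToyCommand *cmd = calloc(1, sizeof(*cmd));
    if (!wfd || !cmd) {
        free(wfd);
        free(cmd);
        return NULL;
    }
    cmd->errbuf = &wfd->err_msg;
    wfd->cmd = cmd;
    if (pthread_create(&cmd->thread, NULL, toy_worker, cmd) == 0)
        cmd->thread_started = 1;
    return wfd;
}

/* Analog of virCommandFree as the patch relies on it: nothing touches *errbuf
 * once this has returned, because the worker has been joined. */
static void toy_command_free(ToyCommand *cmd)
{
    if (!cmd)
        return;
    if (cmd->thread_started)
        pthread_join(cmd->thread, NULL);
    free(cmd);
}

/* Analog of the patched virFileWrapperFdFree. Returns 1 and fills `warning` when
 * there is a message to report (the VIR_WARN in the real code), else 0. */
static int toy_wrapper_fd_free(ToyWrapperFd *wfd, char *warning, size_t warning_len)
{
    int reported = 0;
    if (!wfd)
        return 0;

    toy_command_free(wfd->cmd);     /* must come first: worker is gone after this */
    wfd->cmd = NULL;

    if (wfd->err_msg && *wfd->err_msg) {  /* only now is the buffer stable and terminated */
        snprintf(warning, warning_len, "iohelper reports: %s", wfd->err_msg);
        reported = 1;
    }
    free(wfd->err_msg);
    free(wfd);
    return reported;
}

/* The sequence doCoreDump takes on an early failure: new, then free with no close. */
int toy_run(char *warning, size_t warning_len)
{
    ToyWrapperFd *wfd = toy_wrapper_fd_new();
    if (!wfd)
        return -1;
    return toy_wrapper_fd_free(wfd, warning, warning_len);
}

int main(void)
{
    char warning[128];
    int r = toy_run(warning, sizeof(warning));
    printf("%d %s\n", r, r == 1 ? warning : "(nothing reported)");
    return 0;
}
```

Because the join happens before the read, the result is deterministic however far the worker had got when `toy_wrapper_fd_free` was entered; swapping the two halves of that function would turn the read into the race the commit message describes, which is why the order deserves a comment in the real code too.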