From: Chuan Zheng
Subject: [PATCH] qemuProcessReconnect: fix possible use after free for xmlopt
Date: Tue, 28 Jul 2020 16:51:26 +0800
Message-ID: <1595926286-63323-1-git-send-email-zhengchuan@huawei.com>
Cc: fangying1@huawei.com, alex.chen@huawei.com, wanghao232@huawei.com, zhang.zhanghailiang@huawei.com, yubihong@huawei.com
List-Id: Development discussions about the libvirt library & tools

From: Zheng Chuan

In the case where libvirtd is killed when it has just started,
qemu_driver->xmlopt is freed in the main thread while qemuProcessReconnect
still visits it, which results in null pointer accesses.

Fix that by adding a refcount on qemu_driver->xmlopt at the beginning of
qemuProcessReconnect.

Signed-off-by: Zheng Chuan
---
 src/qemu/qemu_process.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index ec6ca14..ef3fe12 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8009,6 +8009,7 @@ qemuProcessReconnect(void *opaque)
     virQEMUDriverPtr driver = data->driver;
     virDomainObjPtr obj = data->obj;
     qemuDomainObjPrivatePtr priv;
+    virDomainXMLOptionPtr xmlopt;
     qemuDomainJobObj oldjob;
     int state;
     int reason;
@@ -8030,6 +8031,9 @@ qemuProcessReconnect(void *opaque)
     cfg = virQEMUDriverGetConfig(driver);
     priv = obj->privateData;
 
+    /* need xmlopt later to save status, do not free */
+    xmlopt = virObjectRef(driver->xmlopt);
+
     if (qemuDomainObjBeginJob(driver, obj, QEMU_JOB_MODIFY) < 0)
         goto error;
     jobStarted = true;
@@ -8229,7 +8233,7 @@ qemuProcessReconnect(void *opaque)
     }
 
     /* update domain state XML with possibly updated state in virDomainObj */
-    if (virDomainObjSave(obj, driver->xmlopt, cfg->stateDir) < 0)
+    if (virDomainObjSave(obj, xmlopt, cfg->stateDir) < 0)
         goto error;
 
     /* Run an hook to allow admins to do some magic */
@@ -8262,6 +8266,7 @@ qemuProcessReconnect(void *opaque)
         if (!virDomainObjIsActive(obj))
             qemuDomainRemoveInactiveJob(driver, obj);
     }
+    virObjectUnref(xmlopt);
     virDomainObjEndAPI(&obj);
     virNWFilterUnlockFilterUpdates();
     virIdentitySetCurrent(NULL);
-- 
1.8.3.1
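Review bot: in the first hunk, `virDomainXMLOptionPtr xmlopt;` is declared without an initializer, while the matching `virObjectUnref(xmlopt);` in the last hunk sits on the function's common exit path. If any error jump between this declaration and the later `xmlopt = virObjectRef(driver->xmlopt);` can reach that exit, the unref runs on an uninitialized pointer. Initialize it here (`virDomainXMLOptionPtr xmlopt = NULL;`); `virObjectUnref(NULL)` is a no-op, so the cleanup then stays safe whichever path reaches it.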
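Review bot: in the second hunk, the reference is taken by reading `driver->xmlopt` from inside the reconnect thread, i.e. after the thread is already running, so the window in which the main thread can free the object before `xmlopt = virObjectRef(driver->xmlopt);` executes is narrowed, not closed. Either state that limitation in the commit message, or take the reference in the thread's creator and hand it over through `data` alongside `data->driver` and `data->obj`, so the thread never dereferences a possibly-freed driver field. The comment `/* need xmlopt later to save status, do not free */` would also be clearer if it named the hazard it guards against: the driver may be torn down during daemon shutdown while this thread is still active.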
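Review bot: in the last hunk, `virObjectUnref(xmlopt);` is placed after the job-cleanup block and before `virDomainObjEndAPI(&obj);`, which balances the earlier ref only if every exit from the function, the success path and the `error` label alike, flows through this point. Please confirm there is no early `return` between the `virObjectRef` and here; otherwise the reference leaks and the object is never freed. A one-line comment tying this unref to the ref taken at the top of the function would make the ownership obvious to the next reader.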