From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH for 7.3] conf: Fix heap corruption when hot-adding a lease
Date: Sun, 2 May 2021 12:13:50 +0200
Message-Id: <72848f89ce29aa26f4f1c115c95d14114e8ec760.1619950384.git.pkrempa@redhat.com>
List-Id: Development discussions about the libvirt library & tools

Commit 28a86993162f7d2f ( v6.9.0-179-g28a8699316 ) incorrectly replaced
VIR_EXPAND_N by g_renew.

VIR_EXPAND_N has these two extra effects apart from reallocating memory:

1) The newly allocated memory is zeroed out
2) The number of elements in the array which is passed to VIR_EXPAND_N is
   increased.

This comes into play when used with virDomainLeaseInsertPreAlloced, which
expects that the array element count already includes the space for the
added 'lease', by plainly just assigning to 'leases[nleases - 1]'.

Since g_renew does not increase the number of elements in the array, any
existing code which calls virDomainLeaseInsertPreAlloced thus either
overwrites a lease definition or corrupts the heap if there are no leases
to start with.

To preserve existing functionality we revert the code back to using
VIR_EXPAND_N, which at this point doesn't return any value, so other
commits don't need to be reverted.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1953577
Signed-off-by: Peter Krempa Reviewed-by: Jiri Denemark --- src/conf/domain_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 9d98f487ea..84570c001c 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -16837,7 +16837,7 @@ int virDomainLeaseIndex(virDomainDef *def, void virDomainLeaseInsertPreAlloc(virDomainDef *def) { - def->leases =3D g_renew(virDomainLeaseDef *, def->leases, def->nleases= + 1); + VIR_EXPAND_N(def->leases, def->nleases, 1); } void virDomainLeaseInsert(virDomainDef *def, virDomainLeaseDef *lease) --=20 2.30.2
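Review bot: the restored VIR_EXPAND_N(def->leases, def->nleases, 1) line is correct but leaves undocumented the contract that made the g_renew swap in 28a86993162f7d2f look like a harmless mechanical change: virDomainLeaseInsertPreAlloc must leave def->nleases already incremented and the new slot zeroed, because the caller (virDomainLeaseInsertPreAlloced, per the commit message) stores straight into leases[nleases - 1]. Nothing in the hunk or the function body says so, and VIR_EXPAND_N's count side-effect is invisible at the call site, so the same regression can be reintroduced by the next "replace VIR_* with glib" sweep. Suggest a short comment above the function, for example `/* Grow def->leases by one zeroed slot and bump def->nleases; the caller fills leases[nleases - 1]. */`, so the count-increment requirement lives next to the place the array is grown.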
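To make the failure mode in the commit message concrete, here is an added C example (not libvirt code and not part of this patch) that models the two growth helpers side by side: a VIR_EXPAND_N-style helper that reallocates, zeroes the new tail and bumps the element count, and a g_renew-style helper that only reallocates. The insert step keeps libvirt's contract of storing into leases[nleases - 1], but instead of writing blindly it classifies what that write would hit. The names LeaseDef, DomainDef, model_expand_n, model_g_renew, classify_insert and run_hotadd are hypothetical, and the capacity field exists only so the example can detect an out-of-bounds index rather than corrupt its own heap.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for virDomainLeaseDef / virDomainDef. */
typedef struct { const char *key; } LeaseDef;

typedef struct {
    LeaseDef **leases;
    size_t nleases;    /* the count the insert helper trusts */
    size_t capacity;   /* not tracked by libvirt; here only to detect misuse */
} DomainDef;

static void grow(DomainDef *def, size_t add)
{
    LeaseDef **p = realloc(def->leases, (def->capacity + add) * sizeof(*p));
    if (!p)
        abort();
    def->leases = p;
}

/* Modelled VIR_EXPAND_N(def->leases, def->nleases, add):
 * reallocate, zero the new slots, and increase the element count. */
static void model_expand_n(DomainDef *def, size_t add)
{
    grow(def, add);
    memset(def->leases + def->capacity, 0, add * sizeof(*def->leases));
    def->capacity += add;
    def->nleases += add;
}

/* Modelled g_renew(LeaseDef *, def->leases, def->nleases + 1):
 * reallocate only; the count is untouched and the tail is not zeroed. */
static void model_g_renew(DomainDef *def, size_t add)
{
    grow(def, add);
    def->capacity += add;
}

/* The insert contract: leases[nleases - 1] is already counted and empty.
 * Returns  0 if the store lands in a fresh, zeroed slot,
 *          1 if it would overwrite an existing lease definition,
 *         -1 if the index is leases[-1] or past the allocation (heap
 *            corruption in the real code). */
static int classify_insert(DomainDef *def, LeaseDef *lease)
{
    if (def->nleases == 0 || def->nleases > def->capacity)
        return -1;

    size_t idx = def->nleases - 1;
    int clobbers = def->leases[idx] != NULL;
    def->leases[idx] = lease;
    return clobbers ? 1 : 0;
}

/* Build a definition holding `existing` leases (constructed sample data),
 * grow it with one of the two helpers, then attempt the hot-add.
 * Returns the verdict from classify_insert. */
int run_hotadd(int use_expand_n, size_t existing)
{
    static LeaseDef old_lease = { "existing-lease" };
    static LeaseDef new_lease = { "hot-added-lease" };
    DomainDef def = { NULL, 0, 0 };

    for (size_t i = 0; i < existing; i++) {
        model_expand_n(&def, 1);
        def.leases[def.nleases - 1] = &old_lease;
    }

    if (use_expand_n)
        model_expand_n(&def, 1);   /* the fix: count now covers the new slot */
    else
        model_g_renew(&def, 1);    /* the regression: count unchanged */

    int verdict = classify_insert(&def, &new_lease);
    free(def.leases);
    return verdict;
}
```

run_hotadd(0, 0) reproduces the "no leases to start with" case: nleases stays 0, so the store would target leases[-1], a write before the allocation. run_hotadd(0, 1) reproduces the other outcome from the commit message, where the new lease silently replaces the existing one. With the VIR_EXPAND_N model both cases land in the zeroed slot.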