From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH] virthread: Free thread name only after worker has finished
Date: Fri, 6 Mar 2020 16:22:13 +0100

When spawning a thread via our virThread APIs we let pthread spawn
this helper thread which sets couple of thread local variables
(e.g. thread job name or thread worker name) and as of
v6.1.0-40-gc85256b31b it also sets pthread name (which is then
visible in `ps' output for instance). Only after these steps the
intended function is called.
However, just before calling it we free the buffer that holds the
thread name which results in invalid memory reads:

  ==47027== Invalid read of size 1
  ==47027==    at 0x48389C2: strlen (vg_replace_strmem.c:459)
  ==47027==    by 0x58BB3D6: __vfprintf_internal (vfprintf-internal.c:1645)
  ==47027==    by 0x58CE6E0: __vasprintf_internal (vasprintf.c:57)
  ==47027==    by 0x574BA28: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.6000.7)
  ==47027==    by 0x57240CC: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.6000.7)
  ==47027==    by 0x48E0EFA: vir_g_strdup_vprintf (glibcompat.c:209)
  ==47027==    by 0x493AA05: virLogVMessage (virlog.c:573)
  ==47027==    by 0x493A8FE: virLogMessage (virlog.c:513)
  ==47027==    by 0x4992FC7: virThreadJobClear (virthreadjob.c:121)
  ==47027==    by 0x4992844: virThreadHelper (virthread.c:237)
  ==47027==    by 0x5817496: start_thread (pthread_create.c:486)
  ==47027==    by 0x59563CE: clone (clone.S:95)

The problem is that neither virThreadJobSetWorker() nor
virThreadJobSet() create a copy of passed name. They just set a
thread local variable to point to the buffer which is then freed.
Moving the free towards the end of the wrapper function solves
the issue.

Signed-off-by: Michal Privoznik
Reviewed-by: Daniel P. Berrangé

--- src/util/virthread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/virthread.c b/src/util/virthread.c index 37b2cdfbe9..64013b575c 100644 --- a/src/util/virthread.c +++ b/src/util/virthread.c @@ -217,7 +217,6 @@ static void *virThreadHelper(void *data) } else { thname =3D g_strdup(local.name); } - g_free(local.name); =20 #if defined(__linux__) || defined(WIN32) pthread_setname_np(pthread_self(), thname); @@ -236,6 +235,7 @@ static void *virThreadHelper(void *data) if (!local.worker) virThreadJobClear(0); =20 + g_free(local.name); return NULL; } =20 --=20 2.24.1
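
Review bot: In the second hunk, the new g_free(local.name) before return NULL depends on an ordering that nothing in the code records. Per the commit message, virThreadJobSet() and virThreadJobSetWorker() keep a pointer to this buffer rather than a copy, so the buffer has to outlive every read of the thread-local name, including the logging done inside virThreadJobClear(). A short comment above the g_free() saying so would keep a later cleanup from moving the free back up next to the thname setup in the first hunk. Also, virThreadJobClear(0) only runs when !local.worker, so if the worker path stored local.name through virThreadJobSetWorker() (that call is not visible in these hunks), the thread-local is left pointing at freed memory from this line until the thread exits, which is safe only while nothing reads the name during thread teardown. Having the two setters take their own copy of the name would remove the lifetime coupling entirely.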