From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 1/2] virLockSpacePreExecRestart: Avoid use-after-free
Date: Fri, 12 Mar 2021 10:23:35 +0100

Recent refactor marked 'object' which is returned from the function as autofree but forgot to use g_steal_pointer in the return statement to prevent freeing it.

Fixes: 9a1651f64d7
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
src/util/virlockspace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/virlockspace.c b/src/util/virlockspace.c index f253091f39..9e80db6a0c 100644 --- a/src/util/virlockspace.c +++ b/src/util/virlockspace.c 
@@ -472,7 +472,7 @@ virJSONValuePtr virLockSpacePreExecRestart(virLockSpace= Ptr lockspace) goto error; virMutexUnlock(&lockspace->lock); - return object; + return g_steal_pointer(&object); error: virMutexUnlock(&lockspace->lock); --=20 2.29.2
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 2/2] virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
Date: Fri, 12 Mar 2021 10:23:36 +0100

'res->owners' is allocated to 'res->nOwners' elements, but unfortunately 'res->nOwners' doesn't contain the proper value until after the allocation so 0 elements are allocated. The following loop which assumes that the array has the right number of elements then accesses the pointer out of bounds.

The bug was also faithfully converted from VIR_ALLOC_N to g_new0.

Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
src/util/virlockspace.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/util/virlockspace.c b/src/util/virlockspace.c index 9e80db6a0c..0d6cff3707 100644 --- a/src/util/virlockspace.c +++ b/src/util/virlockspace.c @@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONV= aluePtr object) const char *tmp; virJSONValuePtr owners; size_t j; - size_t m; res =3D g_new0(virLockSpaceResource, 1); res->fd =3D -1; 
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONV= aluePtr object) goto error; } - m =3D virJSONValueArraySize(owners); + res->nOwners =3D virJSONValueArraySize(owners); res->owners =3D g_new0(pid_t, res->nOwners); - res->nOwners =3D m; for (j =3D 0; j < res->nOwners; j++) { unsigned long long int owner; --=20 2.29.2
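
Review bot: the allocation in the second hunk of [PATCH 2/2] is only correct because `res->nOwners = virJSONValueArraySize(owners);` now sits on the line before `res->owners = g_new0(pid_t, res->nOwners);`, and nothing visible protects that ordering from the next refactor. The commit message says the wrong order survived the VIR_ALLOC_N to g_new0 conversion unnoticed, so please add a test that restores a lockspace whose resource has at least one owner and checks the restored owner list. The visible lines also do not show whether `owners` was confirmed to be a JSON array before its size is used as the element count, which is worth confirming since the count comes from the restored JSON state.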
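
Review bot: in the [PATCH 1/2] hunk, the `error:` label directly below the new `return g_steal_pointer(&object);` is shown only as far as `virMutexUnlock(&lockspace->lock);`. Because the commit message says `object` is now autofree, that path must not also free `object` explicitly, otherwise the failure path becomes a double free; please confirm it only unlocks and returns. The refactor named in the Fixes: tag (9a1651f64d7) is also worth rechecking for other autofree variables that are still handed back with a plain `return`.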
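
The ownership bug described in the [PATCH 1/2] commit message, reproduced as an added example that is not libvirt's code. `doc`, `AUTOFREE`, `steal()`, `build_buggy()` and `build_fixed()` are hypothetical stand-ins that mimic g_autoptr and g_steal_pointer with the GCC/Clang `cleanup` attribute; the free counter makes the premature release observable without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: 'doc' plays the returned JSON object; AUTOFREE and
 * steal() mimic GLib's g_autoptr and g_steal_pointer (GCC/Clang only). */
typedef struct { char name[16]; } doc;
int doc_frees; /* number of objects released by the scope-exit cleanup */

static void doc_cleanup(doc **p)
{
    if (*p) { free(*p); doc_frees++; }
}
#define AUTOFREE __attribute__((cleanup(doc_cleanup)))

/* Transfer ownership out of an autofree variable and leave NULL behind. */
static doc *steal(doc **p)
{
    doc *ret = *p;
    *p = NULL;
    return ret;
}

/* Pre-fix shape: cleanup frees 'object' on return, so the caller gets a dangling pointer. */
doc *build_buggy(void)
{
    AUTOFREE doc *object = calloc(1, sizeof(*object));
    if (!object)
        return NULL;
    strcpy(object->name, "lockspace");
    return object;
}

/* Post-fix shape: success steals the pointer; the error path just returns
 * and lets the cleanup release the half-built object exactly once. */
doc *build_fixed(int fail)
{
    AUTOFREE doc *object = calloc(1, sizeof(*object));
    if (!object || fail)
        return NULL;
    strcpy(object->name, "lockspace");
    return steal(&object);
}

int main(void)
{
    doc *d = build_fixed(0);
    printf("fixed: name=%s frees=%d\n", d ? d->name : "(null)", doc_frees);
    free(d);
}
```

Building the buggy variant with AddressSanitizer and dereferencing its result reports the heap-use-after-free that the patch removes.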