From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 2/2] virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
Date: Fri, 12 Mar 2021 10:23:36 +0100

'res->owners' is allocated to 'res->nOwners' elements, but unfortunately 'res->nOwners' doesn't contain the proper value until after the allocation so 0 elements are allocated. The following loop which assumes that the array has the right number of elements then accesses the pointer out of bounds.

The bug was also faithfully converted from VIR_ALLOC_N to g_new0.

Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa

--- src/util/virlockspace.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/util/virlockspace.c b/src/util/virlockspace.c index 9e80db6a0c..0d6cff3707 100644 --- a/src/util/virlockspace.c +++ b/src/util/virlockspace.c @@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONV= aluePtr object) const char *tmp; virJSONValuePtr owners; size_t j; - size_t m; res =3D g_new0(virLockSpaceResource, 1); res->fd =3D -1; 
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecRestart(virJSONV= aluePtr object) goto error; } - m =3D virJSONValueArraySize(owners); + res->nOwners =3D virJSONValueArraySize(owners); res->owners =3D g_new0(pid_t, res->nOwners); - res->nOwners =3D m; for (j =3D 0; j < res->nOwners; j++) { unsigned long long int owner; --=20 2.29.2
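
Review bot: in the second hunk, `res->owners = g_new0(pid_t, res->nOwners);` is only correct because the assignment to `res->nOwners` now sits on the line directly above it, and nothing in the patch protects that ordering. This is the same dependency that the commit message says went unnoticed through the VIR_ALLOC_N to g_new0 conversion. Consider adding a test that restores a lockspace whose resource has a non-empty owners array and running it under a memory checker, so that a future reordering of these two lines is caught instead of silently allocating 0 elements ahead of the `for (j = 0; j < res->nOwners; j++)` loop.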