[libvirt] [PATCH] virDomainObjListAddLocked: fix double free
Bjoern Walk
bwalk at linux.ibm.com
Wed Aug 29 05:21:12 UTC 2018
Michal Prívozník <mprivozn at redhat.com> [2018-08-27, 04:03PM +0200]:
> On 08/27/2018 03:20 PM, Marc Hartmayer wrote:
> > If @vm has flagged as "to be removed" virDomainObjListFindByNameLocked
> > returns NULL (although the definition actually exists). Therefore, the
> > possibility exits that "virHashAddEntry" will raise the error
> > "Duplicate key" => virDomainObjListAddObjLocked fails =>
> > virDomainObjEndAPI(&vm) is called and this leads to a freeing of @def
> > since @def is already assigned to vm->def. But actually this leads to
> > a double free since the common usage pattern is that the caller of
> > virDomainObjListAdd(Locked) is responsible for freeing @def in case of
> > an error.
> >
> > Let's fix this by setting vm->def to NULL in case of an error.
> >
> > Backtrace:
> >
> > ➤ bt
> > #0 virFree (ptrptr=0x7575757575757575)
> > #1 0x000003ffb5b25b3e in virDomainResourceDefFree
> > #2 0x000003ffb5b37c34 in virDomainDefFree
> > #3 0x000003ff9123f734 in qemuDomainDefineXMLFlags
> > #4 0x000003ff9123f7f4 in qemuDomainDefineXML
> > #5 0x000003ffb5cd2c84 in virDomainDefineXML
> > #6 0x000000011745aa82 in remoteDispatchDomainDefineXML
> > ...
> >
> > Reviewed-by: Bjoern Walk <bwalk at linux.ibm.com>
> > Signed-off-by: Marc Hartmayer <mhartmay at linux.ibm.com>
> > ---
> > src/conf/virdomainobjlist.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/conf/virdomainobjlist.c b/src/conf/virdomainobjlist.c
> > index 52171594f34f..805fe9440afe 100644
> > --- a/src/conf/virdomainobjlist.c
> > +++ b/src/conf/virdomainobjlist.c
> > @@ -329,8 +329,10 @@ virDomainObjListAddLocked(virDomainObjListPtr doms,
> > goto cleanup;
> > vm->def = def;
> >
> > - if (virDomainObjListAddObjLocked(doms, vm) < 0)
> > + if (virDomainObjListAddObjLocked(doms, vm) < 0) {
> > + vm->def = NULL;
> > goto error;
> > + }
> > }
> > cleanup:
> > return vm;
> >
>
>
> How about setting vm->def only after virDomainObjListAddObjLocked()
> succeded?
>
> However, this points to a more sever bug. If a domain is being removed,
> and some other thread is trying to define it back, I guess the whole
> operation should succeed. Definitely not fail with some (for user)
> cryptic message like "double key found in a hash table".
>
> The problem is that:
>
> a) both virDomainObjListFindByUUIDLocked() and
> virDomainObjListFindByNameLocked() return NULL even if domain exists.
> They should return the found domain and only the caller should decide if
> vm->removing is relevant or not.
>
> b) nothing is clearing out the vm->removing flag. The
> virDomainObjListAddObjLocked() looks like a good candidate to do so.
>
> Michal
Can we still take this fix for the upcoming release and worry about
doing it right later?
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
IBM Systems
Linux on Z & Virtualization Development
------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Schönaicher Str. 220, 71032 Böblingen
Phone: +49 7031 16 1819
------------------------------------------------------------------------
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 902 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20180829/2d3525b9/attachment-0001.sig>
More information about the libvir-list
mailing list