From 720be2eb5f0216564d158dca99c466fac2c16a53 Mon Sep 17 00:00:00 2001 From: Jim Fehlig Date: Fri, 10 Oct 2014 15:39:46 -0600 Subject: [PATCH] libxl: fix double-free of libxl_domain_build_info On error, libxlMakeDomBuildInfo() frees the caller-provided libxl_domain_build_info struct embedded in libxl_domain_config, causing a segfault Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f9c13020700 (LWP 40988)] (gdb) bt 0 0x00007f9c162f95b4 in free () from /lib64/libc.so.6 1 0x00007f9c0d0965ad in libxl_bitmap_dispose () from /usr/lib64/libxenlight.so.4.4 2 0x00007f9c0d0a73bf in libxl_domain_build_info_dispose () from /usr/lib64/libxenlight.so.4.4 3 0x00007f9c0d0a7974 in libxl_domain_config_dispose () from /usr/lib64/libxenlight.so.4.4 4 0x00007f9c0d2e00c5 in libxlDomainStart (driver=0x7f9c0400e4e0, vm=0x7f9c0412b0d0, start_paused=false, restore_fd=-1) at libxl/libxl_domain.c:1323 5 0x00007f9c0d2e1d4b in libxlDomainCreateXML (conn=0x7f9c000009a0,...) at libxl/libxl_driver.c:660 Remove the call to libxl_domain_build_info_dispose() from libxlMakeDomBuildInfo(). On error, callers will dispose the libxl_domain_config object, which in turn disposes the build info. --- src/libxl/libxl_conf.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 715895ca1f..e296ffc0c4 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -640,7 +640,7 @@ libxlMakeDomBuildInfo(virDomainDefPtr def, b_info->max_vcpus = def->maxvcpus; if (libxl_cpu_bitmap_alloc(ctx, &b_info->avail_vcpus, def->maxvcpus)) - goto error; + return -1; libxl_bitmap_set_none(&b_info->avail_vcpus); for (i = 0; i < def->vcpus; i++) libxl_bitmap_set((&b_info->avail_vcpus), i); @@ -703,26 +703,26 @@ libxlMakeDomBuildInfo(virDomainDefPtr def, bootorder[def->os.nBootDevs] = '\0'; } if (VIR_STRDUP(b_info->u.hvm.boot, bootorder) < 0) - goto error; + return -1; if (def->emulator) { if (!virFileExists(def->emulator)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("emulator '%s' not found"), def->emulator); - goto error; + return -1; } if (!virFileIsExecutable(def->emulator)) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("emulator '%s' is not executable"), def->emulator); - goto error; + return -1; } VIR_FREE(b_info->device_model); if (VIR_STRDUP(b_info->device_model, def->emulator) < 0) - goto error; + return -1; b_info->device_model_version = libxlDomainGetEmulatorType(def); } @@ -732,17 +732,17 @@ libxlMakeDomBuildInfo(virDomainDefPtr def, virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Only one serial device is supported by libxl")); - goto error; + return -1; } if (libxlMakeChrdevStr(def->serials[0], &b_info->u.hvm.serial) < 0) - goto error; + return -1; } if (def->nparallels) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Parallel devices are not supported by libxl")); - goto error; + return -1; } /* @@ -761,33 +761,29 @@ libxlMakeDomBuildInfo(virDomainDefPtr def, */ if (def->os.bootloader) { if (VIR_STRDUP(b_info->u.pv.bootloader, def->os.bootloader) < 0) - goto error; + return -1; } else if (def->os.kernel == NULL) { if (VIR_STRDUP(b_info->u.pv.bootloader, LIBXL_BOOTLOADER_PATH) < 0) - goto error; + return -1; } if (def->os.bootloaderArgs) { if (!(b_info->u.pv.bootloader_args = virStringSplit(def->os.bootloaderArgs, " \t\n", 0))) - goto error; + return -1; } if (VIR_STRDUP(b_info->u.pv.cmdline, def->os.cmdline) < 0) - goto error; + return -1; if (def->os.kernel) { /* libxl_init_build_info() sets VIR_STRDUP(kernel.path, "hvmloader") */ VIR_FREE(b_info->u.pv.kernel); if (VIR_STRDUP(b_info->u.pv.kernel, def->os.kernel) < 0) - goto error; + return -1; } if (VIR_STRDUP(b_info->u.pv.ramdisk, def->os.initrd) < 0) - goto error; + return -1; } return 0; - - error: - libxl_domain_build_info_dispose(b_info); - return -1; } static int