External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-25 05:55:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

libxl: fix double-free of libxl_domain_build_info

Browse Source 
On error, libxlMakeDomBuildInfo() frees the caller-provided
libxl_domain_build_info struct embedded in libxl_domain_config,
causing a segfault

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9c13020700 (LWP 40988)]
(gdb) bt
0  0x00007f9c162f95b4 in free () from /lib64/libc.so.6
1  0x00007f9c0d0965ad in libxl_bitmap_dispose () from
   /usr/lib64/libxenlight.so.4.4
2  0x00007f9c0d0a73bf in libxl_domain_build_info_dispose ()
   from /usr/lib64/libxenlight.so.4.4
3  0x00007f9c0d0a7974 in libxl_domain_config_dispose () from
   /usr/lib64/libxenlight.so.4.4
4  0x00007f9c0d2e00c5 in libxlDomainStart (driver=0x7f9c0400e4e0,
   vm=0x7f9c0412b0d0, start_paused=false, restore_fd=-1) at
   libxl/libxl_domain.c:1323
5  0x00007f9c0d2e1d4b in libxlDomainCreateXML (conn=0x7f9c000009a0,...)
   at libxl/libxl_driver.c:660

Remove the call to libxl_domain_build_info_dispose() from
libxlMakeDomBuildInfo().  On error, callers will dispose the
libxl_domain_config object, which in turn disposes the build info.
This commit is contained in:
Jim Fehlig 2014-10-10 15:39:46 -06:00
parent 1c0bf509ef
commit 720be2eb5f
1 changed files with 14 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/libxl/libxl_conf.c
View File

@ -640,7 +640,7 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
b_info->max_vcpus = def->maxvcpus; b_info->max_vcpus = def->maxvcpus;
if (libxl_cpu_bitmap_alloc(ctx, &b_info->avail_vcpus, def->maxvcpus)) if (libxl_cpu_bitmap_alloc(ctx, &b_info->avail_vcpus, def->maxvcpus))
goto error; return -1;
libxl_bitmap_set_none(&b_info->avail_vcpus); libxl_bitmap_set_none(&b_info->avail_vcpus);
for (i = 0; i < def->vcpus; i++) for (i = 0; i < def->vcpus; i++)
libxl_bitmap_set((&b_info->avail_vcpus), i); libxl_bitmap_set((&b_info->avail_vcpus), i);
@ -703,26 +703,26 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
bootorder[def->os.nBootDevs] = '\0'; bootorder[def->os.nBootDevs] = '\0';
} }
if (VIR_STRDUP(b_info->u.hvm.boot, bootorder) < 0) if (VIR_STRDUP(b_info->u.hvm.boot, bootorder) < 0)
goto error; return -1;
if (def->emulator) { if (def->emulator) {
if (!virFileExists(def->emulator)) { if (!virFileExists(def->emulator)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("emulator '%s' not found"), _("emulator '%s' not found"),
def->emulator); def->emulator);
goto error; return -1;
} }
if (!virFileIsExecutable(def->emulator)) { if (!virFileIsExecutable(def->emulator)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("emulator '%s' is not executable"), _("emulator '%s' is not executable"),
def->emulator); def->emulator);
goto error; return -1;
} }
VIR_FREE(b_info->device_model); VIR_FREE(b_info->device_model);
if (VIR_STRDUP(b_info->device_model, def->emulator) < 0) if (VIR_STRDUP(b_info->device_model, def->emulator) < 0)
goto error; return -1;
b_info->device_model_version = libxlDomainGetEmulatorType(def); b_info->device_model_version = libxlDomainGetEmulatorType(def);
} }
@ -732,17 +732,17 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", "%s",
_("Only one serial device is supported by libxl")); _("Only one serial device is supported by libxl"));
goto error; return -1;
} }
if (libxlMakeChrdevStr(def->serials[0], &b_info->u.hvm.serial) < 0) if (libxlMakeChrdevStr(def->serials[0], &b_info->u.hvm.serial) < 0)
goto error; return -1;
} }
if (def->nparallels) { if (def->nparallels) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", "%s",
_("Parallel devices are not supported by libxl")); _("Parallel devices are not supported by libxl"));
goto error; return -1;
} }
/* /*
@ -761,33 +761,29 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
*/ */
if (def->os.bootloader) { if (def->os.bootloader) {
if (VIR_STRDUP(b_info->u.pv.bootloader, def->os.bootloader) < 0) if (VIR_STRDUP(b_info->u.pv.bootloader, def->os.bootloader) < 0)
goto error; return -1;
} else if (def->os.kernel == NULL) { } else if (def->os.kernel == NULL) {
if (VIR_STRDUP(b_info->u.pv.bootloader, LIBXL_BOOTLOADER_PATH) < 0) if (VIR_STRDUP(b_info->u.pv.bootloader, LIBXL_BOOTLOADER_PATH) < 0)
goto error; return -1;
} }
if (def->os.bootloaderArgs) { if (def->os.bootloaderArgs) {
if (!(b_info->u.pv.bootloader_args = if (!(b_info->u.pv.bootloader_args =
virStringSplit(def->os.bootloaderArgs, " \t\n", 0))) virStringSplit(def->os.bootloaderArgs, " \t\n", 0)))
goto error; return -1;
} }
if (VIR_STRDUP(b_info->u.pv.cmdline, def->os.cmdline) < 0) if (VIR_STRDUP(b_info->u.pv.cmdline, def->os.cmdline) < 0)
goto error; return -1;
if (def->os.kernel) { if (def->os.kernel) {
/* libxl_init_build_info() sets VIR_STRDUP(kernel.path, "hvmloader") */ /* libxl_init_build_info() sets VIR_STRDUP(kernel.path, "hvmloader") */
VIR_FREE(b_info->u.pv.kernel); VIR_FREE(b_info->u.pv.kernel);
if (VIR_STRDUP(b_info->u.pv.kernel, def->os.kernel) < 0) if (VIR_STRDUP(b_info->u.pv.kernel, def->os.kernel) < 0)
goto error; return -1;
} }
if (VIR_STRDUP(b_info->u.pv.ramdisk, def->os.initrd) < 0) if (VIR_STRDUP(b_info->u.pv.ramdisk, def->os.initrd) < 0)
goto error; return -1;
} }
return 0; return 0;
error:
libxl_domain_build_info_dispose(b_info);
return -1;
} }
static int static int