From f228917a5ca189f080060bd33076b254497ae9ac Mon Sep 17 00:00:00 2001 
From: Alex Jia Date: Mon, 6 Feb 2012 11:39:41 +0800 Subject: [PATCH] virsh: Avoid invalid read of size errors Detected by valgrind. the codes are allocating 0 bytes memory to variable cpumap by vshCalloc function, and then the function VIR_USE_CPU will access it later, a invalid read error will be hit. * tools/virsh.c(cmdVcpuPin): fix invalid read error. * How to reproduce? % valgrind -v --read-var-info=yes virsh vcpupin 0 0 * Actual result: ==27271== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 8 from 6) ==27271== ==27271== 1 errors in context 1 of 2: ==27271== Invalid read of size 1 ==27271== at 0x39CF087E2E: __GI_memcpy (in /lib64/libc-2.12.so) ==27271== by 0x39CF114FDC: xdrmem_putbytes (in /lib64/libc-2.12.so) ==27271== by 0x39CF114707: xdr_opaque (in /lib64/libc-2.12.so) ==27271== by 0x4D56194: xdr_remote_domain_pin_vcpu_args (remote_protocol.c:1844) ==27271== by 0x4D6CCE1: virNetMessageEncodePayload (virnetmessage.c:341) ==27271== by 0x4D5A44B: virNetClientProgramCall (virnetclientprogram.c:327) ==27271== by 0x4D36EDB: callWithFD (remote_driver.c:4546) ==27271== by 0x4D36F7B: call (remote_driver.c:4567) ==27271== by 0x4D3B2C1: remoteDomainPinVcpu (remote_client_bodies.h:1566) ==27271== by 0x4D199D3: virDomainPinVcpu (libvirt.c:8585) ==27271== by 0x4241F4: cmdVcpuPin (virsh.c:5262) ==27271== by 0x4150A6: vshCommandRun (virsh.c:17712) ==27271== Address 0x5602b80 is 0 bytes after a block of size 0 alloc'd ==27271== at 0x4A04A28: calloc (vg_replace_malloc.c:467) ==27271== by 0x4C89BDF: virAllocN (memory.c:129) ==27271== by 0x423868: _vshCalloc.clone.2 (virsh.c:454) ==27271== by 0x423EF9: cmdVcpuPin (virsh.c:5190) ==27271== by 0x4150A6: vshCommandRun (virsh.c:17712) ==27271== by 0x426583: main (virsh.c:19289) ==27271== ==27271== ==27271== 4 errors in context 2 of 2: ==27271== Invalid read of size 1 ==27271== at 0x424133: cmdVcpuPin (virsh.c:5245) ==27271== by 0x4150A6: vshCommandRun (virsh.c:17712) ==27271== by 0x426583: main (virsh.c:19289) ==27271== 
Address 0x5602b80 is 0 bytes after a block of size 0 alloc'd ==27271== at 0x4A04A28: calloc (vg_replace_malloc.c:467) ==27271== by 0x4C89BDF: virAllocN (memory.c:129) ==27271== by 0x423868: _vshCalloc.clone.2 (virsh.c:454) ==27271== by 0x423EF9: cmdVcpuPin (virsh.c:5190) ==27271== by 0x4150A6: vshCommandRun (virsh.c:17712) ==27271== by 0x426583: main (virsh.c:19289) Signed-off-by: Alex Jia
---
 tools/virsh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 72ca93add7..1613d2ebf2 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -5187,7 +5187,7 @@ cmdVcpuPin(vshControl *ctl, const vshCmd *cmd)
 /* Pin mode: pinning specified vcpu to specified physical cpus*/
- cpumap = vshCalloc(ctl, 0, cpumaplen);
+ cpumap = vshCalloc(ctl, cpumaplen, sizeof(cpumap));
 /* Parse cpulist */
 cur = cpulist;
 if (*cur == 0) {
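Review bot: `sizeof(cpumap)` on the added line is the size of the pointer variable, not of one map element — cpumap must be a pointer since the line assigns vshCalloc's result to it — so the buffer becomes `cpumaplen * sizeof(void *)` bytes rather than the `cpumaplen` bytes that the VIR_USE_CPU accesses named in the description and the virDomainPinVcpu(..., cpumap, cpumaplen) call in the trace consume. That does cure the zero-length allocation valgrind reported (the out-of-bounds bytes were being copied into the RPC payload by xdr_opaque), but it over-allocates by the pointer width and hides the element type from the reader. The idiomatic form is `cpumap = vshCalloc(ctl, cpumaplen, sizeof(*cpumap));`, which allocates exactly one element per map byte and stays correct if cpumap's type changes. cmdVcpuPin begins and ends outside the hunk, so cpumap's declaration and the pinning call are not visible here; the element size is inferred from the description and should be confirmed against the declaration.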