libxl: fix double-free of libxl_domain_build_info

On error, libxlMakeDomBuildInfo() frees the caller-provided libxl_domain_build_info struct embedded in libxl_domain_config, causing a segfault Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f9c13020700 (LWP 40988)] (gdb) bt 0 0x00007f9c162f95b4 in free () from /lib64/libc.so.6 1 0x00007f9c0d0965ad in libxl_bitmap_dispose () from /usr/lib64/libxenlight.so.4.4 2 0x00007f9c0d0a73bf in libxl_domain_build_info_dispose () from /usr/lib64/libxenlight.so.4.4 3 0x00007f9c0d0a7974 in libxl_domain_config_dispose () from /usr/lib64/libxenlight.so.4.4 4 0x00007f9c0d2e00c5 in libxlDomainStart (driver=0x7f9c0400e4e0, vm=0x7f9c0412b0d0, start_paused=false, restore_fd=-1) at libxl/libxl_domain.c:1323 5 0x00007f9c0d2e1d4b in libxlDomainCreateXML (conn=0x7f9c000009a0,...) at libxl/libxl_driver.c:660 Remove the call to libxl_domain_build_info_dispose() from libxlMakeDomBuildInfo(). On error, callers will dispose the libxl_domain_config object, which in turn disposes the build info.

libxl: fix double-free of libxl_domain_build_info
On error, libxlMakeDomBuildInfo() frees the caller-provided libxl_domain_build_info struct embedded in libxl_domain_config, causing a segfault Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f9c13020700 (LWP 40988)] (gdb) bt 0 0x00007f9c162f95b4 in free () from /lib64/libc.so.6 1 0x00007f9c0d0965ad in libxl_bitmap_dispose () from /usr/lib64/libxenlight.so.4.4 2 0x00007f9c0d0a73bf in libxl_domain_build_info_dispose () from /usr/lib64/libxenlight.so.4.4 3 0x00007f9c0d0a7974 in libxl_domain_config_dispose () from /usr/lib64/libxenlight.so.4.4 4 0x00007f9c0d2e00c5 in libxlDomainStart (driver=0x7f9c0400e4e0, vm=0x7f9c0412b0d0, start_paused=false, restore_fd=-1) at libxl/libxl_domain.c:1323 5 0x00007f9c0d2e1d4b in libxlDomainCreateXML (conn=0x7f9c000009a0,...) at libxl/libxl_driver.c:660 Remove the call to libxl_domain_build_info_dispose() from libxlMakeDomBuildInfo(). On error, callers will dispose the libxl_domain_config object, which in turn disposes the build info.
720be2eb · Jim Fehlig · 1c0bf509 · 720be2eb
隐藏空白更改
内联并排

Showing with 14 addition and 18 deletion

src/libxl/libxl_conf.c src/libxl/libxl_conf.c +14 -18

未找到文件。
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -640,7 +640,7 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,

    b_info->max_vcpus = def->maxvcpus;
    if (libxl_cpu_bitmap_alloc(ctx, &b_info->avail_vcpus, def->maxvcpus))
-        goto error;
+        return -1;
    libxl_bitmap_set_none(&b_info->avail_vcpus);
    for (i = 0; i < def->vcpus; i++)
        libxl_bitmap_set((&b_info->avail_vcpus), i);
@@ -703,26 +703,26 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
            bootorder[def->os.nBootDevs] = '\0';
        }
        if (VIR_STRDUP(b_info->u.hvm.boot, bootorder) < 0)
-            goto error;
+            return -1;

        if (def->emulator) {
            if (!virFileExists(def->emulator)) {
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                               _("emulator '%s' not found"),
                               def->emulator);
-                goto error;
+                return -1;
            }

            if (!virFileIsExecutable(def->emulator)) {
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                               _("emulator '%s' is not executable"),
                               def->emulator);
-                goto error;
+                return -1;
            }

            VIR_FREE(b_info->device_model);
            if (VIR_STRDUP(b_info->device_model, def->emulator) < 0)
-                goto error;
+                return -1;

            b_info->device_model_version = libxlDomainGetEmulatorType(def);
        }
@@ -732,17 +732,17 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                               "%s",
                               _("Only one serial device is supported by libxl"));
-                goto error;
+                return -1;
            }
            if (libxlMakeChrdevStr(def->serials[0], &b_info->u.hvm.serial) < 0)
-                goto error;
+                return -1;
        }

        if (def->nparallels) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                           "%s",
                           _("Parallel devices are not supported by libxl"));
-            goto error;
+            return -1;
        }

        /*
@@ -761,33 +761,29 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
         */
        if (def->os.bootloader) {
            if (VIR_STRDUP(b_info->u.pv.bootloader, def->os.bootloader) < 0)
-                goto error;
+                return -1;
        } else if (def->os.kernel == NULL) {
            if (VIR_STRDUP(b_info->u.pv.bootloader, LIBXL_BOOTLOADER_PATH) < 0)
-                goto error;
+                return -1;
        }
        if (def->os.bootloaderArgs) {
            if (!(b_info->u.pv.bootloader_args =
                  virStringSplit(def->os.bootloaderArgs, " \t\n", 0)))
-                goto error;
+                return -1;
        }
        if (VIR_STRDUP(b_info->u.pv.cmdline, def->os.cmdline) < 0)
-            goto error;
+            return -1;
        if (def->os.kernel) {
            /* libxl_init_build_info() sets VIR_STRDUP(kernel.path, "hvmloader") */
            VIR_FREE(b_info->u.pv.kernel);
            if (VIR_STRDUP(b_info->u.pv.kernel, def->os.kernel) < 0)
-                goto error;
+                return -1;
        }
        if (VIR_STRDUP(b_info->u.pv.ramdisk, def->os.initrd) < 0)
-            goto error;
+            return -1;
    }

    return 0;
-
- error:
-    libxl_domain_build_info_dispose(b_info);
-    return -1;
 }

 static int