[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()

To: "Gianni Tedesco (3P)" <gianni.tedesco@xxxxxxxxxx>
From: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
Date: Mon, 16 Aug 2010 10:53:59 +0100
Cc: Xen Devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxxxxx>
Delivery-date: Mon, 16 Aug 2010 02:54:56 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On Fri, 2010-08-13 at 17:16 +0100, Gianni Tedesco (3P) wrote:
> +    /* FIXME: leaks disk paths */
>      free(disks);
> [...]

>          disk->domid = domid;
>      }
> +    /* FIXME: leaks disk paths */
>      free(disks);
>      return 0;
>  }

I've added this to my destructor autogeneration series:

diff -r ef610efe28c8 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c       Mon Aug 16 10:50:53 2010 +0100
+++ b/tools/libxl/libxl.c       Mon Aug 16 10:52:26 2010 +0100
@@ -1337,8 +1337,8 @@ static char ** libxl_build_device_model_
             flexarray_set(dm_args, num++, libxl_sprintf(gc, "-%s", 
disks[i].virtpath));
             flexarray_set(dm_args, num++, disks[i].physpath);
         }
+        libxl_device_disk_destroy(&disks[i]);
     }
-    /* FIXME: leaks disk paths */
     free(disks);
     flexarray_set(dm_args, num++, NULL);
     return (char **) flexarray_contents(dm_args);
@@ -2552,6 +2552,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     int num, i;
     uint32_t stubdomid;
     libxl_device_disk *disks;
+    int ret = ERROR_FAIL;
 
     if (!disk->physpath) {
         disk->physpath = "";
@@ -2565,9 +2566,11 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     }
     if (i == num) {
         XL_LOG(ctx, XL_LOG_ERROR, "Virtual device not found");
-        free(disks);
-        return ERROR_FAIL;
+        goto out;
     }
+
+    ret = 0;
+
     libxl_device_disk_del(ctx, disks + i, 1);
     libxl_device_disk_add(ctx, domid, disk);
     stubdomid = libxl_get_stubdom_id(ctx, domid);
@@ -2578,9 +2581,11 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
         libxl_device_disk_add(ctx, stubdomid, disk);
         disk->domid = domid;
     }
-    /* FIXME: leaks disk paths */
+out:
+    for (i = 0; i < num; i++)
+        libxl_device_disk_destroy(&disks[i]);
     free(disks);
-    return 0;
+    return ret;
 }
 
 
/******************************************************************************/




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- [Xen-devel] [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()
  - From: Gianni Tedesco

Prev by Date: Re: [Xen-devel] Xen Hypervisor start fail when system memory more than 64GB
Next by Date: Re: [Xen-devel] Xen Hypervisor start fail when system memory more than 64GB, and free xen memory over 32 GB
Previous by thread: [Xen-devel] [PATCH, v2] fix invalid free segfault and use-after-free in libxl_device_disk_list()
Next by thread: [Xen-devel] [PATCH]: zap libxl_free() since there are no more callers
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.