 
	
Re: [Xen-devel] [PATCH] tools/libxl: Fix free() of wild pointer in libxl__initiate_device_remove()
 Ian Jackson writes ("Re: [PATCH] tools/libxl: Fix free() of wild pointer in 
libxl__initiate_device_remove()"):
> Andrew Cooper writes ("[PATCH] tools/libxl: Fix free() of wild pointer in 
> libxl__initiate_device_remove()"):
> > libxl__initiate_device_remove() had a preexisting error path issue where
> > libxl_dominfo_dispose() could be called on a libxl_dominfo object before it
> > had been initialised with libxl_dominfo_init().
...
> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

This has been backported to 4.4.  It isn't applicable to 4.3 and
earlier.

FYI:

While investigating why it didn't apply, I discovered that the
changeset blamed by Andrew isn't actually the real culprit.

The real culprit IMO is f39b1af257e3 "libxl: remove the Qemu bodge for
driver domain devices" which was by Roger and acked by me.  That
change moves libxl_dominfo_init(&info) from the start of the function
to a branch of an if(), but doesn't move the corresponding variable.

I.e. it introduced a violation of our principle that variables should
all be initialised to a (noop)-freeable value; that violation was
a latent bug.

Ian.
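
The init-before-any-exit principle described in the message above, as an added example that is not part of the thread and is not libxl code. The names `info_t`, `info_init`, `info_dispose`, `info_fetch` and `device_remove` are hypothetical stand-ins, and `live_allocs` exists only so the error paths can be checked.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a type with init/dispose helpers (cf. libxl_dominfo). */
typedef struct { char *label; } info_t;
static int live_allocs;              /* instrumentation: outstanding allocations */

static void info_init(info_t *i) { i->label = NULL; }
static void info_dispose(info_t *i)
{
    if (i->label) live_allocs--;
    free(i->label);                  /* free(NULL) is a no-op */
    i->label = NULL;                 /* dispose is idempotent */
}

/* Constructed lookup that allocates into *i; fails for a negative domid. */
static int info_fetch(info_t *i, int domid)
{
    if (domid < 0) return -1;
    if (!(i->label = malloc(6))) return -1;
    memcpy(i->label, "guest", 6);
    live_allocs++;
    return 0;
}

/*
 * Hardened shape: info_init() runs before the first statement that can jump
 * to `out`. In the latent-bug shape the init call sits only inside the
 * need_info branch, so an earlier `goto out` hands info_dispose() an
 * uninitialised struct and free() receives a wild pointer.
 */
int device_remove(int early_fail, int need_info, int domid)
{
    info_t info;
    int rc = -1;

    info_init(&info);                /* noop-freeable from here on */
    if (early_fail) goto out;        /* error path taken before the branch */
    if (need_info && info_fetch(&info, domid)) goto out;
    rc = 0;
out:
    info_dispose(&info);             /* safe on every path */
    return rc;
}

int main(void)
{
    /* Early failure, fetch failure and success must all leave nothing allocated. */
    int rc = device_remove(1, 1, 5) + device_remove(0, 1, -1) + device_remove(0, 1, 5);
    return (rc == -2 && live_allocs == 0) ? 0 : 1;
}
```

Building the latent-bug shape with `-Wmaybe-uninitialized` or running it under a memory sanitizer is the kind of check that surfaces this class of error before an error path is ever exercised.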