libvirt/eab7ae6b-fix-array-access.patch


commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1
Author: Peter Krempa <pkrempa@redhat.com>
Date: Fri Mar 12 10:16:11 2021 +0100

virLockSpaceNewPostExecRestart: Fix out-of-bounds array access

'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.

Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Index: libvirt-7.1.0/src/util/virlockspace.c
===================================================================
--- libvirt-7.1.0.orig/src/util/virlockspace.c
+++ libvirt-7.1.0/src/util/virlockspace.c
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR
const char *tmp;
virJSONValuePtr owners;
size_t j;
- size_t m;
res = g_new0(virLockSpaceResource, 1);
res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR
goto error;
}
- m = virJSONValueArraySize(owners);
+ res->nOwners = virJSONValueArraySize(owners);
res->owners = g_new0(pid_t, res->nOwners);
- res->nOwners = m;
for (j = 0; j < res->nOwners; j++) {
unsigned long long int owner;
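
Review bot: No regression test accompanies the reordering at `res->nOwners = virJSONValueArraySize(owners);`, and the commit message notes the bug already survived one mechanical conversion (VIR_ALLOC_N to g_new0) unnoticed. A test that restores a lockspace whose resource carries a non-empty owners array through virLockSpaceNewPostExecRestart, run under ASan or valgrind, would flag the zero-element allocation followed by writes in the `for (j = 0; j < res->nOwners; j++)` loop. Since the allocation size and the loop bound now both depend on `res->nOwners` being assigned first, a one-line comment above the assignment stating that the count must be set before `g_new0(pid_t, res->nOwners)` would help keep the order intact in later refactoring.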