libvirt/eab7ae6b-fix-array-access.patch
James Fehlig 432dd3a40e Accepting request 878655 from home:jfehlig:branches:Virtualization
- virtlockd, virtlogd: Fix exec-restart
  6b8e9613-avoid-use-after-free.patch,
  eab7ae6b-fix-array-access.patch,
  c363f03e-virnetdaemon-intro-virNetDaemonQuitExecRestart.patch,
  ccc6dd8f-fix-exec-restart.patch
  bsc#1183411

OBS-URL: https://build.opensuse.org/request/show/878655
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=883
2021-03-12 22:29:08 +00:00

41 lines
1.5 KiB
Diff

commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1
Author: Peter Krempa <pkrempa@redhat.com>
Date: Fri Mar 12 10:16:11 2021 +0100
virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.
Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Index: libvirt-7.1.0/src/util/virlockspace.c
===================================================================
--- libvirt-7.1.0.orig/src/util/virlockspace.c
+++ libvirt-7.1.0/src/util/virlockspace.c
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR
const char *tmp;
virJSONValuePtr owners;
size_t j;
- size_t m;
res = g_new0(virLockSpaceResource, 1);
res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR
goto error;
}
- m = virJSONValueArraySize(owners);
+ res->nOwners = virJSONValueArraySize(owners);
res->owners = g_new0(pid_t, res->nOwners);
- res->nOwners = m;
for (j = 0; j < res->nOwners; j++) {
unsigned long long int owner;