432dd3a40e
- virtlockd, virtlogd: Fix exec-restart 6b8e9613-avoid-use-after-free.patch, eab7ae6b-fix-array-access.patch, c363f03e-virnetdaemon-intro-virNetDaemonQuitExecRestart.patch, ccc6dd8f-fix-exec-restart.patch bsc#1183411 OBS-URL: https://build.opensuse.org/request/show/878655 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=883
commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1
Author: Peter Krempa <pkrempa@redhat.com>
Date: Fri Mar 12 10:16:11 2021 +0100
virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
'res->nOwners' doesn't contain the proper value until after the
allocation so 0 elements are allocated. The following loop which assumes
that the array has the right number of elements then accesses the
pointer out of bounds. The bug was also faithfully converted from
VIR_ALLOC_N to g_new0.
Fixes: 4a3d6ed5ee0
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Index: libvirt-7.1.0/src/util/virlockspace.c
===================================================================
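--- a/src/util/virlockspace.c
+++ b/src/util/virlockspace.c
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR
 const char *tmp;
 virJSONValuePtr owners;
 size_t j;
- size_t m;
 
 res = g_new0(virLockSpaceResource, 1);
 res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR
 goto error;
 }
 
- m = virJSONValueArraySize(owners);
+ res->nOwners = virJSONValueArraySize(owners);
 res->owners = g_new0(pid_t, res->nOwners);
- res->nOwners = m;
 
 for (j = 0; j < res->nOwners; j++) {
 unsigned long long int owner;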
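Review bot: The allocation `res->owners = g_new0(pid_t, res->nOwners);` in the second hunk is still correct only because of statement order, which is exactly what broke before. A one-line comment above the assignment, such as `/* nOwners must be set first: it sizes res->owners and bounds the loop below */`, would keep a later refactor from reintroducing the zero-length allocation. The element count is taken from the JSON state handed across exec-restart, so the loop writes as many entries as that document declares. The `goto error` context above suggests `owners` is validated before `virJSONValueArraySize()` is called, but that check and the rest of the loop body lie outside the hunk and should be confirmed. No regression test is visible in this patch; restoring a lockspace with at least one owner under a memory checker would catch this class of out-of-bounds write.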