libvirt/eab7ae6b-fix-array-access.patch

commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Fri Mar 12 10:16:11 2021 +0100

    virLockSpaceNewPostExecRestart: Fix out-of-bounds array access
    
    'res->owners' is allocated to 'res->nOwners' elements, but unfortunately
    'res->nOwners' doesn't contain the proper value until after the
    allocation so 0 elements are allocated. The following loop which assumes
    that the array has the right number of elements then accesses the
    pointer out of bounds. The bug was also faithfully converted from
    VIR_ALLOC_N to g_new0.
    
    Fixes: 4a3d6ed5ee0
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Index: libvirt-7.1.0/src/util/virlockspace.c
===================================================================
--- libvirt-7.1.0.orig/src/util/virlockspace.c
+++ libvirt-7.1.0/src/util/virlockspace.c
@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR
         const char *tmp;
         virJSONValuePtr owners;
         size_t j;
-        size_t m;
 
         res = g_new0(virLockSpaceResource, 1);
         res->fd = -1;
@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR
             goto error;
         }
 
-        m = virJSONValueArraySize(owners);
+        res->nOwners = virJSONValueArraySize(owners);
         res->owners = g_new0(pid_t, res->nOwners);
-        res->nOwners = m;
 
         for (j = 0; j < res->nOwners; j++) {
             unsigned long long int owner;
Accepting request 878655 from home:jfehlig:branches:Virtualization - virtlockd, virtlogd: Fix exec-restart 6b8e9613-avoid-use-after-free.patch, eab7ae6b-fix-array-access.patch, c363f03e-virnetdaemon-intro-virNetDaemonQuitExecRestart.patch, ccc6dd8f-fix-exec-restart.patch bsc#1183411 OBS-URL: https://build.opensuse.org/request/show/878655 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=883 2021-03-12 23:29:08 +01:00			`commit eab7ae6bfe13503ea705e70e32edaa60357cbaa1`
			`Author: Peter Krempa <pkrempa@redhat.com>`
			`Date: Fri Mar 12 10:16:11 2021 +0100`

			`virLockSpaceNewPostExecRestart: Fix out-of-bounds array access`

			`'res->owners' is allocated to 'res->nOwners' elements, but unfortunately`
			`'res->nOwners' doesn't contain the proper value until after the`
			`allocation so 0 elements are allocated. The following loop which assumes`
			`that the array has the right number of elements then accesses the`
			`pointer out of bounds. The bug was also faithfully converted from`
			`VIR_ALLOC_N to g_new0.`

			`Fixes: 4a3d6ed5ee0`
			`Signed-off-by: Peter Krempa <pkrempa@redhat.com>`
			`Reviewed-by: Michal Privoznik <mprivozn@redhat.com>`

			`Index: libvirt-7.1.0/src/util/virlockspace.c`
			`===================================================================`
			`--- libvirt-7.1.0.orig/src/util/virlockspace.c`
			`+++ libvirt-7.1.0/src/util/virlockspace.c`
			`@@ -324,7 +324,6 @@ virLockSpacePtr virLockSpaceNewPostExecR`
			`const char *tmp;`
			`virJSONValuePtr owners;`
			`size_t j;`
			`- size_t m;`

			`res = g_new0(virLockSpaceResource, 1);`
			`res->fd = -1;`
			`@@ -384,9 +383,8 @@ virLockSpacePtr virLockSpaceNewPostExecR`
			`goto error;`
			`}`

			`- m = virJSONValueArraySize(owners);`
			`+ res->nOwners = virJSONValueArraySize(owners);`
			`res->owners = g_new0(pid_t, res->nOwners);`
			`- res->nOwners = m;`

			`for (j = 0; j < res->nOwners; j++) {`
			`unsigned long long int owner;`