diff --git a/2dc1cf19-libxl-double-free.patch b/2dc1cf19-libxl-double-free.patch
new file mode 100644
index 0000000..eaca4ed
--- /dev/null
+++ b/2dc1cf19-libxl-double-free.patch
@@ -0,0 +1,27 @@
+commit 2dc1cf19dbaf648662fbf3c810db65ddcf5d0444
+Author: Jim Fehlig
+Date: Wed Feb 15 10:45:27 2017 -0700
+
+ libxl: fix potential double free in libxlDriverGetDom0MaxmemConf
+
+ Commit 4ab0c959 fixed a memory leak in libxlDriverGetDom0MaxmemConf
+ but introduced a potential double free of mem_tokens
+
+ *** Error in `/usr/sbin/libvirtd': double free or corruption (out):
+ 0x00007fffc808cfd0 ***
+
+ Avoid double free by setting mem_tokens to NULL after calling
+ virStringListFree.
+
+Index: libvirt-3.0.0/src/libxl/libxl_conf.c
+===================================================================
+--- libvirt-3.0.0.orig/src/libxl/libxl_conf.c
++++ libvirt-3.0.0/src/libxl/libxl_conf.c
+@@ -1623,6 +1623,7 @@ libxlDriverGetDom0MaxmemConf(libxlDriver
+ }
+ }
+ virStringListFree(mem_tokens);
++ mem_tokens = NULL;
+ }
+
+ physmem:
diff --git a/4ab0c959-libxl-mem-leak.patch b/4ab0c959-libxl-mem-leak.patch
new file mode 100644
index 0000000..cc12b64
--- /dev/null
+++ b/4ab0c959-libxl-mem-leak.patch
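Review bot: The added `mem_tokens = NULL;` in 2dc1cf19-libxl-double-free.patch carries no comment saying why the reset is needed, so the line reads as redundant and is easy to drop in a later tidy-up. The second free described in the commit message is not visible in this hunk; it is presumably on the `cleanup` path reached after `physmem:`, so I would add `/* reset: mem_tokens is freed again on the cleanup path */` above the assignment. libxlDriverGetDom0MaxmemConf starts and ends outside the hunk, so the other exits from the loop cannot be checked from here.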
@@ -0,0 +1,25 @@
+commit 4ab0c959e936de7fa2752160ff532913740d4da9
+Author: John Ferlan
+Date: Fri Feb 10 06:54:56 2017 -0500
+
+ libxl: Resolve possible resource leak in dom0 maximum memory setting
+
+ If either the "if (STRPREFIX(mem_tokens[j], "max:"))" is never entered
+ or the "if (virStrToLong_ull(mem_tokens[j] + 4, &p, 10, maxmem) < 0)" break
+ is hit, control goes back to the outer loop processing 'cmd_tokens' and
+ it's possible that the 'mem_tokens' would be overwritten.
+
+ Found by Coverity
+
+Index: libvirt-3.0.0/src/libxl/libxl_conf.c
+===================================================================
+--- libvirt-3.0.0.orig/src/libxl/libxl_conf.c
++++ libvirt-3.0.0/src/libxl/libxl_conf.c
+@@ -1622,6 +1622,7 @@ libxlDriverGetDom0MaxmemConf(libxlDriver
+ goto cleanup;
+ }
+ }
++ virStringListFree(mem_tokens);
+ }
+
+ physmem:
diff --git a/libvirt.changes b/libvirt.changes
index ad463df..02745d2 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb 16 23:57:37 UTC 2017 - jfehlig@suse.com
+
+- libxl: more fixes for dom0 maxmem setting
+ 4ab0c959-libxl-mem-leak.patch, 2dc1cf19-libxl-double-free.patch
+ bsc#1017762
+
 -------------------------------------------------------------------
 Fri Feb 10 20:29:46 UTC 2017 - jfehlig@suse.com
 
diff --git a/libvirt.spec b/libvirt.spec
index f232ef6..2f0d841 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -325,6 +325,8 @@ Patch8: ff225538-libxl-autoballoon-setting.patch
 Patch9: c89a6e78-libxl-physinfo-cleanup.patch
 Patch10: d2b77608-libxl-maxmem-fix.patch
 Patch11: 79692c38-libxl-dom0-maxmem.patch
+Patch12: 4ab0c959-libxl-mem-leak.patch
+Patch13: 2dc1cf19-libxl-double-free.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: apparmor-errormsg-fix.patch
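Review bot: Nothing at `Patch12`/`Patch13` in libvirt.spec records that the two patches depend on each other. Per the description in 2dc1cf19-libxl-double-free.patch, 4ab0c959 on its own introduces a potential double free of mem_tokens in libvirtd, and 2dc1cf19 is what resets the pointer. A later rebase that drops or reorders only one of them would either ship the double free or fail to apply, because the second patch's context includes the line the first one adds. I would put a comment above the pair, for example `# Patch13 fixes a double free introduced by Patch12; keep or drop them together`; the same applies to the `%patch12`/`%patch13` lines in the later hunk.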
@@ -737,9 +739,9 @@ capabilities of recent versions of Linux (and other OSes).
 
 %package libs
 Summary: Client side libraries
-Group: Development/Libraries/C and C++
 # So remote clients can access libvirt over SSH tunnel
 # (client invokes 'nc' against the UNIX socket on the server)
+Group: Development/Libraries/C and C++
 Requires: netcat-openbsd
 # Not technically required, but makes 'out-of-box' config
 # work correctly & doesn't have onerous dependencies
@@ -817,6 +819,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
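Review bot: In the `%package libs` hunk, `Group:` moves from directly under `Summary:` to between the two-line comment about SSH tunnel access and `Requires: netcat-openbsd`, which separates that comment from the dependency it explains. The move is unrelated to the libxl fixes named in the changelog entry and looks like a side effect of a tool or merge, though that is an inference from the visible lines. I would restore the old order so that `# (client invokes 'nc' against the UNIX socket on the server)` is followed directly by `Requires: netcat-openbsd`.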