lvm2/bug-1188141_toolcontext-fix-double-free-core-dumped-issue.patch

From db22a389cfb12eef77dfc2e1ce124ac83ed6c5a2 Mon Sep 17 00:00:00 2001
From: Heming Zhao <heming.zhao@suse.com>
Date: Tue, 13 Jul 2021 03:01:00 +0800
Subject: [PATCH] toolcontext: fix double free (core dumped) issue

How to trigger:

```
~ # export LVM_SYSTEM_DIR=_
~ # pvscan
  No matching physical volumes found
double free or corruption (!prev)
Aborted (core dumped)
```

when LVM_SYSTEM_DIR is empty, _load_config_file() won't be called.

when LVM_SYSTEM_DIR is not empty, cfl->cft links into cmd->config_files
by _load_config_file()@lib/commands/toolcontext.c

core dumped code: _destroy_config()@lib/commands/toolcontext.c

```
    /* CONFIG_FILE/CONFIG_MERGED_FILES */
    if ((cft = remove_config_tree_by_source(cmd, CONFIG_MERGED_FILES)))
        config_destroy(cft);
    else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE)))
        config_destroy(cft); <=== first free the cft

    dm_list_iterate_items(cfl, &cmd->config_files)
        config_destroy(cfl->cft); <=== double free the cft
```

Fixes: c43f2f8ae08ed0555a300764c8644ea56f4f41e2

Signed-off-by: Heming Zhao <heming.zhao@suse.com>
---
 lib/commands/toolcontext.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/commands/toolcontext.c b/lib/commands/toolcontext.c
index b295a20efe52..742bdd9c2311 100644
--- a/lib/commands/toolcontext.c
+++ b/lib/commands/toolcontext.c
@@ -966,8 +966,13 @@ static void _destroy_config(struct cmd_context *cmd)
 	/* CONFIG_FILE/CONFIG_MERGED_FILES */
 	if ((cft = remove_config_tree_by_source(cmd, CONFIG_MERGED_FILES)))
 		config_destroy(cft);
-	else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE)))
+	else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE))) {
+		dm_list_iterate_items(cfl, &cmd->config_files) {
+			if (cfl->cft == cft)
+				dm_list_del(&cfl->list);
+		}
 		config_destroy(cft);
+	}
 
 	dm_list_iterate_items(cfl, &cmd->config_files)
 		config_destroy(cfl->cft);
-- 
1.8.3.1
Accepting request 906108 from home:hmzhao:branches:openSUSE:Factory - lvm2: double free or corruption with invalid LVM_SYSTEM_DIR breaks guestfs-tools (bsc#1188141) + bug-1188141_toolcontext-fix-double-free-core-dumped-issue.patch - replace exist patch with bug fixed patches - (remove) fate-31841_fsadm-add-support-for-btrfs.patch + (add) fate-31841-01_fsadm-add-support-to-resize-check-btrfs-filesystem.patch + (add) fate-31841-02_man-add-support-for-btrfs.patch + (add) fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch OBS-URL: https://build.opensuse.org/request/show/906108 OBS-URL: https://build.opensuse.org/package/show/Base:System/lvm2?expand=0&rev=302 2021-07-14 05:55:59 +00:00			`From db22a389cfb12eef77dfc2e1ce124ac83ed6c5a2 Mon Sep 17 00:00:00 2001`
			`From: Heming Zhao <heming.zhao@suse.com>`
			`Date: Tue, 13 Jul 2021 03:01:00 +0800`
			`Subject: [PATCH] toolcontext: fix double free (core dumped) issue`

			`How to trigger:`

			```
			`~ # export LVM_SYSTEM_DIR=_`
			`~ # pvscan`
			`No matching physical volumes found`
			`double free or corruption (!prev)`
			`Aborted (core dumped)`
			```

			`when LVM_SYSTEM_DIR is empty, _load_config_file() won't be called.`

			`when LVM_SYSTEM_DIR is not empty, cfl->cft links into cmd->config_files`
			`by _load_config_file()@lib/commands/toolcontext.c`

			`core dumped code: _destroy_config()@lib/commands/toolcontext.c`

			```
			`/* CONFIG_FILE/CONFIG_MERGED_FILES */`
			`if ((cft = remove_config_tree_by_source(cmd, CONFIG_MERGED_FILES)))`
			`config_destroy(cft);`
			`else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE)))`
			`config_destroy(cft); <=== first free the cft`

			`dm_list_iterate_items(cfl, &cmd->config_files)`
			`config_destroy(cfl->cft); <=== double free the cft`
			```

			`Fixes: c43f2f8ae08ed0555a300764c8644ea56f4f41e2`

			`Signed-off-by: Heming Zhao <heming.zhao@suse.com>`
			`---`
			`lib/commands/toolcontext.c \| 7 ++++++-`
			`1 file changed, 6 insertions(+), 1 deletion(-)`

			`diff --git a/lib/commands/toolcontext.c b/lib/commands/toolcontext.c`
			`index b295a20efe52..742bdd9c2311 100644`
			`--- a/lib/commands/toolcontext.c`
			`+++ b/lib/commands/toolcontext.c`
			`@@ -966,8 +966,13 @@ static void _destroy_config(struct cmd_context *cmd)`
			`/* CONFIG_FILE/CONFIG_MERGED_FILES */`
			`if ((cft = remove_config_tree_by_source(cmd, CONFIG_MERGED_FILES)))`
			`config_destroy(cft);`
			`- else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE)))`
			`+ else if ((cft = remove_config_tree_by_source(cmd, CONFIG_FILE))) {`
			`+ dm_list_iterate_items(cfl, &cmd->config_files) {`
			`+ if (cfl->cft == cft)`
			`+ dm_list_del(&cfl->list);`
			`+ }`
			`config_destroy(cft);`
			`+ }`

			`dm_list_iterate_items(cfl, &cmd->config_files)`
			`config_destroy(cfl->cft);`
			`--`
			`1.8.3.1`