[libvirt] [PATCH] lxc: avoid use-after-free

Daniel P. Berrange berrange at redhat.com
Fri Nov 4 13:32:36 UTC 2011


On Thu, Nov 03, 2011 at 05:33:38PM -0600, Eric Blake wrote:
> I got this weird failure:
> 
> error: Failed to start domain simple
> error: internal error cannot mix caller fds with blocking execution
> 
> and tracked it down to a use-after-free - virCommandSetOutputFD
> was storing the address of a stack-local variable, which then
> went out of scope before the virCommandRun that dereferenced it.
> 
> Bug introduced in commit 451cfd05 (0.9.2).
> 
> * src/lxc/lxc_driver.c (lxcBuildControllerCmd): Move log fd
> registration...
> (lxcVmStart): ...to caller.
> ---
> 
> I have no idea how danpb got so lucky in being able to test
> recent lxc additions, given the fact that booting an LXC domain
> has basically been broken for several months now, depending on
> whether the compiler happened to smash the stack variable in
> question.
> 
>  src/lxc/lxc_driver.c |    7 +++----
>  1 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index d6e5e20..37092bc 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -1449,7 +1449,6 @@ lxcBuildControllerCmd(lxc_driver_t *driver,
>                        char **veths,
>                        int *ttyFDs,
>                        size_t nttyFDs,
> -                      int logfile,
>                        int handshakefd)
>  {
>      size_t i;
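Review bot: removing the `logfile` parameter changes the signature of lxcBuildControllerCmd, so every caller must be updated in the same patch; the only call site visible here is lxcVmStart (adjusted in the last hunk), and a full tree build should confirm there are no others, since a stale caller would fail to compile rather than silently misbehave.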
> @@ -1524,8 +1523,6 @@ lxcBuildControllerCmd(lxc_driver_t *driver,
>      }
> 
>      virCommandPreserveFD(cmd, handshakefd);
> -    virCommandSetOutputFD(cmd, &logfile);
> -    virCommandSetErrorFD(cmd, &logfile);
> 
>      return cmd;
>  cleanup:
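Review bot: the two removed lines are the root cause, since `&logfile` pointed at a by-value parameter that dies when lxcBuildControllerCmd returns while the pointer is dereferenced later in virCommandRun; the removal is correct, but virCommandSetOutputFD/virCommandSetErrorFD storing a pointer rather than a copy of the fd is the kind of contract that invites this bug again, so it would be worth a comment at the declaration of those helpers (or at the remaining call sites) stating that the pointed-to int must outlive the virCommandRun call.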
> @@ -1747,8 +1744,10 @@ static int lxcVmStart(virConnectPtr conn,
>                                        vm,
>                                        nveths, veths,
>                                        ttyFDs, nttyFDs,
> -                                      logfd, handshakefds[1])))
> +                                      handshakefds[1])))
>          goto cleanup;
> +    virCommandSetOutputFD(cmd, &logfd);
> +    virCommandSetErrorFD(cmd, &logfd);
> 
>      /* Log timestamp */
>      if ((timestamp = virTimestamp()) == NULL) {
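Review bot: moving the registration to lxcVmStart only fixes the lifetime if `logfd` is a local of lxcVmStart that stays in scope (and is not closed) until virCommandRun returns later in the function; the declaration is outside the visible context, so that should be checked before merging, and a short comment such as `/* virCommandSetOutputFD stores &logfd; keep it alive until virCommandRun */` would document why the calls sit here rather than in the helper. Placing the calls after the `goto cleanup` on error is correct, since a NULL `cmd` is never passed to the setters.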

ACK


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
