[libvirt] [PATCH] util: fix heap-buffer-overflow in virFileWrapperFdFree

Jay Zhou jianjay.zhou at huawei.com
Tue Feb 19 07:40:31 UTC 2019

From: Jing Wu <wujing42 at huawei.com>

Some functions like doCoreDump call virFileWrapperFdNew to execute async
cmds, if a step after virFileWrapperFdNew failed, the func may skip
virFileWrapperFdClose and jump to cleanup label to call
virFileWrapperFdFree directly. If the child process of the cmd is running
and asyncioThread is polling, cmd->errbuf have been alloced at least one
byte but not yet operate (*cmd->errbuf)[errlen] = '\0', access of
wfd->err_msg in virFileWrapperFdFree at this time will cause risk of
So, we need to put VIR_WARN(wfd->err_msg) after VIR_FREE(wfd->err_msg).
Besides, since virCommandFree has included virCommandAbort, there is no
need to call virCommandAbort extraly.

Signed-off-by: Jing Wu <wujing42 at huawei.com>
Signed-off-by: Jay Zhou <jianjay.zhou at huawei.com>
 src/util/virfile.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/util/virfile.c b/src/util/virfile.c
index f6f9e4c..d488158 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -347,13 +347,12 @@ virFileWrapperFdFree(virFileWrapperFdPtr wfd)
     if (!wfd)
+    virCommandFree(wfd->cmd);
     if (wfd->err_msg && *wfd->err_msg)
         VIR_WARN("iohelper reports: %s", wfd->err_msg);
-    virCommandAbort(wfd->cmd);
-    virCommandFree(wfd->cmd);

More information about the libvir-list mailing list