[PATCH for 7.3] conf: Fix heap corruption when hot-adding a lease
pkrempa at redhat.com
Sun May 2 10:13:50 UTC 2021
Commit 28a86993162f7d2f ( v6.9.0-179-g28a8699316 ) incorrectly replaced
VIR_EXPAND_N by g_renew.
VIR_EXPAND_N has these two extra effects apart from reallocating memory:
1) The newly allocated memory is zeroed out
2) The number of elements in the array which is passed to VIR_EXPAND_N
This comes into play when used with virDomainLeaseInsertPreAlloced,
which expects that the array element count already includes the space
for the added 'lease', by plainly just assigning to 'leases[nleases - 1]'.
Since g_renew does not increase the number of elements in the array,
any existing code which calls virDomainLeaseInsertPreAlloced thus either
overwrites a lease definition or corrupts the heap if there are no
leases to start with.
To preserve existing functionality we revert the code back to using
VIR_EXPAND_N, which at this point doesn't return any value, so other
commits don't need to be reverted.
Signed-off-by: Peter Krempa <pkrempa at redhat.com>
src/conf/domain_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 9d98f487ea..84570c001c 100644
@@ -16837,7 +16837,7 @@ int virDomainLeaseIndex(virDomainDef *def,
void virDomainLeaseInsertPreAlloc(virDomainDef *def)
- def->leases = g_renew(virDomainLeaseDef *, def->leases, def->nleases + 1);
+ VIR_EXPAND_N(def->leases, def->nleases, 1);
void virDomainLeaseInsert(virDomainDef *def, virDomainLeaseDef *lease)
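Review bot: the invariant this hunk restores is only implicit, so a short comment above virDomainLeaseInsertPreAlloc would help: VIR_EXPAND_N(def->leases, def->nleases, 1) both increments def->nleases and leaves the new last slot zeroed, and virDomainLeaseInsertPreAlloced relies on exactly that when it assigns to leases[nleases - 1]. With the g_renew form, nleases was unchanged, so that assignment landed on the previous last lease, or on index -1 when the array was empty, which is the heap corruption described in the commit message. Without a comment, a later VIR_EXPAND_N to g_renew conversion can reintroduce the same bug; the point 2) sentence in the commit message also looks cut short ("The number of elements in the array which is passed to VIR_EXPAND_N") and should say what happens to it.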
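To make the difference between the two growth strategies concrete, here is an added stand-alone C example (not libvirt code). It models VIR_EXPAND_N as "grow, zero the tail, bump the count" and g_renew as "grow only", then runs a checked version of the leases[nleases - 1] insert that refuses to write when the count was not bumped; the lease_def/domain_def structs and the sample lease are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for libvirt's virDomainLeaseDef / virDomainDef (constructed for this example). */
typedef struct { const char *key; } lease_def;
typedef struct { lease_def **leases; size_t nleases; } domain_def;

/* Mimics VIR_EXPAND_N(arr, count, add): grow, zero the new tail, and bump the count. */
static int expand_n(lease_def ***arr, size_t *count, size_t add)
{
    lease_def **tmp = realloc(*arr, (*count + add) * sizeof(*tmp));
    if (!tmp)
        return -1;
    memset(tmp + *count, 0, add * sizeof(*tmp));
    *arr = tmp;
    *count += add;
    return 0;
}

/* Mimics g_renew(): grow only; the caller's count is untouched, the new slot is uninitialised. */
static int renew_only(lease_def ***arr, size_t count, size_t add)
{
    lease_def **tmp = realloc(*arr, (count + add) * sizeof(*tmp));
    if (!tmp)
        return -1;
    *arr = tmp;
    return 0;
}

/* Checked form of the "assign to leases[nleases - 1]" insert: the slot must exist and be the
 * zeroed one VIR_EXPAND_N guarantees; otherwise refuse rather than write leases[-1] on an
 * empty array or clobber the current last lease. */
static int insert_prealloced(domain_def *def, lease_def *lease)
{
    if (def->nleases == 0 || def->leases[def->nleases - 1] != NULL)
        return -1;
    def->leases[def->nleases - 1] = lease;
    return 0;
}

/* Grow an empty array with one strategy and try the insert. Returns the lease count after a
 * successful insert, -1 when the checked insert refused, -2 on allocation failure. */
static long try_insert(int use_expand_n)
{
    domain_def def = { NULL, 0 };
    lease_def sample = { "constructed-lease" };
    int rc = use_expand_n ? expand_n(&def.leases, &def.nleases, 1)
                          : renew_only(&def.leases, def.nleases, 1);
    if (rc < 0)
        return -2;
    rc = insert_prealloced(&def, &sample);
    long result = (rc == 0 && def.leases[0] == &sample) ? (long)def.nleases : -1;
    free(def.leases);
    return result;
}
```

With the VIR_EXPAND_N model the insert succeeds and the count is 1; with the g_renew model the count stays 0 and the checked insert refuses, which is the case that previously became a write to leases[-1].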