[PATCH for 7.3] conf: Fix heap corruption when hot-adding a lease

Jiri Denemark jdenemar at redhat.com
Mon May 3 06:37:20 UTC 2021

On Sun, May 02, 2021 at 12:13:50 +0200, Peter Krempa wrote:
> Commit 28a86993162f7d2f ( v6.9.0-179-g28a8699316 ) incorrectly replaced
> VIR_EXPAND_N by g_renew.
> VIR_EXPAND_N has these two extra effects apart from reallocating memory:
> 1) The newly allocated memory is zeroed out
> 2) The number of elements in the array which is passed to VIR_EXPAND_N
>    is increased.
> This comes into play when used with virDomainLeaseInsertPreAlloced,
> which expects that the array element count already includes the space
> for the added 'lease', by plainly just assigning to 'leases[nleases - 1'


> Since g_renew does not increase the number of elements in the array
> any existing code which calls virDomainLeaseInsertPreAlloced thus either
> overwrites a lease definition or corrupts the heap if there are no
> leases to start with.
> To preserve existing functionality we revert the code back to using
> VIR_EXPAND_N which at this point doesn't return any value, so other
> commits don't need to be reverted.

The second point could have been solved by passing ++def->nleases to
g_renew. But using VIR_EXPAND_N instead solves both issues and we have a
lot places with VIR_EXPAND_N so we can fix them all at some point if we
want to drop this wrapper for some reason.

Reviewed-by: Jiri Denemark <jdenemar at redhat.com>

More information about the libvir-list mailing list