Re: [libvirt] virStream double unref in virChrdevOpen()

2013-05-24 Thread Eric Blake
On 05/18/2013 02:22 AM, Sergey Fionov wrote:
> Hello,
> 
> There is double unref virChrdevOpen() (src/conf/virchrdev.c) when error
> occurred.
> 
> if (virStreamRef(st) < 0) {
>     virMutexUnlock(&devs->lock);
>     return -1;
> }

Thanks again for the report.  I didn't see a reply to this email; so for
closure, I'll point out that it was fixed:

commit a32b41746c4e1a44fb998a93da99c72f6586b359
Author: Ján Tomko jto...@redhat.com
Date:   Wed May 22 12:56:23 2013 +0200

conf: fix use after free in virChrdevOpen

Don't free the stream on error if we've successfully added it
to the hash table, since it will be freed by virChrdevHashEntryFree
callback.

Preserve the error message before calling virStreamFree, since it
resets the error.

Introduced by 4716138, crashing since 6921892.

Reported by Sergey Fionov on libvir-list.


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] virStream double unref in virChrdevOpen()

2013-05-18 Thread Sergey Fionov
Hello,

There is double unref virChrdevOpen() (src/conf/virchrdev.c) when error occurred.

if (virStreamRef(st) < 0) {
    virMutexUnlock(&devs->lock);
    return -1;
}
...
if (virHashAddEntry(devs->hash, path, st) < 0)
    goto error;

...
if (virFDStreamOpenFile(st, path, 0, 0, O_RDWR) < 0) /* error occurred here */
    goto error;
...

error:
virStreamFree(st);
virHashRemoveEntry(devs->hash, path);

stream is virStreamRef'ed 1 time but if it is successfully placed into
hash then it will be unreferenced 2 times - in virStreamFree() and
virHashRemoveEntry()'s dataFree callback.

That leads to dispose stream object and segmentation fault due to use
after free.

Steps to reproduce:
# hide the /dev/pts to throw an error in virFDStreamOpenFile()
$ mount -t tmpfs empty-devpts /dev/pts
$ virsh console a111
Connected to domain a111
Escape character is ^]
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
(libvirtd segfaults)
$ umount empty-devpts

wbr,
Sergey.
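An added illustration of the ownership mistake described in this report and of the rule applied by the fix commit quoted in Eric's reply (one reference per virStreamRef(); once the hash entry holds it, only the entry's dataFree may drop it). This is not libvirt code: Stream, Table, table_add, table_remove, chrdev_open_buggy and chrdev_open_fixed are invented stand-ins for virStream, virHashAddEntry/virHashRemoveEntry and virChrdevOpen, and the stand-in never free()s at refcount zero so the second unref is counted instead of being undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Invented refcounted object standing in for virStream. */
typedef struct {
    int refs;        /* live references; the object counts as disposed at 0 */
    int bad_unrefs;  /* unrefs that arrived after disposal: the double unref */
} Stream;

static Stream *stream_new(void)            /* caller owns one reference */
{
    Stream *st = calloc(1, sizeof(*st));
    if (st) st->refs = 1;
    return st;
}

static void stream_ref(Stream *st) { st->refs++; }

/* Stand-in for virStreamFree(): records, rather than crashes on, a drop
 * past zero so the outcome is observable. */
static void stream_unref(Stream *st)
{
    if (st->refs == 0) { st->bad_unrefs++; return; }
    st->refs--;
}

/* One-slot table with virHash's ownership rule: the entry holds a
 * reference and removing the entry runs dataFree on the payload. */
typedef struct {
    const char *key;
    Stream *value;
    void (*dataFree)(Stream *);
} Table;

static void table_init(Table *t, void (*dataFree)(Stream *))
{
    t->key = NULL; t->value = NULL; t->dataFree = dataFree;
}

static int table_add(Table *t, const char *key, Stream *st)
{
    if (t->value) return -1;                /* slot already taken */
    t->key = key; t->value = st;
    return 0;
}

static void table_remove(Table *t, const char *key)
{
    if (t->value && strcmp(t->key, key) == 0) {
        t->dataFree(t->value);              /* the entry's reference goes here */
        t->key = NULL; t->value = NULL;
    }
}

/* Error path as reported: unconditional virStreamFree() plus the entry's
 * dataFree give up two references for a single virStreamRef(). */
static int chrdev_open_buggy(Table *t, Stream *st, const char *path, int open_fails)
{
    stream_ref(st);                         /* one reference taken */
    if (table_add(t, path, st) < 0)
        goto error;
    if (open_fails)                         /* virFDStreamOpenFile() failing */
        goto error;
    return 0;
 error:
    stream_unref(st);                       /* first drop */
    table_remove(t, path);                  /* dataFree: second drop */
    return -1;
}

/* Error path with the fix's rule: after a successful add the table owns the
 * reference, so only the entry is removed; before that, drop it directly. */
static int chrdev_open_fixed(Table *t, Stream *st, const char *path, int open_fails)
{
    int added = 0;
    stream_ref(st);
    if (table_add(t, path, st) < 0)
        goto error;
    added = 1;
    if (open_fails)
        goto error;
    return 0;
 error:
    if (added)
        table_remove(t, path);              /* the only drop: dataFree */
    else
        stream_unref(st);
    return -1;
}

/* Failed open against a stream the caller still holds; returns the refcount
 * the caller is left with (1 is right, 0 means its reference was stolen). */
static int refs_after_failed_open(int use_fixed)
{
    Table t;
    Stream *st = stream_new();
    int refs;
    table_init(&t, stream_unref);
    (use_fixed ? chrdev_open_fixed : chrdev_open_buggy)(&t, st, "/dev/pts/0", 1);
    refs = st->refs;
    free(st);
    return refs;
}

/* Same scenario, then the caller releases its own reference; returns how
 * many unrefs landed on an already-disposed stream (the segfault's cause). */
static int caller_cleanup_double_unrefs(int use_fixed)
{
    Table t;
    Stream *st = stream_new();
    int bad;
    table_init(&t, stream_unref);
    (use_fixed ? chrdev_open_fixed : chrdev_open_buggy)(&t, st, "/dev/pts/0", 1);
    stream_unref(st);                       /* caller's own release */
    bad = st->bad_unrefs;
    free(st);
    return bad;
}
```

The point the counters make: with the buggy path the caller's own reference has already been consumed by the time the open fails, so its next use or release touches a disposed object; with the fixed path the caller keeps exactly the reference it started with.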
