On 2025-12-17 12:26, Anthony PERARD wrote:
From: Anthony PERARD <[email protected]>
If we start a guest with 'cpus="all"' and without 'vcpus' or
'maxvcpus' (or set them to 0), we execute parse_vcpu_affinity() with
`num_cpus=0`. This mallocs "b_info->vcpu_hard_affinity" with a buffer
of size 0, which is implementation defined, and we still initialise
the "first" bitmap of this allocation, which means we have a buffer
overflow.
On Alpine Linux, this results in a segv when the buffer is being
disposed of.
Since libxl will assume there's at least 1 vcpu, we default to 1 in
xl as well. (libxl sets max_vcpus to 1 if unset, and allocates
avail_vcpus if its size is 0.)
Link: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17809
Fixes: a5dbdcf6743a ("libxl/xl: push VCPU affinity pinning down to libxl")
Signed-off-by: Anthony PERARD <[email protected]>
Reviewed-by: Jason Andryuk <[email protected]>
Thanks,
Jason
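The failure mode the quoted commit message describes, written out as an added example (not xl or libxl code): a zero vcpu count reaches the affinity allocation, so a size-0 malloc is followed by a write to its first bitmap. The bitmap type, the function names and the "treat 0 as unset, default to 1" helper are assumptions modelled on the description, not the real xl/libxl definitions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for a libxl bitmap: one 64-bit word per vcpu (assumption). */
typedef struct { uint64_t bits; } vcpu_bitmap;

/* Mirrors the fix: xl sees 0 when 'vcpus'/'maxvcpus' are absent or 0,
 * and libxl will assume at least one vcpu, so xl defaults to 1 too. */
static int effective_num_cpus(int configured_num_cpus)
{
    return configured_num_cpus > 0 ? configured_num_cpus : 1;
}

/* Before the fix the code did, in effect:
 *     maps = malloc(num_cpus * sizeof *maps);   // num_cpus == 0
 *     maps[0] = ...;                            // write past a 0-byte buffer
 * malloc(0) may return NULL or a unique pointer that nothing may be stored
 * through; the later free() of the corrupted heap is where Alpine crashed.
 *
 * Hardened version: never allocate zero maps, and only touch maps[0]
 * once the allocation is known to hold at least one element. */
static vcpu_bitmap *alloc_hard_affinity(int num_cpus, uint64_t first_mask)
{
    if (num_cpus <= 0)
        return NULL;                      /* refuse the overflow case outright */
    vcpu_bitmap *maps = calloc((size_t)num_cpus, sizeof *maps);
    if (!maps)
        return NULL;
    maps[0].bits = first_mask;            /* e.g. 'cpus="all"' for vcpu 0 */
    return maps;
}

/* Fixed flow of parse_vcpu_affinity(): derive the effective count first,
 * then allocate. Returns the number of bitmaps allocated, 0 on failure. */
static int parse_vcpu_affinity_fixed(int configured_num_cpus,
                                     uint64_t first_mask, vcpu_bitmap **out)
{
    int n = effective_num_cpus(configured_num_cpus);
    *out = alloc_hard_affinity(n, first_mask);
    return *out ? n : 0;
}
```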