[PATCH v2 4/8] util: Add safety net of checks to ensure valid object

John Ferlan <jferlan@xxxxxxxxxx> · Fri, 2 Jun 2017 06:17:18 -0400

The virObject logic "assumes" that whatever is passed to its API's
would be some sort of virObjectPtr; however, if it is not then some
really bad things can happen.

So far there's been only virObject{Ref|Unref}, virObject{Lock|Unlock},
and virObjectIsClass and the virObject and virObjectLockable class
consumers have been well behaved and code well tested. Soon there will
be more consumers and one such consumer tripped over this during testing
by passing a virHashTablePtr to virObjectIsClass which ends up calling
virClassIsDerivedFrom using "obj->klass", which wasn't really a klass
object causing one of those bad things to happen.

To avoid the future possibility that a non virObject class memory was
passed to some virObject* API, this patch adds two new checks - one
to validate that the object has the 0xCAFExxxx value in obj->->u.s.magic
and the other to ensure obj->u.s.magic doesn't "wrap" some day to
0xCAFF0000 if we ever get that many objects.

It is still left up to the caller to handle the failed API calls just
as it would be if it passed a NULL opaque pointer anyobj.

Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
---
 src/util/virobject.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/util/virobject.c b/src/util/virobject.c
index 9f5f187..e0465b1 100644
--- a/src/util/virobject.c
+++ b/src/util/virobject.c
@@ -22,6 +22,7 @@
 #include <config.h>
 
 #define VIR_PARENT_REQUIRED /* empty, to allow virObject to have no parent */
+#include <assert.h>
 #include "virobject.h"
 #include "virthread.h"
 #include "viralloc.h"
@@ -47,10 +48,12 @@ struct _virClass {
     virObjectDisposeCallback dispose;
 };
 
+#define VIR_OBJECT_NOTVALID(obj) (!obj || ((obj->u.s.magic & 0xCAFE0000) != 0xCAFE0000))
+
 #define VIR_OBJECT_USAGE_PRINT_WARNING(anyobj, objclass)                    \
     do {                                                                    \
         virObjectPtr obj = anyobj;                                          \
-        if (!obj)                                                           \
+        if (VIR_OBJECT_NOTVALID(obj))                                       \
             VIR_WARN("Object %p is not a virObject class instance", anyobj);\
         else                                                                \
             VIR_WARN("Object %p (%s) is not a %s instance",                 \
@@ -156,6 +159,7 @@ virClassNew(virClassPtr parent,
     if (VIR_STRDUP(klass->name, name) < 0)
         goto error;
     klass->magic = virAtomicIntInc(&magicCounter);
+    assert(klass->magic <= 0xCAFEFFFF);
     klass->objectSize = objectSize;
     klass->dispose = dispose;
 
@@ -272,7 +276,7 @@ virObjectUnref(void *anyobj)
 {
     virObjectPtr obj = anyobj;
 
-    if (!obj)
+    if (VIR_OBJECT_NOTVALID(obj))
         return false;
 
     bool lastRef = virAtomicIntDecAndTest(&obj->u.s.refs);
@@ -311,7 +315,7 @@ virObjectRef(void *anyobj)
 {
     virObjectPtr obj = anyobj;
 
-    if (!obj)
+    if (VIR_OBJECT_NOTVALID(obj))
         return NULL;
     virAtomicIntInc(&obj->u.s.refs);
     PROBE(OBJECT_REF, "obj=%p", obj);
@@ -389,7 +393,7 @@ virObjectIsClass(void *anyobj,
                  virClassPtr klass)
 {
     virObjectPtr obj = anyobj;
-    if (!obj)
+    if (VIR_OBJECT_NOTVALID(obj))
         return false;
 
     return virClassIsDerivedFrom(obj->klass, klass);
-- 
2.9.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list






