On 05/29/2012 09:51 PM, Wen Congyang wrote:
> At 05/30/2012 09:20 AM, Eric Blake Wrote:
>> KAMEZAWA Hiroyuki reported a nasty double-free bug when virCommand
>> is used to convert a string into input to a child command. The
>> problem is that the poll() loop of virCommandProcessIO would close()
>> the write end of the pipe in order to let the child see EOF, then
>> the caller virCommandRun() would also close the same fd number, with
>> the second close possibly nuking an fd opened by some other thread
>> in the meantime. This in turn can have all sorts of bad effects.
>>
>> This is based on his first attempt at a patch, at
>> https://bugzilla.redhat.com/show_bug.cgi?id=823716
>
> close fd more twice is the cause of this bug. But there are some
> other codes that have the same problem. I am searching all such
> codes recent days.

Thanks for helping on that front.

>> + if (inoff == inlen && VIR_CLOSE(*inpipe) < 0)
>> + VIR_DEBUG("ignoring failed close on fd %d", infd);
>> + infd = -1;
>
> if inoff != inlen, we should not set infd to -1.

Oh, good catch. I'll post a v2.

--
Eric Blake eblake@xxxxxxxxxx +1-919-301-3266
Libvirt virtualization library http://libvirt.org
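Review bot: In the quoted hunk, `infd = -1;` sits after an unbraced `if`, so it runs on every pass, including when `inoff != inlen` and input is still pending; the loop would then stop tracking the write end before the data is fully written and before the fd is closed. Put the reset under the length check, for example `if (inoff == inlen) {` with the `VIR_CLOSE(*inpipe) < 0` test and `infd = -1;` both inside the braces, so the descriptor is dropped only once it has actually been closed. The debug message also prints `infd` while the close acts on `*inpipe`; it is worth confirming in review that the two always name the same descriptor at this point.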
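The fd-number reuse described in the quoted commit message, as an added C example (not libvirt code and not part of the patch). `close_and_reset` is a hypothetical helper written for this illustration, and `dup()` stands in for another thread opening a descriptor between the two closes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: close via the owning variable, then invalidate it. */
static void close_and_reset(int *fdp)
{
    if (*fdp >= 0)
        close(*fdp);
    *fdp = -1;
}

/* Buggy pattern: two code paths close the same fd number. Returns 1 if hit. */
int stale_close_kills_other_fd(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int stale = p[1];
    close(p[1]);                   /* I/O loop: let the reader see EOF */
    int other = dup(p[0]);         /* stands in for another thread's open() */
    int reused = (other == stale); /* lowest free number is handed out again */
    close(stale);                  /* caller's cleanup closes "other" instead */
    int killed = (fcntl(other, F_GETFD) == -1);
    close(p[0]);
    return reused && killed;
}

/* Fixed pattern: every close goes through the one owning variable. */
int single_owner_close_is_safe(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    close_and_reset(&p[1]);        /* I/O loop */
    int other = dup(p[0]);         /* may reuse the old number */
    close_and_reset(&p[1]);        /* caller's cleanup: p[1] is -1, no-op */
    int alive = (fcntl(other, F_GETFD) != -1);
    close(other);
    close(p[0]);
    return alive;
}

int main(void)
{
    printf("%d %d\n", stale_close_kills_other_fd(), single_owner_close_is_safe());
    return 0;
}
```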
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list