Re: [PATCH 1/1] Fix the crash when seclable is freed

Michal Privoznik <mprivozn@xxxxxxxxxx> · Tue, 02 Apr 2013 13:29:23 +0200

On 02.04.2013 07:58, Li Zhang wrote:
> From: Li Zhang <zhlcindy@xxxxxxxxxxxxxxxxxx>
> 
> When seclabel's type is VIR_DOMAIN_SECLABEL_NONE,
> virSecurityLabelDefPtr's members are not allocated.
> So it will cause crash when calling VIR_FREE.
> 
> This problem is found when running autotest on PPC.
> 
>  Failed to remove cgroup for virt-tests-vm1
>  *** glibc detected *** /usr/sbin/libvirtd: free(): invalid pointer: 0x00003fff9c187510 ***
>  ======= Backtrace: =========
>  /lib64/libc.so.6(+0xb89c4)[0x3fffa9bc89c4]
>  /lib64/libvirt.so.0(virFree-0x3e2320)[0x3fffaa82e9c0]
>  /lib64/libvirt.so.0(virSecurityLabelDefFree-0x378984)[0x3fffaa89d69c]
>  /lib64/libvirt.so.0(virDomainDefFree-0x367c98)[0x3fffaa8ae968]
>  /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessStop-0xc85f8)[0x3fffa2899d58]
>  /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(+0xc3668)[0x3fffa28e3668]
>  /lib64/libvirt.so.0(virDomainDestroy-0x309bd0)[0x3fffaa90f6f0]
>  /usr/sbin/libvirtd[0x10035230]
>  /lib64/libvirt.so.0(virNetServerProgramDispatch-0x289b50)[0x3fffaa995930]
>  /lib64/libvirt.so.0(+0x20db18)[0x3fffaa98db18]
>  /lib64/libvirt.so.0(+0xfbd24)[0x3fffaa87bd24]
>  /lib64/libvirt.so.0(+0xfaec8)[0x3fffaa87aec8]
>  /lib64/libpthread.so.0(+0xc604)[0x3fffa9d7c604]
>  /lib64/libc.so.6(clone-0xb8fe4)[0x3fffa9c3f094]
> 
> Signed-off-by: Li Zhang <zhlcindy@xxxxxxxxxxxxxxxxxx>
> ---
>  src/conf/domain_conf.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index f3fca7f..2856660 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1006,6 +1006,8 @@ virSecurityLabelDefFree(virSecurityLabelDefPtr def)
>  {
>      if (!def)
>          return;
> +    if (def->type == VIR_DOMAIN_SECLABEL_NONE)
> +        return;
>      VIR_FREE(def->model);
>      VIR_FREE(def->label);
>      VIR_FREE(def->imagelabel);
> 

NACK

As you already found out, we are freeing invalid pointers. We need to
find out root cause. I wonder where those pointers come from, as
VIR_ALLOC(), which is used to alloc a virSecurityLabelDefPtr, fill
allocated memory with zeros, so calling VIR_FREE() even for struct
members is just fine. Are you able to reproduce this crash? What are the
steps?

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list