On 07/09/2014 09:57 AM, Michal Privoznik wrote:
> When dispatching events from the event loop, the array of registered
> handles is searched to see which handles an event happened on. However,
> the array is searched in a weird way: the check for the array boundaries
> is at the end, so we may touch the elements after the end of the
> array:
>
> ==10434== Invalid read of size 4
> ==10434==    at 0x52D06B6: virEventPollDispatchHandles (vireventpoll.c:486)
> ==10434==    by 0x52D10E4: virEventPollRunOnce (vireventpoll.c:660)
> ==10434==    by 0x52CF207: virEventRunDefaultImpl (virevent.c:308)
> ==10434==    by 0x1639D1: virNetServerRun (virnetserver.c:1139)
> ==10434==    by 0x1220DC: main (libvirtd.c:1507)
> ==10434==  Address 0xc11ff04 is 4 bytes after a block of size 960 alloc'd
> ==10434==    at 0x4C2CA5E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==10434==    by 0x52AD378: virReallocN (viralloc.c:245)
> ==10434==    by 0x52AD46E: virExpandN (viralloc.c:294)
> ==10434==    by 0x52AD5B1: virResizeN (viralloc.c:352)
> ==10434==    by 0x52CF2EC: virEventPollAddHandle (vireventpoll.c:116)
> ==10434==    by 0x52CEF5B: virEventAddHandle (virevent.c:78)
> ==10434==    by 0x11F69A90: nodeStateInitialize (node_device_udev.c:1797)
> ==10434==    by 0x53C3C89: virStateInitialize (libvirt.c:743)
> ==10434==    by 0x120563: daemonRunStateInit (libvirtd.c:919)
> ==10434==    by 0x5317719: virThreadHelper (virthread.c:197)
> ==10434==    by 0x8376F39: start_thread (in /lib64/libpthread-2.17.so)
> ==10434==    by 0x8A7F9FC: clone (in /lib64/libc-2.17.so)
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/util/vireventpoll.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

ACK

Jan
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
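The ordering problem described in the quoted commit message, shown as an added example that is not part of the original mail and is not libvirt's code. The struct, the function names and the sample handles are constructed for illustration, and an instrumented accessor counts out-of-range indexes instead of dereferencing them, so the effect of placing the bounds check last or first can be measured without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a registered handle; not libvirt's type. */
struct handle { int fd; int events; };
static size_t oob_reads; /* attempted reads at index >= count */

/* Instrumented accessor: records an out-of-range index instead of reading it. */
static const struct handle *at(const struct handle *h, size_t count, size_t i)
{
    static const struct handle none = { -1, 0 };
    if (i >= count) { oob_reads++; return &none; }
    return &h[i];
}

/* Bounds check last: element i is inspected before i is validated. */
size_t find_check_last(const struct handle *h, size_t count, int fd)
{
    size_t i = 0;
    while ((at(h, count, i)->fd != fd || at(h, count, i)->events == 0) &&
           i < count)
        i++;
    return i;
}

/* Bounds check first: && short-circuits, so index count is never inspected. */
size_t find_check_first(const struct handle *h, size_t count, int fd)
{
    size_t i = 0;
    while (i < count &&
           (at(h, count, i)->fd != fd || at(h, count, i)->events == 0))
        i++;
    return i;
}

/* Number of out-of-range reads attempted while searching for an absent fd. */
size_t oob_reads_for(size_t (*find)(const struct handle *, size_t, int))
{
    /* Constructed sample: three registered handles, fd 9 is not among them. */
    const struct handle handles[] = { {3, 1}, {4, 0}, {5, 1} };
    oob_reads = 0;
    (void)find(handles, 3, 9);
    return oob_reads;
}

int main(void)
{
    printf("check last:  %zu out-of-range read(s)\n", oob_reads_for(find_check_last));
    printf("check first: %zu out-of-range read(s)\n", oob_reads_for(find_check_first));
    return 0;
}
```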