Red Hat Bugzilla – Bug 983690
libguestfs double free when kernel link fails during launch
Last modified: 2013-11-20 23:45:52 EST
+++ This bug was initially created as a clone of Bug #983218 +++ --- Additional comment from Richard W.M. Jones on 2013-07-11 12:25:20 EDT --- I can see how a double free could occur. The key observation is the last error message which was captured in the guestfs handle: (gdb) print g->last_error $5 = 0x7f296400c370 "link: /var/tmp/.guestfs-1002/kernel /var/tmp/.guestfs-1002/kernel.29013: Operation not permitted" This errors occurs in hard_link_to_cached_appliance: https://github.com/libguestfs/libguestfs/blob/af1c53d104180415a8584c48f19fd4ea7df224f5/src/appliance.c#L607 In hard_link_to_cached_appliance, along this error path params.kernel would be allocated and then free (but not set back to NULL). Two levels higher up in the stack, the libvirt backend returns from guestfs___build_appliance with an error: https://github.com/libguestfs/libguestfs/blob/823628d41f898982979ab7dd53656377bef8ce1d/src/launch-libvirt.c#L232 and jumps to cleanup: which frees params.kernel again. A double-free. The fix may be to set the kernel pointer to NULL after freeing it the first time, but I need to systematically check this code. --- Additional comment from Richard W.M. Jones on 2013-07-11 12:53:49 EDT --- Attached is a reproducer (although I think what it may be reproducing is a related but ever so slightly different bug in the same area of code). It requires a working 'sudo' command in order to run the following: sudo chattr +i /some/temporary/file Install perl-Sys-Guestfs, download the attached script, chmod +x the script, and just run it. If it *segfaults* => bug reproduced. If it prints "bug 983218 appears to be fixed" => bug fixed. If it does/prints anything else, result is INVALID. Please let me know if this happens. https://bugzilla.redhat.com/attachment.cgi?id=772313
Created attachment 772357 [details] Updated reproducer script. Updated reproducer script. Ignore link in previous comment.
Upstream fix: https://github.com/libguestfs/libguestfs/commit/ae78381287771a781f939f26a414fc8cfdc05fd6
Reproduced with libguestfs-1.20.9-6.el6.x86_64, using the attached script [root@dhcp-9-42 home]# ./test.pl Segmentation fault (core dumped)
Verified with libguestfs-1.20.10-2.el6.x86_64 [root@intel-8400-8-2 home]# ./test.pl bug 983218 appears to be fixed So change the status to verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-1536.html