Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 983690 - libguestfs double free when kernel link fails during launch
libguestfs double free when kernel link fails during launch
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libguestfs (Show other bugs)
6.5
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Richard W.M. Jones
Virtualization Bugs
: Regression
Depends On: 983218
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-11 13:49 EDT by Richard W.M. Jones
Modified: 2013-11-20 23:45 EST (History)
7 users (show)

See Also:
Fixed In Version: libguestfs-1.20.10-1.el6
Doc Type: Bug Fix
Doc Text:
(This was never in a released version and does not need to be documented)
Story Points: ---
Clone Of: 983218
Environment:
Last Closed: 2013-11-20 23:45:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Updated reproducer script. (1.25 KB, text/plain)
2013-07-11 14:14 EDT, Richard W.M. Jones
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1536 normal SHIPPED_LIVE Moderate: libguestfs security, bug fix, and enhancement update 2013-11-20 19:40:55 EST

  None (edit)
Description Richard W.M. Jones 2013-07-11 13:49:47 EDT
+++ This bug was initially created as a clone of Bug #983218 +++

--- Additional comment from Richard W.M. Jones on 2013-07-11 12:25:20 EDT ---

I can see how a double free could occur.

The key observation is the last error message which was captured
in the guestfs handle:

(gdb) print g->last_error 
$5 = 0x7f296400c370 "link: /var/tmp/.guestfs-1002/kernel /var/tmp/.guestfs-1002/kernel.29013: Operation not permitted"

This errors occurs in hard_link_to_cached_appliance:

https://github.com/libguestfs/libguestfs/blob/af1c53d104180415a8584c48f19fd4ea7df224f5/src/appliance.c#L607

In hard_link_to_cached_appliance, along this error path
params.kernel would be allocated and then free (but not set
back to NULL).

Two levels higher up in the stack, the libvirt backend returns
from guestfs___build_appliance with an error:

https://github.com/libguestfs/libguestfs/blob/823628d41f898982979ab7dd53656377bef8ce1d/src/launch-libvirt.c#L232

and jumps to cleanup: which frees params.kernel again.  A
double-free.

The fix may be to set the kernel pointer to NULL after
freeing it the first time, but I need to systematically
check this code.

--- Additional comment from Richard W.M. Jones on 2013-07-11 12:53:49 EDT ---

Attached is a reproducer (although I think what it may be
reproducing is a related but ever so slightly different
bug in the same area of code).

It requires a working 'sudo' command in order to run
the following:

  sudo chattr +i /some/temporary/file

Install perl-Sys-Guestfs, download the attached script,
chmod +x the script, and just run it.

If it *segfaults* => bug reproduced.

If it prints "bug 983218 appears to be fixed" => bug fixed.

If it does/prints anything else, result is INVALID.  Please
let me know if this happens.

https://bugzilla.redhat.com/attachment.cgi?id=772313
Comment 2 Richard W.M. Jones 2013-07-11 14:14:57 EDT
Created attachment 772357 [details]
Updated reproducer script.

Updated reproducer script.  Ignore link in previous comment.
Comment 4 bfan 2013-07-24 04:21:22 EDT
Reproduced with libguestfs-1.20.9-6.el6.x86_64, using the attached script

[root@dhcp-9-42 home]# ./test.pl 
Segmentation fault (core dumped)
Comment 6 bfan 2013-08-06 03:25:14 EDT
Verified with libguestfs-1.20.10-2.el6.x86_64

[root@intel-8400-8-2 home]# ./test.pl 
bug 983218 appears to be fixed

So change the status to verified
Comment 8 errata-xmlrpc 2013-11-20 23:45:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1536.html

Note You need to log in before you can comment on or make changes to this bug.