
On 05/29/2012 09:51 PM, Wen Congyang wrote:
At 05/30/2012 09:20 AM, Eric Blake Wrote:
KAMEZAWA Hiroyuki reported a nasty double-free bug when virCommand is used to convert a string into input to a child command. The problem is that the poll() loop of virCommandProcessIO would close() the write end of the pipe in order to let the child see EOF, then the caller virCommandRun() would also close the same fd number, with the second close possibly nuking an fd opened by some other thread in the meantime. This in turn can have all sorts of bad effects.
This is based on his first attempt at a patch, at https://bugzilla.redhat.com/show_bug.cgi?id=823716
Closing an fd more than once is the cause of this bug. But there is other code that has the same problem. I have been searching for all such code in recent days.
Thanks for helping on that front.
+ if (inoff == inlen && VIR_CLOSE(*inpipe) < 0) + VIR_DEBUG("ignoring failed close on fd %d", infd); + infd = -1;
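Review bot: `infd = -1;` sits outside the `if`, so it runs on every pass through this code, while the close it is meant to record only happens once `inoff == inlen`; when input is still pending, the descriptor number is dropped even though the pipe stays open. Move the reset under the same condition, e.g. `if (inoff == inlen) { if (VIR_CLOSE(*inpipe) < 0) VIR_DEBUG("ignoring failed close on fd %d", infd); infd = -1; }`.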
If inoff != inlen, we should not set infd to -1.
Oh, good catch. I'll post a v2.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
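The hazard Eric describes above, as an added C example that is not libvirt code and not part of the original thread. `safe_close()` is a hypothetical stand-in for the close-and-reset idiom behind `VIR_CLOSE()`, and the cross-thread race is replaced by a deterministic single-threaded sequence: `dup()` plays the part of the other thread's open, and because POSIX hands out the lowest free descriptor number it always lands on the number that was just closed. The first function shows the stale second `close()` destroying the bystander descriptor; the second shows both sites sharing one variable through a pointer, as the patch does with `*inpipe`, so the second close is a no-op.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for libvirt's close-and-reset idiom (not libvirt
 * code): close the descriptor the pointer refers to and overwrite the
 * caller's variable with -1, so a second call on the same variable is a
 * harmless no-op instead of a close() on a number someone else may now own. */
static int safe_close(int *fdptr)
{
    int rc = 0;
    if (*fdptr >= 0) {
        rc = close(*fdptr);
        *fdptr = -1;
    }
    return rc;
}

/* Single-threaded stand-in for the race described in the thread: the first
 * close() frees the number, a bystander (here dup() of the read end, which
 * POSIX gives the lowest free number, i.e. the one just closed) grabs it, and
 * the stale second close() destroys the bystander.
 * Returns 1 if the bystander was killed, 0 if it survived, -1 on setup error. */
static int demo_double_close(void)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    int writer = pipefd[1];          /* "poll loop" copy of the fd number */
    int caller_copy = writer;        /* "virCommandRun()" copy of the same number */

    close(writer);                   /* poll loop closes the write end: EOF for the child */
    int bystander = dup(pipefd[0]);  /* "another thread" opens something: reuses the number */
    close(caller_copy);              /* caller closes its stale copy: hits the bystander */

    int killed = (bystander == writer &&
                  fcntl(bystander, F_GETFD) == -1 && errno == EBADF);
    if (!killed)
        close(bystander);
    close(pipefd[0]);
    return killed;
}

/* Same sequence, but both sites see one variable through a pointer and go
 * through safe_close(), as the patch does with VIR_CLOSE(*inpipe).
 * Returns 1 if the bystander survived, 0 otherwise, -1 on setup error. */
static int demo_safe_close(void)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    int writer = pipefd[1];
    int *shared = &writer;           /* both "threads" reference the same variable */

    safe_close(shared);              /* closes the write end and sets writer to -1 */
    int bystander = dup(pipefd[0]);  /* reuses the freed number */
    int rc = safe_close(shared);     /* no-op: writer is already -1 */

    int survived = (rc == 0 && fcntl(bystander, F_GETFD) != -1);
    close(bystander);
    close(pipefd[0]);
    return survived;
}

int main(void)
{
    printf("naive double close killed the bystander: %d\n", demo_double_close());
    printf("safe_close left the bystander alive:     %d\n", demo_safe_close());
    return 0;
}
```

The essential change is not the macro itself but that every site which may close the descriptor writes back through the same storage; a second copy of the bare integer, as `infd` and the caller's own variable were in the buggy code, defeats the reset.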