Re: [PATCH 0/7] Misc g_auto() rewrites

Tuesday, 9 November 2021

On Mon, 2021-11-01 at 15:16 +0100, Michal Privoznik wrote:
...
 I've been looking at our tests lately and noticed an opportunity
to
 rewrite pieces of code to g_auto() magic.

 Michal Prívozník (7):
   qemuagenttest: Don't leak virTypedParameter on failure
   Prefer g_auto(GStrv) over g_strfreev()
   qemu: Use g_autoptr(qemuMonitorCPUModelInfo)
   qemuConnectStealCPUModelFromInfo: Drop needless 'cleanup' label
   tests: Use g_autoptr(qemuMonitorTest)
   test: Use g_autofree more
   tests: Drop cleanup/error labels

  src/bhyve/bhyve_command.c           |   3 +-
  src/bhyve/bhyve_parse_command.c     |  22 +--
  src/libxl/libxl_conf.c              |   9 +-
  src/libxl/xen_common.c              |  18 +-
  src/libxl/xen_xl.c                  |  17 +-
  src/lxc/lxc_container.c             |   4 +-
  src/lxc/lxc_native.c                |  24 +--
  src/qemu/qemu_driver.c              |  17 +-
  src/remote/remote_daemon_dispatch.c |   3 +-
  src/remote/remote_driver.c          |   4 +-
  src/storage/storage_backend_rbd.c   |   3 +-
  src/util/vircgroup.c                |   3 +-
  src/util/vircgroupv2.c              |   4 +-
  src/util/virfirmware.c              |   6 +-
  src/util/viruri.c                   |   3 +-
  src/vbox/vbox_common.c              |  12 +-
  src/vbox/vbox_snapshot_conf.c       |  40 ++--
  src/vbox/vbox_tmpl.c                |   3 +-
  src/vz/vz_sdk.c                     |   3 +-
  tests/qemuagenttest.c               | 286 ++++++++++++----------------
  tests/qemucapabilitiestest.c        |  22 +--
  tests/qemuhotplugtest.c             |   3 +-
  tests/qemumigparamstest.c           |  40 ++--
  tests/qemumonitorjsontest.c         |  95 ++++-----
  tests/qemumonitortestutils.c        |  63 +++---
  tests/vboxsnapshotxmltest.c         |   3 +-
  tests/virconftest.c                 |   3 +-
  tests/virfiletest.c                 |   3 +-
  tests/virstringtest.c               |   3 +-
  tools/virsh-host.c                  |  13 +-
  tools/virt-login-shell-helper.c     |   7 +-
  tools/vsh.c                         |   4 +-
  32 files changed, 279 insertions(+), 464 deletions(-)

When applying this series, compiling with ASAN enabled, and running
"virsh hypervisor-cpu-compare empty.xml" with "empty.xml" ==
"<cpu/>",
I see the following error message:

=================================================================
==45506==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000009b70 at pc 0x5588d1c81aa8 bp 0x7fffc8510af0 sp 0x7fffc8510ae8
READ of size 8 at 0x602000009b70 thread T0
    #0 0x5588d1c81aa7 in cmdHypervisorCPUCompare
../../git/libvirt/tools/virsh-host.c:1605
    #1 0x5588d1cead5d in vshCommandRun
../../git/libvirt/tools/vsh.c:1309
    #2 0x5588d1bd5331 in main ../../git/libvirt/tools/virsh.c:899
    #3 0x7fc8c4f32b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #4 0x5588d1bcef3d in _start
(/home/twiederh/build/libvirt/tools/virsh+0x16bf3d)

0x602000009b70 is located 0 bytes inside of 16-byte region
[0x602000009b70,0x602000009b80)
freed by thread T0 here:
    #0 0x7fc8c9020647 in free (/lib64/libasan.so.6+0xae647)
    #1 0x7fc8c5b3a24c in g_free (/lib64/libglib-2.0.so.0+0x5a24c)
    #2 0x5588d1c7ebcb in vshExtractCPUDefXMLs
../../git/libvirt/tools/virsh-host.c:1062
    #3 0x5588d1c819fe in cmdHypervisorCPUCompare
../../git/libvirt/tools/virsh-host.c:1602
    #4 0x5588d1cead5d in vshCommandRun
../../git/libvirt/tools/vsh.c:1309
    #5 0x5588d1bd5331 in main ../../git/libvirt/tools/virsh.c:899
    #6 0x7fc8c4f32b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

previously allocated by thread T0 here:
    #0 0x7fc8c9020af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
    #1 0x7fc8c5b3de60 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5de60)
    #2 0x5588d1c819fe in cmdHypervisorCPUCompare
../../git/libvirt/tools/virsh-host.c:1602
    #3 0x5588d1cead5d in vshCommandRun
../../git/libvirt/tools/vsh.c:1309
    #4 0x5588d1bd5331 in main ../../git/libvirt/tools/virsh.c:899
    #5 0x7fc8c4f32b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

SUMMARY: AddressSanitizer: heap-use-after-free
../../git/libvirt/tools/virsh-host.c:1605 in cmdHypervisorCPUCompare
Shadow bytes around the buggy address:
  0x0c047fff9310: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9320: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9330: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff9340: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff9360: fa fa fd fd fa fa fd fd fa fa fd fa fa fa[fd]fd
  0x0c047fff9370: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==45506==ABORTING

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [PATCH 0/7] Misc g_auto() rewrites