[libvirt] [PATCH] virConfSaveValue: protect against a NULL pointer reference

From: Wim ten Have <wim.ten.have@oracle.com>

This patch protects against a NULL pointer dereference leading to a SEGV under xlconfigtest per DO_TEST("channel-pty");

VIR_TEST_OOM=1 VIR_TEST_RANGE=29 ./tests/xlconfigtest

Wim ten Have (1):
  virConfSaveValue: protect against a NULL pointer reference

 src/util/virconf.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--
2.9.3

From: Wim ten Have <wim.ten.have@oracle.com>

Fix xlconfigtest runs build for --enable-test-oom on Xen XL-2-XML Parse channel-pty

Program received signal SIGSEGV, Segmentation fault.

#0 0x00007ffff3c2b373 in __strchr_sse2 () from /lib64/libc.so.6
==> #1 0x00007ffff7875701 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=val@entry=0x674750) at util/virconf.c:290
#2 0x00007ffff7875668 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=<optimized out>) at util/virconf.c:306
#3 0x00007ffff78757ef in virConfSaveEntry (buf=buf@entry=0x7fffffffd8a0, cur=cur@entry=0x674780) at util/virconf.c:338
#4 0x00007ffff78783eb in virConfWriteMem (memory=0x665570 "", len=len@entry=0x7fffffffd910, conf=conf@entry=0x65b940) at util/virconf.c:1543
#5 0x000000000040eccb in testCompareParseXML (replaceVars=<optimized out>, xml=<optimized out>, xlcfg=0x662c00 "/home/wtenhave/WORK/libvirt/OOMtesting/libvirt-devel/tests/xlconfigdata/test-channel-pty.cfg") at xlconfigtest.c:108
#6 testCompareHelper (data=<optimized out>) at xlconfigtest.c:205
#7 0x0000000000410b3a in virTestRun (title=title@entry=0x432cc0 "Xen XL-2-XML Parse channel-pty", body=body@entry=0x40e9b0 <testCompareHelper>, data=data@entry=0x7fffffffd9f0) at testutils.c:247
#8 0x000000000040f322 in mymain () at xlconfigtest.c:278
#9 0x0000000000411410 in virTestMain (argc=1, argv=0x7fffffffdba8, func=0x40f660 <mymain>) at testutils.c:992
#10 0x00007ffff3bc0401 in __libc_start_main () from /lib64/libc.so.6
#11 0x000000000040e86a in _start ()

(gdb) frame 1
#1 0x00007ffff7875701 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=val@entry=0x674750) at util/virconf.c:290
290 if (strchr(val->str, '\n') != NULL) {
(gdb) print *val
$1 = {type = VIR_CONF_STRING, next = 0x0, l = 0, str = 0x0, list = 0x0}

Signed-off-by: Wim ten Have <wim.ten.have@oracle.com>
---
 src/util/virconf.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/util/virconf.c b/src/util/virconf.c index a85a307..9840ca6 100644 --- a/src/util/virconf.c +++ b/src/util/virconf.c @@ -287,14 +287,16 @@ virConfSaveValue(virBufferPtr buf, virConfValuePtr val) virBufferAsprintf(buf, "%llu", val->l); break; case VIR_CONF_STRING: - if (strchr(val->str, '\n') != NULL) { - virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); - } else if (strchr(val->str, '"') == NULL) { - virBufferAsprintf(buf, "\"%s\"", val->str); - } else if (strchr(val->str, '\'') == NULL) { - virBufferAsprintf(buf, "'%s'", val->str); - } else { - virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + if (val->str) { + if (strchr(val->str, '\n') != NULL) { + virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + } else if (strchr(val->str, '"') == NULL) { + virBufferAsprintf(buf, "\"%s\"", val->str); + } else if (strchr(val->str, '\'') == NULL) { + virBufferAsprintf(buf, "'%s'", val->str); + } else { + virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + } } break; case VIR_CONF_LIST: { -- 2.9.3
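
Review bot: The new `if (val->str)` guard in the VIR_CONF_STRING case makes a string value with str == NULL write nothing to the buffer, and the caller gets no indication that the value was skipped. The gdb output in the commit message shows exactly such a value (type = VIR_CONF_STRING, str = 0x0) arriving through the recursive call at virconf.c:306 under virConfSaveEntry, so the saved config will now carry an entry or list element with no value at the point where the crash used to be. Consider handling NULL explicitly here, either by reporting it as an error or by writing an empty quoted string, so that the output stays parseable and the condition is not hidden.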

Wim Ten Have wrote:
From: Wim ten Have <wim.ten.have@oracle.com>
Sorry for the delay. I've not had time to work on upstream libvirt activities recently...
Fix xlconfigtest runs build for --enable-test-oom on Xen XL-2-XML Parse channel-pty
Program received signal SIGSEGV, Segmentation fault.
#0 0x00007ffff3c2b373 in __strchr_sse2 () from /lib64/libc.so.6
==> #1 0x00007ffff7875701 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=val@entry=0x674750) at util/virconf.c:290
#2 0x00007ffff7875668 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=<optimized out>) at util/virconf.c:306
#3 0x00007ffff78757ef in virConfSaveEntry (buf=buf@entry=0x7fffffffd8a0, cur=cur@entry=0x674780) at util/virconf.c:338
#4 0x00007ffff78783eb in virConfWriteMem (memory=0x665570 "", len=len@entry=0x7fffffffd910, conf=conf@entry=0x65b940) at util/virconf.c:1543
#5 0x000000000040eccb in testCompareParseXML (replaceVars=<optimized out>, xml=<optimized out>, xlcfg=0x662c00 "/home/wtenhave/WORK/libvirt/OOMtesting/libvirt-devel/tests/xlconfigdata/test-channel-pty.cfg") at xlconfigtest.c:108
#6 testCompareHelper (data=<optimized out>) at xlconfigtest.c:205
#7 0x0000000000410b3a in virTestRun (title=title@entry=0x432cc0 "Xen XL-2-XML Parse channel-pty", body=body@entry=0x40e9b0 <testCompareHelper>, data=data@entry=0x7fffffffd9f0) at testutils.c:247
#8 0x000000000040f322 in mymain () at xlconfigtest.c:278
#9 0x0000000000411410 in virTestMain (argc=1, argv=0x7fffffffdba8, func=0x40f660 <mymain>) at testutils.c:992
#10 0x00007ffff3bc0401 in __libc_start_main () from /lib64/libc.so.6
#11 0x000000000040e86a in _start ()

(gdb) frame 1
#1 0x00007ffff7875701 in virConfSaveValue (buf=buf@entry=0x7fffffffd8a0, val=val@entry=0x674750) at util/virconf.c:290
290 if (strchr(val->str, '\n') != NULL) {
(gdb) print *val
$1 = {type = VIR_CONF_STRING, next = 0x0, l = 0, str = 0x0, list = 0x0}

Signed-off-by: Wim ten Have <wim.ten.have@oracle.com>
---
 src/util/virconf.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/util/virconf.c b/src/util/virconf.c index a85a307..9840ca6 100644 --- a/src/util/virconf.c +++ b/src/util/virconf.c @@ -287,14 +287,16 @@ virConfSaveValue(virBufferPtr buf, virConfValuePtr val) virBufferAsprintf(buf, "%llu", val->l); break; case VIR_CONF_STRING: - if (strchr(val->str, '\n') != NULL) { - virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); - } else if (strchr(val->str, '"') == NULL) { - virBufferAsprintf(buf, "\"%s\"", val->str); - } else if (strchr(val->str, '\'') == NULL) { - virBufferAsprintf(buf, "'%s'", val->str); - } else { - virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + if (val->str) { + if (strchr(val->str, '\n') != NULL) { + virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + } else if (strchr(val->str, '"') == NULL) { + virBufferAsprintf(buf, "\"%s\"", val->str); + } else if (strchr(val->str, '\'') == NULL) { + virBufferAsprintf(buf, "'%s'", val->str); + } else { + virBufferAsprintf(buf, "\"\"\"%s\"\"\"", val->str); + }
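
Review bot: Wrapping the whole quoting chain in `if (val->str) {` re-indents eight unchanged lines and leaves no hint of why a VIR_CONF_STRING value can have a NULL str. An early `if (!val->str) break;` at the top of the case would give the same behaviour in a two-line change, and a short comment there naming the condition (seen here only under the VIR_TEST_OOM run from the commit message) would document the intent for later readers.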
Odd that we've not stumbled across this earlier. But ACK to making this code a bit more resilient. Patch has been pushed now.

BTW, I noticed a few more OOM test failures in the channel formatting code. Patch sent. Can you help review it?

https://www.redhat.com/archives/libvir-list/2017-April/msg00740.html

Regards,
Jim

On Thu, 13 Apr 2017 11:12:36 -0600 Jim Fehlig <jfehlig@suse.com> wrote:
Wim Ten Have wrote:
From: Wim ten Have <wim.ten.have@oracle.com>
Sorry for the delay. I've not had time to work on upstream libvirt activities recently...
Understood. There is one more PATCH out per me. Let me send a reminder under its specific cover letter.
Fix xlconfigtest runs build for --enable-test-oom on Xen XL-2-XML Parse channel-pty
Program received signal SIGSEGV, Segmentation fault. ..
Odd that we've not stumbled across this earlier. But ACK to making this code a bit more resilient. Patch has been pushed now.
BTW, I noticed a few more OOM test failures in the channel formatting code. Patch sent. Can you help review it?
Sure, I actually had that one in my list to come along soon.
https://www.redhat.com/archives/libvir-list/2017-April/msg00740.html
This marks correct fix! Pls go forward.

Regards,
- Wim.