[libvirt] [PATCH] Fix libvirtd free() segfault when migrating guest with deleted open vswitch port

libvirtd crashes on free()ing portData for an open vswitch port if that port was deleted. To reproduce: ovs-vsctl del-port vnet0 virsh migrate --live kvm1 qemu+ssh://dstHost/system Error message: libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 *** The problem is that virCommandRun can return an empty string in the event that the port being queried does not exist. When this happens then we are unconditionally overwriting a newline character at position strlen()-1. When strlen is 0, we overwrite memory that does not belong to the string. The fix: Only overwrite the newline if the string is not empty. Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com> Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com> --- src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index 6780fb5..0f640d0 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) goto cleanup; } - /* Wipeout the newline */ - (*migrate)[strlen(*migrate) - 1] = '\0'; + /* Wipeout the newline, if it exists */ + if (strlen(*migrate) > 0) { + (*migrate)[strlen(*migrate) - 1] = '\0'; + } ret = 0; cleanup: virCommandFree(cmd); -- 1.9.1
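Review bot: the guard in the hunk at @@ -222,8 +222,10 @@ only checks that *migrate is non-empty, while the new comment says "if it exists": the last byte is still overwritten unconditionally, so any output that happens to lack a trailing newline would lose a real character. Consider testing the byte itself, e.g. `if (strlen(*migrate) > 0 && (*migrate)[strlen(*migrate) - 1] == '\n')`, which also documents the assumption about virCommandRun's output. Separately, the empty-output case that triggered the crash (the port was deleted, per the commit message) now falls through to `ret = 0`, so the function reports success with an empty migrate string; it would help to state in the commit message whether callers are expected to treat "" as "no port data" or whether that should be an error.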

On Tue, 2016-01-26 at 13:25 -0500, Jason J. Herne wrote:
libvirtd crashes on free()ing portData for an open vswitch port if that port was deleted. To reproduce: ovs-vsctl del-port vnet0 virsh migrate --live kvm1 qemu+ssh://dstHost/system Error message: libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 *** The problem is that virCommandRun can return an empty string in the event that the port being queried does not exist. When this happens then we are unconditionally overwriting a newline character at position strlen()-1. When strlen is 0, we overwrite memory that does not belong to the string. The fix: Only overwrite the newline if the string is not empty. Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com> Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com> --- src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index 6780fb5..0f640d0 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) goto cleanup; } - /* Wipeout the newline */ - (*migrate)[strlen(*migrate) - 1] = '\0'; + /* Wipeout the newline, if it exists */ + if (strlen(*migrate) > 0) { + (*migrate)[strlen(*migrate) - 1] = '\0'; + } ret = 0; cleanup: virCommandFree(cmd);
Amended to prevent

    Curly brackets around single-line body:
    src/util/virnetdevopenvswitch.c:226-228:
    if (strlen(*migrate) > 0) {
    (*migrate)[strlen(*migrate) - 1] = '\0';
    }
    maint.mk: incorrect formatting, see HACKING for rules
    cfg.mk:1084: recipe for target 'bracket-spacing-check' failed

on 'make syntax-check' and pushed.

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team

On 26.01.2016 19:25, Jason J. Herne wrote:
libvirtd crashes on free()ing portData for an open vswitch port if that port was deleted. To reproduce:
ovs-vsctl del-port vnet0 virsh migrate --live kvm1 qemu+ssh://dstHost/system
Error message: libvirtd: *** Error in `/usr/sbin/libvirtd': free(): invalid pointer: 0x000003ff90001e20 ***
The problem is that virCommandRun can return an empty string in the event that the port being queried does not exist. When this happens then we are unconditionally overwriting a newline character at position strlen()-1. When strlen is 0, we overwrite memory that does not belong to the string.
The fix: Only overwrite the newline if the string is not empty.
Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com> Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com> --- src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index 6780fb5..0f640d0 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -222,8 +222,10 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) goto cleanup; }
- /* Wipeout the newline */ - (*migrate)[strlen(*migrate) - 1] = '\0'; + /* Wipeout the newline, if it exists */ + if (strlen(*migrate) > 0) { + (*migrate)[strlen(*migrate) - 1] = '\0'; + }
I'd rather see us computing the length of the string once, but I guess the compiler is wise enough to optimize the code for us.

Michal

Commit 871e10f fixed a memory corruption error, but called strlen() twice on the same string to do so. Even though the compiler is probably smart enough to optimize the second call away, having a single invocation makes the code slightly cleaner. Suggested-by: Michal Privoznik <mprivozn@redhat.com> --- How about this? :) src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index db01dcf..9283bbb 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -207,6 +207,7 @@ int virNetDevOpenvswitchRemovePort(const char *brname ATTRIBUTE_UNUSED, const ch int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) { virCommandPtr cmd = NULL; + size_t len; int ret = -1; cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", @@ -223,8 +224,9 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) } /* Wipeout the newline, if it exists */ - if (strlen(*migrate) > 0) - (*migrate)[strlen(*migrate) - 1] = '\0'; + len = strlen(*migrate); + if (len > 0) + (*migrate)[len - 1] = '\0'; ret = 0; cleanup: -- 2.5.0
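Review bot: the context lines at @@ -207,6 +207,7 @@ show the command is built with "--if-exists", which is what makes a deleted port yield empty output instead of an ovs-vsctl error; with the guard at @@ -223,8 +224,9 @@ that empty string is then returned alongside `ret = 0`. That is the right fix for the out-of-bounds write, but it silently turns "port no longer exists" into a successful call with no migration data, and neither the code nor the commit message says that this is intended. Suggest a one-line comment above the `len > 0` check (or a note in the commit message) recording that an empty *migrate is a legitimate result for a missing port, so the next reader does not mistake it for a leftover of the crash. Also note that `len > 0` still strips whatever the last byte is rather than only a '\n', which the comment "if it exists" implies; `if (len > 0 && (*migrate)[len - 1] == '\n')` would match the comment.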

On Wed, Jan 27, 2016 at 10:41:15 +0100, Andrea Bolognani wrote:
Commit 871e10f fixed a memory corruption error, but called strlen() twice on the same string to do so. Even though the compiler is probably smart enough to optimize the second call away, having a single invocation makes the code slightly cleaner.
Suggested-by: Michal Privoznik <mprivozn@redhat.com> ---
How about this? :)
src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index db01dcf..9283bbb 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -207,6 +207,7 @@ int virNetDevOpenvswitchRemovePort(const char *brname ATTRIBUTE_UNUSED, const ch int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) { virCommandPtr cmd = NULL; + size_t len; int ret = -1;
cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", @@ -223,8 +224,9 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) }
/* Wipeout the newline, if it exists */ - if (strlen(*migrate) > 0) - (*migrate)[strlen(*migrate) - 1] = '\0';
Or just

    if (**migrate)
        (*migrate)[strlen(*migrate) - 1] = '\0';

(or similar check for the first character in *migrate) since we only need to check if it's empty or not :-)

Jirka

On Wed, 2016-01-27 at 10:49 +0100, Jiri Denemark wrote:
On Wed, Jan 27, 2016 at 10:41:15 +0100, Andrea Bolognani wrote:
Commit 871e10f fixed a memory corruption error, but called strlen() twice on the same string to do so. Even though the compiler is probably smart enough to optimize the second call away, having a single invocation makes the code slightly cleaner. Suggested-by: Michal Privoznik <mprivozn@redhat.com> --- How about this? :) src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index db01dcf..9283bbb 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -207,6 +207,7 @@ int virNetDevOpenvswitchRemovePort(const char *brname ATTRIBUTE_UNUSED, const ch int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) { virCommandPtr cmd = NULL; + size_t len; int ret = -1; cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", @@ -223,8 +224,9 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) } /* Wipeout the newline, if it exists */ - if (strlen(*migrate) > 0) - (*migrate)[strlen(*migrate) - 1] = '\0'; Or just if (**migrate) (*migrate)[strlen(*migrate) - 1] = '\0'; (or similar check for the first character in *migrate) since we only need to check if it's empty or not :-)
Yeah, that would work just as nicely, and would even save us the call to strlen() altogether when the string is empty.

However, I'd argue that it makes the code a tiny bit more opaque rather than a tiny bit cleaner, so I'd still go with the version I posted if that's okay with you :)

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team

On Wed, 2016-01-27 at 11:00 +0100, Andrea Bolognani wrote:
On Wed, 2016-01-27 at 10:49 +0100, Jiri Denemark wrote:
Or just if (**migrate) (*migrate)[strlen(*migrate) - 1] = '\0'; (or similar check for the first character in *migrate) since we only need to check if it's empty or not :-)
Yeah, that would work just as nicely, and would even save us the call to strlen() altogether when the string is empty.
However, I'd argue that it makes the code a tiny bit more opaque rather than a tiny bit cleaner, so I'd still go with the version I posted if that's okay with you :)
Pushed as Jirka confirmed on IRC he's okay with that :)

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team

On 27.01.2016 10:41, Andrea Bolognani wrote:
Commit 871e10f fixed a memory corruption error, but called strlen() twice on the same string to do so. Even though the compiler is probably smart enough to optimize the second call away, having a single invocation makes the code slightly cleaner.
Suggested-by: Michal Privoznik <mprivozn@redhat.com> ---
How about this? :)
src/util/virnetdevopenvswitch.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c index db01dcf..9283bbb 100644 --- a/src/util/virnetdevopenvswitch.c +++ b/src/util/virnetdevopenvswitch.c @@ -207,6 +207,7 @@ int virNetDevOpenvswitchRemovePort(const char *brname ATTRIBUTE_UNUSED, const ch int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) { virCommandPtr cmd = NULL; + size_t len; int ret = -1;
cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", @@ -223,8 +224,9 @@ int virNetDevOpenvswitchGetMigrateData(char **migrate, const char *ifname) }
/* Wipeout the newline, if it exists */ - if (strlen(*migrate) > 0) - (*migrate)[strlen(*migrate) - 1] = '\0'; + len = strlen(*migrate); + if (len > 0) + (*migrate)[len - 1] = '\0';
ret = 0; cleanup:
Much better. Thank you. ACK.

Michal
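An added example, not libvirt code and not from anyone in this thread, that walks through the off-by-one the original commit message describes (strlen() - 1 on an empty string wrapping to the byte before the allocation) and the three forms of the guard discussed above: the pushed version computing the length once, Jirka's first-byte test, and a stricter newline-only check that I add for comparison. The sample strings standing in for ovs-vsctl output are constructed, and every function name here is mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The index the original code wrote to, computed exactly as it did:
 * strlen(s) - 1 in size_t arithmetic. For an empty string this wraps to
 * SIZE_MAX, which as a pointer offset is s[-1]: the byte just before the
 * allocation, i.e. the malloc chunk metadata that glibc's free() later
 * validates. The value is only returned here, never used as an index,
 * so nothing is corrupted. */
size_t old_code_write_index(const char *s)
{
    return strlen(s) - 1;
}

/* The guard as pushed (commit 871e10f, then reworked to call strlen()
 * once): only write when the string is non-empty. The last byte is
 * dropped whatever it is; the comment "if it exists" is not enforced. */
void chomp_pushed(char *s)
{
    size_t len = strlen(s);
    if (len > 0)
        s[len - 1] = '\0';
}

/* Jirka's alternative from the thread: test the first byte and skip
 * strlen() entirely on empty input. Same result as chomp_pushed. */
void chomp_first_byte(char *s)
{
    if (*s)
        s[strlen(s) - 1] = '\0';
}

/* Stricter variant (my suggestion, not from the thread): remove the byte
 * only when it really is a newline, so output that already lacks one
 * keeps its final character. */
void chomp_newline_only(char *s)
{
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n')
        s[len - 1] = '\0';
}

/* Apply `chomp` to a private heap copy of `input` (mirroring the
 * virCommandRun-allocated buffer) and report whether the result equals
 * `expected`. Returns 1 on match, 0 on mismatch or allocation failure. */
int chomp_gives(void (*chomp)(char *), const char *input, const char *expected)
{
    size_t n = strlen(input) + 1;
    int match;
    char *copy = malloc(n);
    if (!copy)
        return 0;
    memcpy(copy, input, n);
    chomp(copy);
    match = strcmp(copy, expected) == 0;
    free(copy);
    return match;
}

/* Length of `input` after `chomp`; SIZE_MAX if the copy could not be made. */
size_t len_after(void (*chomp)(char *), const char *input)
{
    size_t n = strlen(input) + 1, result;
    char *copy = malloc(n);
    if (!copy)
        return SIZE_MAX;
    memcpy(copy, input, n);
    chomp(copy);
    result = strlen(copy);
    free(copy);
    return result;
}

int main(void)
{
    /* Constructed stand-ins for ovs-vsctl output: a normal result with its
     * trailing newline, a bare newline, the empty output seen for a deleted
     * port, and output with no newline at all. */
    const char *samples[] = { "{attached-mac=\"52:54:00:12:34:56\"}\n", "\n", "", "abc" };
    size_t i;

    printf("strlen(\"\") - 1 as size_t = %zu (wraps: the old code indexed s[-1])\n",
           old_code_write_index(""));
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("input len %zu -> pushed %zu, first-byte %zu, newline-only %zu\n",
               strlen(samples[i]),
               len_after(chomp_pushed, samples[i]),
               len_after(chomp_first_byte, samples[i]),
               len_after(chomp_newline_only, samples[i]));
    return 0;
}
```

The last sample is the one that separates the variants: both forms discussed in the thread shorten "abc" to "ab", while the newline-only check leaves it alone. Whether that matters depends on a guarantee about the command output that the thread does not state, which is why the check is worth writing down explicitly rather than leaving it in a comment.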