From 93b76d6b7287e4f418292a73befbcc990686b296 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 28 May 2013 16:15:59 +0100
Subject: [PATCH] inspection: Fix double-free when certain guest files are
 empty.

The following commit:

  commit 5a3da366268825b26b470cde35658b67c1d11cd4
  Author: Richard W.M. Jones <rjones@redhat.com>
  Date:   Thu Jan 24 17:07:38 2013 +0000

      inspect: Use CLEANUP_* macros in inspection code.

can cause a double-free along an error path when certain guest files
are empty where we expected those files to contain at least one line.

This causes virt-inspector to crash when run on these guests.

The following is a test case which demonstrates the crash.
`f20rawhidex64' is a Fedora guest, but with small adjustments to the
test you could use any Linux guest for this test.

  $ qemu-img create -f qcow2 -b f20rawhidex64 /tmp/test.qcow2
  Formatting '/tmp/test.qcow2', fmt=qcow2 size=21474836480 backing_file='f20rawhidex64' encryption=off cluster_size=65536 lazy_refcounts=off
  $ guestfish -i -a /tmp/test.qcow2 -- rm /etc/redhat-release : touch /etc/redhat-release
  $ virt-inspector /tmp/test.qcow2
  *** glibc detected *** virt-inspector: double free or corruption (fasttop): 0x00007f18bc9925a0 ***
  ======= Backtrace: =========
  /lib64/libc.so.6(+0x34ecc7ca8e)[0x7f18b8e64a8e]
  /lib64/libguestfs.so.0(+0x3f91898078)[0x7f18ba13c078]
  /lib64/libguestfs.so.0(+0x3f91899761)[0x7f18ba13d761]
  /lib64/libguestfs.so.0(+0x3f91896d12)[0x7f18ba13ad12]
  /lib64/libguestfs.so.0(+0x3f91894140)[0x7f18ba138140]
  /lib64/libguestfs.so.0(guestfs_inspect_os+0x35)[0x7f18ba0bcc35]
  virt-inspector(main+0x547)[0x7f18ba7c57d7]
  /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f18b8e09a05]
  virt-inspector(+0x6665)[0x7f18ba7c7665]

This is a denial of service, but not likely to be exploitable.

(Found by Coverity)
(cherry picked from commit fa6a76050d82894365dfe32916903ef7fee3ffcd)
---
 src/inspect-fs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/inspect-fs.c b/src/inspect-fs.c
index b60725a..e4d3c28 100644
--- a/src/inspect-fs.c
+++ b/src/inspect-fs.c
@@ -530,7 +530,7 @@ guestfs___check_package_management (guestfs_h *g, struct inspect_fs *fs)
 char *
 guestfs___first_line_of_file (guestfs_h *g, const char *filename)
 {
-  CLEANUP_FREE char **lines = NULL; /* sic: not CLEANUP_FREE_STRING_LIST */
+  char **lines = NULL; /* sic: not CLEANUP_FREE_STRING_LIST */
   int64_t size;
   char *ret;
 
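Review bot: removing CLEANUP_FREE from `lines` means the compiler no longer frees the array on every exit from the function, so each early return between this declaration and the final `return ret` in the elided body (including the empty-file path that produced the double free) must now free `lines` itself, or the double free turns into a leak on those paths; it would help to state in the commit message which error path already frees the list, since that is the reason the attribute had to go. The retained comment `/* sic: not CLEANUP_FREE_STRING_LIST */` no longer refers to any cleanup macro on this line; reword it to say that the array is freed by hand and that lines[0] is handed to the caller.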
@@ -559,6 +559,8 @@ guestfs___first_line_of_file (guestfs_h *g, const char *filename)
 
   ret = lines[0];               /* caller frees */
 
+  free (lines);
+
   return ret;
 }
 
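Review bot: `free (lines)` here releases only the array while `ret = lines[0]` transfers the string to the caller, which is correct only if the list holds nothing beyond that first entry; the hunk does not show how `lines` is filled, so a comment such as `/* free the array only; lines[0] is now owned by the caller */` would make the intent explicit and stop a later reader from "fixing" this into a string-list free that would also free `ret`.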
-- 
1.8.2.1
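The ownership rule the patch settles on, as an added, self-contained example that is not part of the commit or of libguestfs: `head_1` is a constructed stand-in for the guest-file read (a NULL-terminated list holding at most the first line, empty for an empty file), `first_line` follows the patched `guestfs___first_line_of_file` (no cleanup attribute, each path frees the array itself, only the array on success), and the alloc/free counters let a test confirm that every allocation is released exactly once on both the empty-file path and the success path.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Counters so a test can check every allocation is freed exactly once. */
static int allocs, frees;

static void *xmalloc(size_t n) { allocs++; void *p = malloc(n); assert(p); return p; }
static void xfree(void *p) { if (p) { frees++; free(p); } }

/* Constructed stand-in for reading the first line of a guest file:
 * returns a NULL-terminated list with at most one strdup'd line;
 * an empty file yields an empty list (lines[0] == NULL). */
static char **head_1(const char *content)
{
    char **lines = xmalloc(2 * sizeof(char *));
    if (content[0] == '\0') {      /* empty file: no lines at all */
        lines[0] = NULL;
        return lines;
    }
    size_t len = strcspn(content, "\n");
    lines[0] = xmalloc(len + 1);
    memcpy(lines[0], content, len);
    lines[0][len] = '\0';
    lines[1] = NULL;
    return lines;
}

/* Frees every string in the list and then the array itself. */
static void free_string_list(char **l)
{
    for (size_t i = 0; l[i] != NULL; i++) xfree(l[i]);
    xfree(l);
}

/* Mirrors the patched function: `lines` carries no cleanup attribute, so the
 * empty-file path frees the whole list and returns NULL, while the success
 * path frees only the array because lines[0] is handed to the caller. */
char *first_line(const char *content)
{
    char **lines = head_1(content);
    if (lines[0] == NULL) {        /* error path: file was empty */
        free_string_list(lines);   /* one free of the array, no second one */
        return NULL;
    }
    char *ret = lines[0];          /* caller frees */
    xfree(lines);                  /* free the array only */
    return ret;
}

/* Outstanding allocations; 0 means no leak and no double free was counted. */
int leaked(void) { return allocs - frees; }
```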