libvirt/libvirt-nodedev-fix-potential-heap-use-after-free.patch

From c53f20683ef66939d94e690e875500628a5b4f3f Mon Sep 17 00:00:00 2001
From: Xu Yandong <xuyandong2@huawei.com>
Date: Thu, 29 Aug 2019 16:31:30 +0800
Subject: [PATCH] nodedev: fix potential heap use after free

After move device enumumeration into a thread(commit 9f0ae0b18e3),
flag driversInitialized no longer represent stateInitialized finished
complete, so reference driver->devs before use it to prevent devs freed
by virStateCleanup.

Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
 src/node_device/node_device_udev.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index 276bf3d..cac9447 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -1321,9 +1321,12 @@ udevAddOneDevice(struct udev_device *device)
     virNodeDeviceObjPtr obj = NULL;
     virNodeDeviceDefPtr objdef;
     virObjectEventPtr event = NULL;
+    virNodeDeviceObjListPtr devs = driver->devs;
     bool new_device = true;
     int ret = -1;
 
+    virObjectRef(devs);
+
     if (VIR_ALLOC(def) != 0)
         goto cleanup;
 
@@ -1348,14 +1351,14 @@ udevAddOneDevice(struct udev_device *device)
     if (udevSetParent(device, def) != 0)
         goto cleanup;
 
-    if ((obj = virNodeDeviceObjListFindByName(driver->devs, def->name))) {
+    if ((obj = virNodeDeviceObjListFindByName(devs, def->name))) {
         virNodeDeviceObjEndAPI(&obj);
         new_device = false;
     }
 
     /* If this is a device change, the old definition will be freed
      * and the current definition will take its place. */
-    if (!(obj = virNodeDeviceObjListAssignDef(driver->devs, def)))
+    if (!(obj = virNodeDeviceObjListAssignDef(devs, def)))
         goto cleanup;
     objdef = virNodeDeviceObjGetDef(obj);
 
@@ -1371,6 +1374,7 @@ udevAddOneDevice(struct udev_device *device)
     ret = 0;
 
  cleanup:
+    virObjectUnref(devs);
     virObjectEventStateQueue(driver->nodeDeviceEventState, event);
 
     if (ret != 0) {
-- 
2.19.1
Package init 2019-09-30 10:58:53 -04:00			`From c53f20683ef66939d94e690e875500628a5b4f3f Mon Sep 17 00:00:00 2001`
			`From: Xu Yandong <xuyandong2@huawei.com>`
			`Date: Thu, 29 Aug 2019 16:31:30 +0800`
			`Subject: [PATCH] nodedev: fix potential heap use after free`

			`After move device enumumeration into a thread(commit 9f0ae0b18e3),`
			`flag driversInitialized no longer represent stateInitialized finished`
			`complete, so reference driver->devs before use it to prevent devs freed`
			`by virStateCleanup.`

			`Signed-off-by: Xu Yandong <xuyandong2@huawei.com>`
			`---`
			`src/node_device/node_device_udev.c \| 8 ++++++--`
			`1 file changed, 6 insertions(+), 2 deletions(-)`

			`diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c`
			`index 276bf3d..cac9447 100644`
			`--- a/src/node_device/node_device_udev.c`
			`+++ b/src/node_device/node_device_udev.c`
			`@@ -1321,9 +1321,12 @@ udevAddOneDevice(struct udev_device *device)`
			`virNodeDeviceObjPtr obj = NULL;`
			`virNodeDeviceDefPtr objdef;`
			`virObjectEventPtr event = NULL;`
			`+ virNodeDeviceObjListPtr devs = driver->devs;`
			`bool new_device = true;`
			`int ret = -1;`

			`+ virObjectRef(devs);`
			`+`
			`if (VIR_ALLOC(def) != 0)`
			`goto cleanup;`

			`@@ -1348,14 +1351,14 @@ udevAddOneDevice(struct udev_device *device)`
			`if (udevSetParent(device, def) != 0)`
			`goto cleanup;`

			`- if ((obj = virNodeDeviceObjListFindByName(driver->devs, def->name))) {`
			`+ if ((obj = virNodeDeviceObjListFindByName(devs, def->name))) {`
			`virNodeDeviceObjEndAPI(&obj);`
			`new_device = false;`
			`}`

			`/* If this is a device change, the old definition will be freed`
			`* and the current definition will take its place. */`
			`- if (!(obj = virNodeDeviceObjListAssignDef(driver->devs, def)))`
			`+ if (!(obj = virNodeDeviceObjListAssignDef(devs, def)))`
			`goto cleanup;`
			`objdef = virNodeDeviceObjGetDef(obj);`

			`@@ -1371,6 +1374,7 @@ udevAddOneDevice(struct udev_device *device)`
			`ret = 0;`

			`cleanup:`
			`+ virObjectUnref(devs);`
			`virObjectEventStateQueue(driver->nodeDeviceEventState, event);`

			`if (ret != 0) {`
			`--`
			`2.19.1`