From 6dca93e4bcaf1906fb3379dd98fc8056a597c4cc Mon Sep 17 00:00:00 2001 From: Peter Krempa Date: Sun, 2 May 2021 11:45:22 +0200 Subject: [PATCH] conf: Fix heap corruption when hot-adding a lease Commit 28a86993162f7d2f ( v6.9.0-179-g28a8699316 ) incorrectly replaced VIR_EXPAND_N by g_renew. VIR_EXPAND_N has these two extra effects apart from reallocating memory: 1) The newly allocated memory is zeroed out 2) The number of elements in the array which is passed to VIR_EXPAND_N is increased. This comes into play when used with virDomainLeaseInsertPreAlloced, which expects that the array element count already includes the space for the added 'lease', by plainly just assigning to 'leases[nleases - 1]' Since g_renew does not increase the number of elements in the array any existing code which calls virDomainLeaseInsertPreAlloced thus either overwrites a lease definition or corrupts the heap if there are no leases to start with. To preserve existing functionality we revert the code back to using VIR_EXPAND_N which at this point doesn't return any value, so other commits don't need to be reverted. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1953577 Signed-off-by: Peter Krempa Reviewed-by: Jiri Denemark --- src/conf/domain_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 9d98f487ea..84570c001c 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -16837,7 +16837,7 @@ int virDomainLeaseIndex(virDomainDef *def, void virDomainLeaseInsertPreAlloc(virDomainDef *def) { - def->leases = g_renew(virDomainLeaseDef *, def->leases, def->nleases + 1); + VIR_EXPAND_N(def->leases, def->nleases, 1); } void virDomainLeaseInsert(virDomainDef *def, virDomainLeaseDef *lease)