File 4dfc34c3-libxl-vnc-fix.patch of Package libvirt
commit 4dfc34c301206d50d41b3122a6dbfe6e687afd0f
Author: Jim Fehlig <jfehlig@suse.com>
Date: Mon Aug 25 16:46:00 2014 -0600
libxl: fix memory corruption introduced by commit b55cc5f4e
Commit b55cc5f4e did a shallow copy of libxl_{sdl,vnc}_info from the
domain config to the build info, so both structures ended up pointing at
the same embedded strings; those strings were then freed twice during
cleanup, which later crashed libvirtd. Fix by performing a deep copy of
the structure, VIR_STRDUP'ing the embedded strings instead of simply
copying their pointers.
Fixes the following issue reported on the libvirt dev list
https://www.redhat.com/archives/libvir-list/2014-August/msg01112.html
Index: libvirt-1.2.5/src/libxl/libxl_conf.c
===================================================================
--- libvirt-1.2.5.orig/src/libxl/libxl_conf.c
+++ libvirt-1.2.5/src/libxl/libxl_conf.c
@@ -1096,10 +1096,24 @@ libxlMakeVfbList(libxlDriverPrivatePtr d
libxl_domain_build_info *b_info = &d_config->b_info;
libxl_device_vfb vfb = d_config->vfbs[0];
- if (libxl_defbool_val(vfb.vnc.enable))
- memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info));
- else if (libxl_defbool_val(vfb.sdl.enable))
- memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info));
+ if (libxl_defbool_val(vfb.vnc.enable)) {
+ libxl_defbool_set(&b_info->u.hvm.vnc.enable, true);
+ if (VIR_STRDUP(b_info->u.hvm.vnc.listen, vfb.vnc.listen) < 0)
+ goto error;
+ if (VIR_STRDUP(b_info->u.hvm.vnc.passwd, vfb.vnc.passwd) < 0)
+ goto error;
+ b_info->u.hvm.vnc.display = vfb.vnc.display;
+ libxl_defbool_set(&b_info->u.hvm.vnc.findunused,
+ libxl_defbool_val(vfb.vnc.findunused));
+ } else if (libxl_defbool_val(vfb.sdl.enable)) {
+ libxl_defbool_set(&b_info->u.hvm.sdl.enable, true);
+ libxl_defbool_set(&b_info->u.hvm.sdl.opengl,
+ libxl_defbool_val(vfb.sdl.opengl));
+ if (VIR_STRDUP(b_info->u.hvm.sdl.display, vfb.sdl.display) < 0)
+ goto error;
+ if (VIR_STRDUP(b_info->u.hvm.sdl.xauthority, vfb.sdl.xauthority) < 0)
+ goto error;
+ }
}
return 0;
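Review bot: The two `libxl_defbool_set(..., libxl_defbool_val(...))` round trips for `vnc.findunused` and `sdl.opengl` add a precondition the old memcpy did not have: in the libxl versions I know, `libxl_defbool_val()` asserts that the defbool is not in its "default" state, so if the corresponding field of `vfb` was ever left unset by the code that builds `d_config->vfbs[0]`, libvirtd would abort here instead of letting libxl fill in the default later. A `libxl_defbool` holds no pointers, so plain struct assignment copies it safely with no such precondition: `b_info->u.hvm.vnc.findunused = vfb.vnc.findunused;` and `b_info->u.hvm.sdl.opengl = vfb.sdl.opengl;`. The deep copy also assumes `b_info->u.hvm.vnc.listen`/`passwd` and `sdl.display`/`xauthority` are still NULL at this point; if a caller had already populated them the VIR_STRDUP would overwrite and leak the old pointers, so a short comment stating that the build info must be freshly initialised would help the next reader. Note that `passwd` is a VNC secret copied into a second heap buffer whose lifetime is now tied to `b_info`'s dispose path, which lives outside this hunk, as does the `error:` label the new `goto`s target.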