xenbits.xensource.com Git - libvirt.git/commit

author	Eric Blake <eblake@redhat.com>
	Fri, 21 Jan 2011 19:57:03 +0000 (12:57 -0700)
committer	Eric Blake <eblake@redhat.com>
	Thu, 27 Jan 2011 16:12:36 +0000 (09:12 -0700)
commit	a7483a5631e2f5106c0f57ced13e5689dd8c3347
tree	b3025dca9fbd218a0b917088acafba5a124f8f9f	tree
parent	6014485cdbaecf08f777b68553ae29035cf8ef77	commit \| diff

event: fix event-handling allocation crash

Regression introduced in commit e6b68d7 (Nov 2010).

Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.

Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.

* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.

daemon/event.c		diff \| blob \| blame \| history
tests/eventtest.c		diff \| blob \| blame \| history