This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-devel] [PATCH] tmem: fix double-free bug

To: "Xen-Devel (E-mail)" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH] tmem: fix double-free bug
From: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
Date: Mon, 16 Nov 2009 08:33:14 -0800 (PST)
Delivery-date: Mon, 16 Nov 2009 08:33:51 -0800
Tmem double-frees a high-level data structure
causing memory corruption under certain
circumstances.

Signed-off-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>

diff -r bec27eb6f72c xen/common/tmem.c
--- a/xen/common/tmem.c Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem.c Mon Nov 16 09:25:14 2009 -0700
@@ -943,7 +943,7 @@ static void client_free(client_t *client
 {
     list_del(&client->client_list);
     tmh_client_destroy(client->tmh);
-    tmem_free(client,sizeof(client_t),NULL);
+    tmh_free_infra(client);
 }
 
 /* flush all data from a client and, optionally, free it */
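Review bot: swapping `tmem_free(client,sizeof(client_t),NULL)` for `tmh_free_infra(client)` changes which allocator releases the client struct, but neither the hunk nor the commit message says which of the two frees was the duplicate or through which allocator `client` was obtained; please spell out in the commit message that client_t comes from the infra-side allocator (so `tmem_free` was the wrong release path) and confirm that no remaining caller frees `client` again after client_free() returns, since "under certain circumstances" does not tell a reader how to reproduce or verify the fix.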
diff -r bec27eb6f72c xen/common/tmem_xen.c
--- a/xen/common/tmem_xen.c     Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem_xen.c     Mon Nov 16 09:25:14 2009 -0700
@@ -294,7 +294,7 @@ EXPORT tmh_client_t *tmh_client_init(voi
     if ( (tmh = xmalloc(tmh_client_t)) == NULL )
         return NULL;
     for (i = 0, shift = 12; i < 4; shift -=4, i++)
-        name[i] = ((unsigned short)domid >> shift) & 0xf;
+        name[i] = (((unsigned short)domid >> shift) & 0xf) + '0';
     name[4] = '\0';
 #ifndef __i386__
     tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
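Review bot: the `+ '0'` change in tmh_client_init is unrelated to the double-free and belongs in its own patch; it does fix the pool name holding raw nibble values 0x0..0xf (a domid with a zero nibble embedded a NUL terminator in `name[]`), but `'0' + n` only produces a digit for n <= 9, so nibbles 10..15 become ':' ';' '<' '=' '>' '?'. Suggest a hex digit lookup instead, e.g. `name[i] = "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf];`.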
@@ -315,7 +315,6 @@ EXPORT void tmh_client_destroy(tmh_clien
     xmem_pool_destroy(tmh->persistent_pool);
 #endif
     put_domain(tmh->domain);
-    xfree(tmh);
 }
 
 /******************  XEN-SPECIFIC HOST INITIALIZATION ********************/
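Review bot: dropping `xfree(tmh)` from tmh_client_destroy means the tmh_client_t obtained with `xmalloc(tmh_client_t)` in tmh_client_init is no longer released here, yet the only caller visible in this patch, client_free(), calls tmh_client_destroy(client->tmh) and then frees only `client`; unless `client->tmh` is released elsewhere or embedded in the client struct, this trades the double free for a leak. Please either free tmh in client_free() after tmh_client_destroy() returns or state in the commit message where it is released now.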
