Bug 34114 - double free in virsh define
Summary: double free in virsh define
Status: CLOSED DUPLICATE of bug 31032
Alias: None
Product: UCS
Classification: Unclassified
Component: Virtualization - Xen
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
Reported: 2014-02-13 08:10 CET by Tim Petersen
Modified: 2023-06-28 10:46 CEST
Customer ID: 00026
Description Tim Petersen univentionstaff 2014-02-13 08:10:44 CET
Reported by a customer at 2014021221003656

UCS 3.2-0-Errata51 memberserver, XEN
3.10.0-ucs43-amd64
libvirt: 0.9.12-5

root@server:~# virsh define xyz
Domain xyz defined from xyz

*** glibc detected *** virsh: double free or corruption (!prev): 0x0000000001269400 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71e16)[0x7f956a3abe16]
/lib/libc.so.6(cfree+0x6c)[0x7f956a3b0b8c]
/usr/lib/libvirt.so.0(virFree+0x39)[0x7f956d523199]
/usr/lib/libvirt.so.0(+0x1216ff)[0x7f956d5ea6ff]
/usr/lib/libvirt.so.0(+0xe0a05)[0x7f956d5a9a05]
/usr/lib/libvirt.so.0(+0xe0bf8)[0x7f956d5a9bf8]
/usr/lib/libvirt.so.0(virUnrefDomain+0xc8)[0x7f956d5a9ed8]
/usr/lib/libvirt.so.0(virDomainFree+0xbb)[0x7f956d5d5feb]
/usr/lib/libvirt.so.0(+0x17010c)[0x7f956d63910c]
/usr/lib/libvirt.so.0(+0x1709bc)[0x7f956d6399bc]
/usr/lib/libvirt.so.0(+0x170d00)[0x7f956d639d00]
/usr/lib/libvirt.so.0(+0x51e15)[0x7f956d51ae15]
/usr/lib/libvirt.so.0(virEventRunDefaultImpl+0x45)[0x7f956d519a45]
virsh[0x41eb52]
/usr/lib/libvirt.so.0(+0x64ba6)[0x7f956d52dba6]
/lib/libpthread.so.0(+0x68ca)[0x7f956b03e8ca]
/lib/libc.so.6(clone+0x6d)[0x7f956a409b6d]
Abgebrochen

I suppose it's located in /src/xen/xend_internal.c in xenDaemonCreateXML and fixed upstream.
Comment 1 Philipp Hahn univentionstaff 2014-02-13 11:51:32 CET
Not exactly the same BT, but close enough to look closely related.

*** This bug has been marked as a duplicate of bug 31032 ***
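
Comment 1 judges the two backtraces close enough to be the same bug. The following added example (not part of this report or of libvirt) parses glibc's abort output into frames and compares traces by their named frames, which stay stable when load addresses differ. The function names are this example's own, and `OTHER` is a constructed trace, not the one from bug 31032.

```python
import re

HEADER = re.compile(r"^\*\*\* glibc detected \*\*\* (\S+): (.+): (0x[0-9a-f]+) \*\*\*$")
# Frame: module(symbol+0xoff)[0xaddr]; empty symbol = stripped, no parens = main executable.
FRAME = re.compile(r"^([^\s(\[]+)(?:\(([^+()]*)\+(0x[0-9a-f]+)\))?\[(0x[0-9a-f]+)\]$")

def parse_abort(text):
    """Return (program, message, pointer, frames) from a glibc abort report."""
    head, frames = None, []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            head = m.groups()
        elif m := FRAME.match(line):  # section banners and map lines do not match
            module, symbol, offset, _addr = m.groups()
            frames.append((module.rsplit("/", 1)[-1], symbol or None, offset))
    if head is None:
        raise ValueError("no glibc abort header found")
    return (*head, frames)

def signature(frames):
    """Named frames only: raw addresses change with every load, symbols do not."""
    return [f"{mod}!{sym}" for mod, sym, _ in frames if sym]

def similarity(sig_a, sig_b):
    """Jaccard overlap of two signatures, from 0.0 to 1.0."""
    a, b = set(sig_a), set(sig_b)
    return len(a & b) / len(a | b) if a | b else 0.0

# Selected frames copied from the trace in this report.
REPORTED = """\
*** glibc detected *** virsh: double free or corruption (!prev): 0x0000000001269400 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71e16)[0x7f956a3abe16]
/lib/libc.so.6(cfree+0x6c)[0x7f956a3b0b8c]
/usr/lib/libvirt.so.0(virFree+0x39)[0x7f956d523199]
/usr/lib/libvirt.so.0(virUnrefDomain+0xc8)[0x7f956d5a9ed8]
/usr/lib/libvirt.so.0(virDomainFree+0xbb)[0x7f956d5d5feb]
virsh[0x41eb52]
"""
# CONSTRUCTED second trace (not from any bug): other addresses, different path into virDomainFree.
OTHER = """\
*** glibc detected *** virsh: double free or corruption (fasttop): 0x0000000000c3a2f0 ***
======= Backtrace: =========
/lib/libc.so.6(cfree+0x6c)[0x7f1d2a1b0b8c]
/usr/lib/libvirt.so.0(virFree+0x39)[0x7f1d2d323199]
/usr/lib/libvirt.so.0(virDomainFree+0xbb)[0x7f1d2d3d5feb]
/usr/lib/libvirt.so.0(virConnectClose+0x4b)[0x7f1d2d3d1a4b]
"""
```

A low score on two reports with the same abort message is a prompt to read both traces side by side, not a verdict that the bugs differ.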