From b34c7c91040bf61703407bd24056866d2441bc10 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Mon, 19 Sep 2022 10:18:14 +0200
Subject: [PATCH] virdomainjob: virDomainObjInitJob: Avoid borrowing memory from 'virDomainXMLOption'

The 'cb' and 'jobDataPrivateCb' pointers are stored in the job object but made point to the memory owned by the virDomainXMLOption struct in the callers. Since the 'virdomainjob' module isn't in control the lifetime of the virDomainXMLOption, which in some cases is freed before the domain job data, freed memory would be dereferenced in some cases. Copy the structs from virDomainXMLOption to ensure the lifetime. This is possible since the callback functions are immutable.

Fixes: 84e9fd068ccad6e19e037cd6680df437617e2de5
Signed-off-by: Peter Krempa
Reviewed-by: Martin Kletzander
---
 src/conf/virdomainjob.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/conf/virdomainjob.c b/src/conf/virdomainjob.c
index 7915faa125..aca801af38 100644
--- a/src/conf/virdomainjob.c
+++ b/src/conf/virdomainjob.c
@@ -128,8 +128,8 @@ virDomainObjInitJob(virDomainJobObj *job,
                     virDomainJobDataPrivateDataCallbacks *jobDataPrivateCb)
 {
     memset(job, 0, sizeof(*job));
-    job->cb = cb;
-    job->jobDataPrivateCb = jobDataPrivateCb;
+    job->cb = g_memdup(cb, sizeof(*cb));
+    job->jobDataPrivateCb = g_memdup(jobDataPrivateCb, sizeof(*jobDataPrivateCb));
 
     if (virCondInit(&job->cond) < 0)
         return -1;
@@ -229,6 +229,9 @@ virDomainObjClearJob(virDomainJobObj *job)
 
     if (job->cb && job->cb->freeJobPrivate)
         g_clear_pointer(&job->privateData, job->cb->freeJobPrivate);
+
+    g_clear_pointer(&job->cb, g_free);
+    g_clear_pointer(&job->jobDataPrivateCb, g_free);
 }
 
 void
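Review bot: The two heap copies made by `g_memdup()` in the first hunk are leaked on the `return -1` that follows when `virCondInit(&job->cond)` fails, since the job is now the owner of that memory and the only release path added by this patch is in virDomainObjClearJob, which a caller bailing out of a failed init is unlikely to reach (and which would also destroy the not-yet-initialised condition variables). The least invasive fix is to move the two `g_memdup()` assignments below the last `virCondInit()` check so that the allocations happen only once nothing else in the function can fail; the remainder of virDomainObjInitJob, including any further initialisation that can return -1, lies outside the hunk, so the exact placement needs checking there. Note also that `g_memdup()` takes its size as a `guint` and has been deprecated by GLib since 2.68 in favour of `g_memdup2()`; the `sizeof` arguments here cannot overflow, but if the project's minimum GLib version permits it, `job->cb = g_memdup2(cb, sizeof(*cb));` avoids building against a deprecated symbol. The second hunk's ordering is correct: `job->cb` is released only after `job->cb->freeJobPrivate` has been used on `privateData`.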