Fix use of released vgname and vgid

Avoid using of already released memory when duplicated MDA is found.

As get_pv_from_vg_by_id() may call lvmcache_label_scan() use the local copy
of the vgname and vgid on the stack as vginfo may dissapear and code was
then accessing garbage in memory.

i.e.  pvs  /dev/loop0
(when /dev/loop0 and /dev/loop1 has same MDA content)

Invalid read of size 1
   at 0x523C986: dm_hash_lookup (hash.c:325)
   by 0x440C8C: vginfo_from_vgname (lvmcache.c:399)
   by 0x4605C0: _create_vg_text_instance (format-text.c:1882)
   by 0x46140D: _text_create_text_instance (format-text.c:2243)
   by 0x47EB49: _vg_read (metadata.c:2887)
   by 0x47FBD8: vg_read_internal (metadata.c:3231)
   by 0x477594: get_pv_from_vg_by_id (metadata.c:344)
   by 0x45F07A: _get_pv_if_in_vg (format-text.c:1400)
   by 0x45F0B9: _populate_pv_fields (format-text.c:1414)
   by 0x45F40F: _text_pv_read (format-text.c:1493)
   by 0x480431: _pv_read (metadata.c:3500)
   by 0x4802B2: pv_read (metadata.c:3462)
 Address 0x652ab80 is 0 bytes inside a block of size 4 free'd
   at 0x4C2756E: free (vg_replace_malloc.c:366)
   by 0x442277: _free_vginfo (lvmcache.c:963)
   by 0x44235E: _drop_vginfo (lvmcache.c:992)
   by 0x442B23: _lvmcache_update_vgname (lvmcache.c:1165)
   by 0x443449: lvmcache_update_vgname_and_id (lvmcache.c:1358)
   by 0x443C07: lvmcache_add (lvmcache.c:1492)
   by 0x46588C: _text_read (text_label.c:271)
   by 0x466A65: label_read (label.c:289)
   by 0x4413FC: lvmcache_label_scan (lvmcache.c:635)
   by 0x4605AD: _create_vg_text_instance (format-text.c:1881)
   by 0x46140D: _text_create_text_instance (format-text.c:2243)
   by 0x47EB49: _vg_read (metadata.c:2887)

Add testing script

WHATS_NEW

@@ -1,5 +1,6 @@
 Version 2.02.85 - 
 ===================================
+  Fix use of released memory when duplicate PV is found.
   Add "devices/issue_discards" to lvm.conf.
   Issue discards on lvremove, lvreduce, etc if enabled and supported.
   Fix incorrect tests for dm_snprintf() failure.

lib/format_text/format-text.c

@@ -1395,11 +1395,23 @@ static int _add_raw(struct dm_list *raw_list, struct device_area *dev_area)
 static int _get_pv_if_in_vg(struct lvmcache_info *info,
 			    struct physical_volume *pv)
 {
+	char vgname[NAME_LEN + 1];
+	char vgid[ID_LEN + 1];
+
 	if (info->vginfo && info->vginfo->vgname &&
-	    !is_orphan_vg(info->vginfo->vgname) &&
+	    !is_orphan_vg(info->vginfo->vgname)) {
-	    get_pv_from_vg_by_id(info->fmt, info->vginfo->vgname,
+		/*
-				 info->vginfo->vgid, info->dev->pvid, pv))
+		 * get_pv_from_vg_by_id() may call
-		return 1;
+		 * lvmcache_label_scan() and drop cached
+		 * vginfo so make a local copy of string.
+		 */
+		strcpy(vgname, info->vginfo->vgname);
+		memcpy(vgid, info->vginfo->vgid, sizeof(vgid));
+
+		if (get_pv_from_vg_by_id(info->fmt, vgname, vgid,
+					 info->dev->pvid, pv))
+			return 1;
+	}
 
 	return 0;
 }

lib/metadata/metadata.c

@@ -2771,6 +2771,9 @@ static void check_reappeared_pv(struct volume_group *correct_vg,
  * If precommitted is set, use precommitted metadata if present.
  *
  * Either of vgname or vgid may be NULL.
+ *
+ * Note: vginfo structs must not be held or used as parameters
+ *       across the call to this function.
  */
 static struct volume_group *_vg_read(struct cmd_context *cmd,
 				     const char *vgname,

test/t-pv-duplicate.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Copyright (C) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions
+# of the GNU General Public License v.2.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# 'Exercise duplicate metadata diagnostics'
+
+. lib/test
+
+aux prepare_devs 3
+
+vgcreate -c n --metadatasize 128k $vg1 $dev1
+
+# copy mda
+dd if=$dev1 of=$dev2 bs=256K count=1
+dd if=$dev1 of=$dev3 bs=256K count=1
+
+pvs $dev1
+vgs $vg1