
[Xen-devel] [PATCH] tmem: fix double-free bug



Tmem double-frees a high-level data structure
causing memory corruption under certain
circumstances.

Signed-off-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>

diff -r bec27eb6f72c xen/common/tmem.c
--- a/xen/common/tmem.c Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem.c Mon Nov 16 09:25:14 2009 -0700
@@ -943,7 +943,7 @@ static void client_free(client_t *client
 {
     list_del(&client->client_list);
     tmh_client_destroy(client->tmh);
-    tmem_free(client,sizeof(client_t),NULL);
+    tmh_free_infra(client);
 }
 
 /* flush all data from a client and, optionally, free it */
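
Review bot: The last line of client_free() now releases client with tmh_free_infra(client), but neither this hunk nor the commit message shows which allocator the client_t came from, so the alloc/free pairing cannot be checked from the patch. Please name the allocation site in the changelog and say which object was being freed twice. Note also that client->tmh is passed to tmh_client_destroy() here and nothing in this function frees it afterwards; that matters now that the xfree(tmh) in tmh_client_destroy() is removed further down.
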
diff -r bec27eb6f72c xen/common/tmem_xen.c
--- a/xen/common/tmem_xen.c     Sat Nov 14 10:32:59 2009 +0000
+++ b/xen/common/tmem_xen.c     Mon Nov 16 09:25:14 2009 -0700
@@ -294,7 +294,7 @@ EXPORT tmh_client_t *tmh_client_init(voi
     if ( (tmh = xmalloc(tmh_client_t)) == NULL )
         return NULL;
     for (i = 0, shift = 12; i < 4; shift -=4, i++)
-        name[i] = ((unsigned short)domid >> shift) & 0xf;
+        name[i] = (((unsigned short)domid >> shift) & 0xf) + '0';
     name[4] = '\0';
 #ifndef __i386__
     tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
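
Review bot: Adding '0' in the name[i] assignment only yields a digit for nibble values 0 to 9; for 10 to 15 it produces ':' through '?' in the pool name, not a hex letter. If the intent is a four-character hex rendering of domid, index a digit string instead, for example "0123456789abcdef"[((unsigned short)domid >> shift) & 0xf]. This change is also unrelated to the double-free described in the commit message and should be mentioned there or split out; it does look like a real fix in its own right, since the old code stored raw nibble values and a zero nibble would terminate the name early.
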
@@ -315,7 +315,6 @@ EXPORT void tmh_client_destroy(tmh_clien
     xmem_pool_destroy(tmh->persistent_pool);
 #endif
     put_domain(tmh->domain);
-    xfree(tmh);
 }
 
 /******************  XEN-SPECIFIC HOST INITIALIZATION ********************/
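
Review bot: With xfree(tmh) dropped from the end of tmh_client_destroy(), nothing in the visible lines frees the tmh_client_t that tmh_client_init() obtains with xmalloc(tmh_client_t). The only caller shown, client_free(), calls tmh_client_destroy(client->tmh) and then frees client, not client->tmh. Please state in the changelog where tmh is released after this change, and add a comment above tmh_client_destroy() saying that it tears down the pool and drops the domain reference but leaves freeing the structure to the caller.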

Attachment: tmem-doublefree.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

