From: Peter Krempa
Date: Thu, 25 Aug 2016 18:53:06 +0000 (-0400)
Subject: qemu: driver: Fix qemuDomainHelperGetVcpus for sparse vcpu topologies
X-Git-Tag: v2.2.0-rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b6e947b015026bc7bca9acc4283808459c4efd2;p=thirdparty%2Flibvirt.git

qemu: driver: Fix qemuDomainHelperGetVcpus for sparse vcpu topologies

ce43cca0e refactored the helper to prepare it for sparse topologies but forgot to fix the iterator used to fill the structures. This would result into a weirdly sparse populated array and possible out of bounds access and crash once sparse vcpu topologies were allowed.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1369988
---

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 97e2ffc404..671d1ffc2a 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1477,15 +1477,17 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm,
     for (i = 0; i < virDomainDefGetVcpusMax(vm->def) && ncpuinfo < maxinfo; i++) {
         virDomainVcpuDefPtr vcpu = virDomainDefGetVcpu(vm->def, i);
         pid_t vcpupid = qemuDomainGetVcpuPid(vm, i);
+        virVcpuInfoPtr vcpuinfo = info + ncpuinfo;
 
         if (!vcpu->online)
             continue;
 
         if (info) {
-            info[i].number = i;
-            info[i].state = VIR_VCPU_RUNNING;
+            vcpuinfo->number = i;
+            vcpuinfo->state = VIR_VCPU_RUNNING;
 
-            if (qemuGetProcessInfo(&(info[i].cpuTime), &(info[i].cpu), NULL,
+            if (qemuGetProcessInfo(&vcpuinfo->cpuTime,
+                                   &vcpuinfo->cpu, NULL,
                                    vm->pid, vcpupid) < 0) {
                 virReportSystemError(errno, "%s",
                                      _("cannot get vCPU placement & pCPU time"));
@@ -1494,7 +1496,7 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm,
         }
 
         if (cpumaps) {
-            unsigned char *cpumap = VIR_GET_CPUMAP(cpumaps, maplen, i);
+            unsigned char *cpumap = VIR_GET_CPUMAP(cpumaps, maplen, ncpuinfo);
             virBitmapPtr map = NULL;
 
             if (!(map = virProcessGetAffinity(vcpupid)))
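Review bot: The added `virVcpuInfoPtr vcpuinfo = info + ncpuinfo;` is evaluated on every iteration before the `if (info)` guard, so when a caller passes `info` as NULL (the guard shows that is a supported case) the loop performs pointer arithmetic on a null pointer, which is undefined behaviour in C and is what UBSan reports as applying a non-zero offset to a null pointer. The pointer is never dereferenced on that path, so this is latent rather than live, but the derived pointer should only be formed from a valid base: `virVcpuInfoPtr vcpuinfo = info ? info + ncpuinfo : NULL;`, or move the declaration inside the `if (info)` block. The loop's `ncpuinfo < maxinfo` condition is what keeps `info + ncpuinfo` in bounds; a one-line comment stating that `info`, `cpumaps` and `cpuwait` are all indexed by the count of online vcpus emitted so far rather than by the vcpu id `i` would make the invariant this fix restores explicit for the next refactor. The enclosing function starts and ends outside the hunk.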
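Review bot: `VIR_GET_CPUMAP(cpumaps, maplen, ncpuinfo)` is now indexed by the number of online vcpus emitted so far, which the loop header bounds with `ncpuinfo < maxinfo`, but that only keeps the write in bounds if the caller sized `cpumaps` for `maxinfo` entries of `maplen` bytes; that contract is not visible in this hunk and is worth stating at the call, e.g. `/* cpumaps holds maxinfo entries of maplen bytes; ncpuinfo < maxinfo is enforced by the loop condition */`. The same reliance applies to the `cpuwait[ncpuinfo]` store in the following hunk. The enclosing function starts and ends outside the hunk.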
@@ -1505,7 +1507,7 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm,
         }
 
         if (cpuwait) {
-            if (qemuGetSchedInfo(&(cpuwait[i]), vm->pid, vcpupid) < 0)
+            if (qemuGetSchedInfo(&(cpuwait[ncpuinfo]), vm->pid, vcpupid) < 0)
                 return -1;
         }
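Review bot: The `qemuGetSchedInfo(&(cpuwait[ncpuinfo]), vm->pid, vcpupid) < 0` failure path returns -1 without reporting an error, whereas the `qemuGetProcessInfo` failure earlier in the same loop calls `virReportSystemError` before returning; unless qemuGetSchedInfo reports its own error (its body is not visible here), the caller receives a bare failure with no message. If it does not, mirror the earlier branch with a `virReportSystemError(errno, "%s", ...)` call before the `return -1;`, or add a comment at the call noting that the helper reports the error itself. This is pre-existing behaviour the commit only re-indexes, but the changed line is the right place to settle it. The enclosing function starts and ends outside the hunk, and the hunk's trailing context line may have been trimmed from this page.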