On Thu, Jun 09, 2022 at 05:00:46PM +0100, Daniel P. Berrangé wrote:
> Well it isn't use-after-free, because we've cleared the
> pointer we freed.

Yes, indeed that's what I meant to say!

> > It seems a bit of an odd function however. Wouldn't it be better to
> > change the Bytes function so that it tests if the pointer is NULL and
> > panics?
>
> In theory I guess both should be equivalent in terms of
> semantics for the caller.
>
> Also I feel like 'Free' ought to set 'b.Size = 0' after
> it set 'b.P = nil'. That should solve the problem for
> the Bytes & Slice method tests at least, but probably not
> the Get method test.

Making this change has very unexpected effects (although I think I
partially understand what's going on). Note this is replicable on
x86-64.

  === RUN TestAioBufferBytesAfterFree
  libnbd_020_aio_buffer_test.go:108: Did not recover from panic calling Bytes() after Free()
  --- FAIL: TestAioBufferBytesAfterFree (0.00s)

This is failing because C.GoBytes does _not_ segfault, since it is
being asked to memcpy a zero length buffer.

  === RUN TestAioBufferSliceAfterFree
  --- PASS: TestAioBufferSliceAfterFree (0.00s)

I think I understand why this test now passes, because of the way that
slices are created using b.Size which is now 0.

  === RUN TestAioBufferGetAfterFree
  --- PASS: TestAioBufferGetAfterFree (0.00s)

Why does this test now pass?! It's still dereferencing a NULL
pointer. I wonder why Get doesn't do bounds checking? That seems
like a general bug.

> > NB: this _does not_ address the other problem where GODEBUG=cgocheck=2
> > complains about "fatal error: Go pointer stored into non-Go memory".
>
> Maybe that message across comes from the Go signal handler that's
> trying to cope with the SEGV from the NULL reference, causing it
> to trip over itself & thus not turn the problem into a panic.

We're rebuilding the latest Fedora packages, so my plan here is to try
with the newest golang when it becomes available and hope it's been
fixed upstream (if it's a golang problem).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
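
The alternative raised in this thread, an explicit NULL test that panics instead of relying on a SIGSEGV, together with a bounds check in Get, sketched as an added example that is not code from libnbd or from either poster. AioBuffer, MakeAioBuffer and Panics as written here are hypothetical, and the buffer is Go-allocated rather than C memory so that the example runs without cgo.

```go
package main

import (
	"fmt"
	"unsafe"
)

// AioBuffer is a hypothetical stand-in; P is Go memory here, C memory in the binding.
type AioBuffer struct {
	P    unsafe.Pointer
	Size uint
}

// MakeAioBuffer allocates a zeroed buffer; size must be at least 1.
func MakeAioBuffer(size uint) AioBuffer {
	mem := make([]byte, size)
	return AioBuffer{P: unsafe.Pointer(&mem[0]), Size: size}
}

func (b *AioBuffer) Free() { b.P, b.Size = nil, 0 } // clears pointer and size

// Bytes tests P itself: with Size zeroed by Free, a zero-length copy would not fault.
func (b *AioBuffer) Bytes() []byte {
	if b.P == nil {
		panic("AioBuffer: Bytes called after Free")
	}
	return append([]byte(nil), unsafe.Slice((*byte)(b.P), b.Size)...)
}

// Get rejects a freed buffer and any index outside [0, Size).
func (b *AioBuffer) Get(i uint) *byte {
	if b.P == nil || i >= b.Size {
		panic(fmt.Sprintf("AioBuffer: Get(%d) on freed buffer or outside [0,%d)", i, b.Size))
	}
	return (*byte)(unsafe.Add(b.P, i))
}

// Panics reports whether f panicked.
func Panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	b := MakeAioBuffer(4)
	fmt.Println(b.Bytes(), Panics(func() { b.Get(4) }))
	b.Free()
	fmt.Println(Panics(func() { b.Bytes() }), Panics(func() { b.Get(0) }))
}
```

With the checks in the accessors, the AfterFree behaviour no longer depends on whether a zero-length copy or a NULL dereference happens to fault on a given platform.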