From 04d2a7f2533b4d87c1435b5ea589dc1ab10efd36 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Thu, 3 Nov 2011 17:24:32 -0600
Subject: [PATCH] lxc: avoid use-after-free

I got this weird failure:

error: Failed to start domain simple
error: internal error cannot mix caller fds with blocking execution

and tracked it down to a use-after-free - virCommandSetOutputFD
was storing the address of a stack-local variable, which then
went out of scope before the virCommandRun that dereferenced it.

Bug introduced in commit 451cfd05 (0.9.2).

* src/lxc/lxc_driver.c (lxcBuildControllerCmd): Move log fd
registration...
(lxcVmStart): ...to caller.
---
 src/lxc/lxc_driver.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index d6e5e20453..37092bc976 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1449,7 +1449,6 @@ lxcBuildControllerCmd(lxc_driver_t *driver,
                       char **veths,
                       int *ttyFDs,
                       size_t nttyFDs,
-                      int logfile,
                       int handshakefd)
 {
     size_t i;
@@ -1524,8 +1523,6 @@ lxcBuildControllerCmd(lxc_driver_t *driver,
     }
 
     virCommandPreserveFD(cmd, handshakefd);
-    virCommandSetOutputFD(cmd, &logfile);
-    virCommandSetErrorFD(cmd, &logfile);
 
     return cmd;
 cleanup:
@@ -1747,8 +1744,10 @@ static int lxcVmStart(virConnectPtr conn,
                                       vm,
                                       nveths, veths,
                                       ttyFDs, nttyFDs,
-                                      logfd, handshakefds[1])))
+                                      handshakefds[1])))
         goto cleanup;
+    virCommandSetOutputFD(cmd, &logfd);
+    virCommandSetErrorFD(cmd, &logfd);
 
     /* Log timestamp */
     if ((timestamp = virTimestamp()) == NULL) {