From 0d386a51e067e5a1097131ee2aea025135f8489d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 7 Jan 2016 13:40:18 +0100
Subject: [PATCH] Add realloc fixes

---
 ...ing-dereferencing-in-must_strcat_pid.patch | 29 ++++++++++++++
 ...k-in-realloc-loop-in-must_strcat_pid.patch | 34 +++++++++++++++++
 ...gfs-fix-dorealloc-s-batch-allocation.patch | 38 +++++++++++++++++++
 debian/patches/series | 3 ++
 4 files changed, 104 insertions(+)
 create mode 100644 debian/patches/0001-fix-missing-dereferencing-in-must_strcat_pid.patch
 create mode 100644 debian/patches/0003-fix-leak-in-realloc-loop-in-must_strcat_pid.patch
 create mode 100644 debian/patches/0004-cgfs-fix-dorealloc-s-batch-allocation.patch

diff --git a/debian/patches/0001-fix-missing-dereferencing-in-must_strcat_pid.patch b/debian/patches/0001-fix-missing-dereferencing-in-must_strcat_pid.patch
new file mode 100644
index 0000000..06fe5ce
--- /dev/null
+++ b/debian/patches/0001-fix-missing-dereferencing-in-must_strcat_pid.patch
@@ -0,0 +1,29 @@
+From ab9a41700a2b9d422ab0fda1fe3873b4ae70b47b Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Thu, 7 Jan 2016 11:23:24 +0100
+Subject: [PATCH lxcfs 1/5] fix missing dereferencing in must_strcat_pid
+
+Fixes a segfault when reading a /tasks file of a cgroup
+containing a large number of pids.
+
+Signed-off-by: Wolfgang Bumiller
+---
+ lxcfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lxcfs.c b/lxcfs.c
+index fe5ac3e..767a344 100644
+--- a/lxcfs.c
++++ b/lxcfs.c
+@@ -85,7 +85,7 @@ static void must_strcat_pid(char **src, size_t *sz, size_t *asz, pid_t pid)
+ } while (!d);
+ *src = d;
+ *asz = BUF_RESERVE_SIZE;
+- } else if (strlen(tmp) + sz + 1 >= asz) {
++ } else if (strlen(tmp) + *sz + 1 >= *asz) {
+ do {
+ d = realloc(d, *asz + BUF_RESERVE_SIZE);
+ } while (!d);
+--
+2.1.4
+
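Review bot: The corrected guard on the new `} else if (strlen(tmp) + *sz + 1 >= *asz) {` line grows the buffer by exactly one BUF_RESERVE_SIZE step, so it is only sufficient if BUF_RESERVE_SIZE is at least as long as the longest formatted pid plus its terminator; the constant is not visible in this hunk, so that assumption deserves a comment beside the check, e.g. `/* one BUF_RESERVE_SIZE step must cover strlen(tmp) + 1 */`. The old expression compiled silently because size_t plus size_t* is legal pointer arithmetic, which is how a crash reachable by merely reading a cgroup's tasks file survived; since lxcfs presumably serves these files to containers, the Debian changelog entry should call this out as a container-triggerable daemon crash rather than a plain bug fix. must_strcat_pid begins before the hunk, and the retry loop on realloc() failure continues after it.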
diff --git a/debian/patches/0003-fix-leak-in-realloc-loop-in-must_strcat_pid.patch b/debian/patches/0003-fix-leak-in-realloc-loop-in-must_strcat_pid.patch
new file mode 100644
index 0000000..bfe6239
--- /dev/null
+++ b/debian/patches/0003-fix-leak-in-realloc-loop-in-must_strcat_pid.patch
@@ -0,0 +1,34 @@
+From cc1d9baadd760a3e6fc757d31569fbf46ad37dbd Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Thu, 7 Jan 2016 11:32:59 +0100
+Subject: [PATCH lxcfs 3/5] fix leak in realloc loop in must_strcat_pid
+
+If the first realloc() call fails then 'd' becomes NULL,
+subsequent realloc() retries will behave like malloc() and
+the the original src pointer is never freed. Further more
+the newly allocated data then contains uninitialized data
+where the previous pids had been stored.
+Avoid this by passing the the original pointer from '*src'
+to realloc().
+
+Signed-off-by: Wolfgang Bumiller
+---
+ lxcfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lxcfs.c b/lxcfs.c
+index 8605000..d738e79 100644
+--- a/lxcfs.c
++++ b/lxcfs.c
+@@ -87,7 +87,7 @@ static void must_strcat_pid(char **src, size_t *sz, size_t *asz, pid_t pid)
+ *asz = BUF_RESERVE_SIZE;
+ } else if (tmplen + *sz + 1 >= *asz) {
+ do {
+- d = realloc(d, *asz + BUF_RESERVE_SIZE);
++ d = realloc(*src, *asz + BUF_RESERVE_SIZE);
+ } while (!d);
+ *src = d;
+ *asz += BUF_RESERVE_SIZE;
+--
+2.1.4
+
diff --git a/debian/patches/0004-cgfs-fix-dorealloc-s-batch-allocation.patch b/debian/patches/0004-cgfs-fix-dorealloc-s-batch-allocation.patch
new file mode 100644
index 0000000..d4db54b
--- /dev/null
+++ b/debian/patches/0004-cgfs-fix-dorealloc-s-batch-allocation.patch
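Review bot: The context line `} else if (tmplen + *sz + 1 >= *asz) {` in this patch expects a `tmplen` variable, but nothing added to debian/patches/series by this commit introduces it — the upstream set is numbered 1/5, 3/5 and 4/5 here, so 2/5 (and 5/5) are being skipped, and after 0001 the line still reads `} else if (strlen(tmp) + *sz + 1 >= *asz) {`. That means 0003 applies only with fuzz, if at all, and the resulting lxcfs.c should be checked after a quilt push or dpkg-source -x; either import upstream 2/5 ahead of 0003 or regenerate 0003 against the tree 0001 produces. The change itself is right: passing `*src` keeps the original buffer alive across a failed retry, and, as the description notes, stops a fresh malloc-like allocation handing uninitialized heap contents back in place of the pids, which is the disclosure half of this bug. must_strcat_pid begins before the hunk.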
@@ -0,0 +1,38 @@
+From 4d373ffcfee6853662421370fad3df3701573712 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Thu, 7 Jan 2016 12:49:51 +0100
+Subject: [PATCH lxcfs 4/5] cgfs: fix dorealloc's batch allocation
+
+The initial check should use real lengths as with modulo a
+new required length of eg. 52 would be considered smaller
+than an old length of 48 (2 < 48).
+
+To get the 'batches' count 'newlen' must be divided and not
+taken modulo BATCH_SIZE. Otherwise '101', which would need a
+3rd batch to reach 150, would end up with two (2*50 = 100
+bytes) and thereby be truncated instead.
+
+Signed-off-by: Wolfgang Bumiller
+---
+ cgfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cgfs.c b/cgfs.c
+index 0659e9e..681a478 100644
+--- a/cgfs.c
++++ b/cgfs.c
+@@ -75,9 +75,9 @@ static inline void drop_trailing_newlines(char *s)
+ static void dorealloc(char **mem, size_t oldlen, size_t newlen)
+ {
+ int batches;
+- if (newlen % BATCH_SIZE <= oldlen % BATCH_SIZE)
++ if (newlen <= oldlen)
+ return;
+- batches = (newlen % BATCH_SIZE) + 1;
++ batches = (newlen / BATCH_SIZE) + 1;
+ if (!*mem) {
+ do {
+ *mem = malloc(batches * BATCH_SIZE);
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 593580f..345ea63 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
 do-not-start-without-lxcfs.patch
 0001-uptime-fix-pid1-and-reaper_busy-times.patch
+0001-fix-missing-dereferencing-in-must_strcat_pid.patch
+0003-fix-leak-in-realloc-loop-in-must_strcat_pid.patch
+0004-cgfs-fix-dorealloc-s-batch-allocation.patch
--
2.39.2
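Review bot: The new `batches = (newlen / BATCH_SIZE) + 1;` line stores a size_t quotient into `int batches`, and the `malloc(batches * BATCH_SIZE)` below it multiplies in int if BATCH_SIZE is an int constant, so a large enough newlen is narrowed or overflows into an undersized allocation that whatever fills the buffer would then overrun; declaring `size_t batches;` keeps the arithmetic in the caller's type and is a one-line change. Whether newlen can realistically reach that range depends on what dorealloc's callers read from cgroupfs, which is not visible here, but the function now sizes memory purely from that value. The remainder of dorealloc — the realloc branch that the corrected early return also governs — lies outside the hunk, so its use of `batches` should be checked for the same narrowing.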