[Qemu-devel] [PATCH] make check-unit: use after free in test-opts-visito

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH] make check-unit: use after free in test-opts-visito

From:	Andrey Shinkevich
Subject:	[Qemu-devel] [PATCH] make check-unit: use after free in test-opts-visitor
Date:	Wed, 17 Jul 2019 22:06:56 +0300

In struct OptsVisitor, repeated_opts member points to a list in the
unprocessed_opts hash table after the list has been destroyed. A
subsequent call to visit_type_int() references the deleted list. It
results in use-after-free issue. Also, the Visitor object call back
functions are supposed to set the Error parameter in case of failure.

Signed-off-by: Andrey Shinkevich <address@hidden>
---

The issue was detected after running tests/test-opts-visitor under the Valgrind 
tool:

 Invalid read of size 8
   at 0x55ADB95: g_queue_peek_head (in /usr/lib64/libglib-2.0.so.0.5600.1)
   by 0x12FD97: lookup_scalar (opts-visitor.c:310)
   by 0x13008A: opts_type_int64 (opts-visitor.c:395)
   by 0x1299C8: visit_type_int (qapi-visit-core.c:149)
   by 0x119389: test_opts_range_beyond (test-opts-visitor.c:240)

after
 Address 0x9563b30 is 0 bytes inside a block of size 24 free'd
   at 0x4C2ACBD: free (vg_replace_malloc.c:530)
   by 0x55A179D: g_free (in /usr/lib64/libglib-2.0.so.0.5600.1)
   by 0x55B92BF: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.5600.1)
   by 0x12F615: destroy_list (opts-visitor.c:102)
   by 0x558A859: ??? (in /usr/lib64/libglib-2.0.so.0.5600.1)
   by 0x12FC37: opts_next_list (opts-visitor.c:260)
   by 0x1296B1: visit_next_list (qapi-visit-core.c:88)
   by 0x119341: test_opts_range_beyond (test-opts-visitor.c:238)

 qapi/opts-visitor.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/qapi/opts-visitor.c b/qapi/opts-visitor.c
index 324b197..e95f766 100644
--- a/qapi/opts-visitor.c
+++ b/qapi/opts-visitor.c
@@ -228,6 +228,7 @@ opts_start_list(Visitor *v, const char *name, GenericList 
**list, size_t size,
         *list = g_malloc0(size);
     } else {
         *list = NULL;
+        error_setg(errp, QERR_MISSING_PARAMETER, name);
     }
 }
 
@@ -255,9 +256,14 @@ opts_next_list(Visitor *v, GenericList *tail, size_t size)
     case LM_IN_PROGRESS: {
         const QemuOpt *opt;
 
+        if (!ov->repeated_opts) {
+            return NULL;
+        }
+
         opt = g_queue_pop_head(ov->repeated_opts);
         if (g_queue_is_empty(ov->repeated_opts)) {
             g_hash_table_remove(ov->unprocessed_opts, opt->name);
+            ov->repeated_opts = NULL;
             return NULL;
         }
         break;
@@ -307,6 +313,10 @@ lookup_scalar(const OptsVisitor *ov, const char *name, 
Error **errp)
         return list ? g_queue_peek_tail(list) : NULL;
     }
     assert(ov->list_mode == LM_IN_PROGRESS);
+    if (!ov->repeated_opts) {
+        error_setg(errp, QERR_INVALID_PARAMETER, name);
+        return NULL;
+    }
     return g_queue_peek_head(ov->repeated_opts);
 }
 
-- 
1.8.3.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] make check-unit: use after free in test-opts-visitor, Andrey Shinkevich <=

Prev by Date: Re: [Qemu-devel] [QEMU] [PATCH v5 0/8] Add Qemu to SeaBIOS LCHS interface
Next by Date: Re: [Qemu-devel] [PATCH v3] qapi: add dirty-bitmaps to query-named-block-nodes result
Previous by thread: [Qemu-devel] [PATCH v3] qapi: add dirty-bitmaps to query-named-block-nodes result
Next by thread: [Qemu-devel] [PATCH for-4.2 v2 0/2] spapr: Implement H_TPM_COMM for accessing host TPM device
Index(es):
- Date
- Thread