From: Luiz Capitulino <lcapitulino@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
famz@redhat.com, zhanghailiang <zhang.zhanghailiang@huawei.com>,
coreyb@linux.vnet.ibm.com, qemu-devel@nongnu.org,
Igor Mammedov <imammedo@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] monitor: fix use after free
Date: Tue, 19 Aug 2014 08:55:31 -0400 [thread overview]
Message-ID: <20140819085531.0fff5690@redhat.com> (raw)
In-Reply-To: <20140818200331.GA31062@redhat.com>
On Mon, 18 Aug 2014 22:03:31 +0200
"Michael S. Tsirkin" <mst@redhat.com> wrote:
> On Mon, Aug 18, 2014 at 02:05:46PM -0400, Luiz Capitulino wrote:
> > On Sun, 17 Aug 2014 11:45:17 +0200
> > "Michael S. Tsirkin" <mst@redhat.com> wrote:
> >
> > > The function monitor_fdset_dup_fd_find_remove() references member of
> > > 'mon_fdset' which - when remove flag is set - may be freed in function
> > > monitor_fdset_cleanup().
> > > remove is set by monitor_fdset_dup_fd_remove which in practice
> > > does not need the returned value, so make it void,
> > > and return -1 from monitor_fdset_dup_fd_find_remove.
> > >
> > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > > Reported-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
> >
> > I've applied this one to the qmp tree, but I have one comment below.
> >
> > > ---
> > > include/monitor/monitor.h | 2 +-
> > > monitor.c | 8 +++++---
> > > stubs/fdset-remove-fd.c | 3 +--
> > > 3 files changed, 7 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
> > > index 3d6929d..78a5fc8 100644
> > > --- a/include/monitor/monitor.h
> > > +++ b/include/monitor/monitor.h
> > > @@ -64,7 +64,7 @@ AddfdInfo *monitor_fdset_add_fd(int fd, bool has_fdset_id, int64_t fdset_id,
> > > Error **errp);
> > > int monitor_fdset_get_fd(int64_t fdset_id, int flags);
> > > int monitor_fdset_dup_fd_add(int64_t fdset_id, int dup_fd);
> > > -int monitor_fdset_dup_fd_remove(int dup_fd);
> > > +void monitor_fdset_dup_fd_remove(int dup_fd);
> > > int monitor_fdset_dup_fd_find(int dup_fd);
> > >
> > > #endif /* !MONITOR_H */
> > > diff --git a/monitor.c b/monitor.c
> > > index cdbaa60..ba1908f 100644
> > > --- a/monitor.c
> > > +++ b/monitor.c
> > > @@ -2542,8 +2542,10 @@ static int monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)
> > > if (QLIST_EMPTY(&mon_fdset->dup_fds)) {
> > > monitor_fdset_cleanup(mon_fdset);
> > > }
> > > + return -1;
> >
> > Returning -1 here looks wrong. A better fix is probably to split this
> > function into two functions as it's doing two unrelated things currently.
> >
> > I've applied the fix anyway because the only user of remove=true doesn't
> > care about the return value and also because the bad semantic is less worse
> > than the use after free...
>
>
> I agree generally, it's just that I don't understand this function.
> For example, doesn't it leak memory? When
> monitor_fdset_dup_fd_find_remove drops a MonFdsetFd entry from list, it does
> not seem to free it.
It seems so. Corey, are you still around? Can you take a look at this?
>
>
>
> > > + } else {
> > > + return mon_fdset->id;
> > > }
> > > - return mon_fdset->id;
> > > }
> > > }
> > > }
> > > @@ -2555,9 +2557,9 @@ int monitor_fdset_dup_fd_find(int dup_fd)
> > > return monitor_fdset_dup_fd_find_remove(dup_fd, false);
> > > }
> > >
> > > -int monitor_fdset_dup_fd_remove(int dup_fd)
> > > +void monitor_fdset_dup_fd_remove(int dup_fd)
> > > {
> > > - return monitor_fdset_dup_fd_find_remove(dup_fd, true);
> > > + monitor_fdset_dup_fd_find_remove(dup_fd, true);
> > > }
> > >
> > > int monitor_handle_fd_param(Monitor *mon, const char *fdname)
> > > diff --git a/stubs/fdset-remove-fd.c b/stubs/fdset-remove-fd.c
> > > index b3886d9..7f6d61e 100644
> > > --- a/stubs/fdset-remove-fd.c
> > > +++ b/stubs/fdset-remove-fd.c
> > > @@ -1,7 +1,6 @@
> > > #include "qemu-common.h"
> > > #include "monitor/monitor.h"
> > >
> > > -int monitor_fdset_dup_fd_remove(int dupfd)
> > > +void monitor_fdset_dup_fd_remove(int dupfd)
> > > {
> > > - return -1;
> > > }
>
prev parent reply other threads:[~2014-08-19 12:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-17 9:45 [Qemu-devel] [PATCH] monitor: fix use after free Michael S. Tsirkin
2014-08-18 18:05 ` Luiz Capitulino
2014-08-18 20:03 ` Michael S. Tsirkin
2014-08-19 12:55 ` Luiz Capitulino [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140819085531.0fff5690@redhat.com \
--to=lcapitulino@redhat.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=famz@redhat.com \
--cc=imammedo@redhat.com \
--cc=kwolf@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=zhang.zhanghailiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.