From: Juan Quintela <quintela@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-4.0] migration/ram.c: Fix use-after-free in multifd_recv_unfill_packet()
Date: Tue, 09 Apr 2019 17:46:42 +0200
Message-ID: <87ef6byye5.fsf@trasno.org>
In-Reply-To: <20190409151830.6024-1-peter.maydell@linaro.org> (Peter Maydell's message of "Tue, 9 Apr 2019 16:18:30 +0100")

Peter Maydell <peter.maydell@linaro.org> wrote:
> Coverity points out (CID 1400442) that in this code:
>
>     if (packet->pages_alloc > p->pages->allocated) {
>         multifd_pages_clear(p->pages);
>         multifd_pages_init(packet->pages_alloc);
>     }
>
> we free p->pages in multifd_pages_clear() but continue to
> use it in the following code. We also leak memory, because
> multifd_pages_init() returns the pointer to a new MultiFDPages_t
> struct but we are ignoring its return value.
>
> Fix both of these bugs by adding the missing assignment of
> the newly created struct to p->pages.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---

ouch,

good catch.

Reviewed-by: Juan Quintela <quintela@redhat.com>
> I don't know anything about the multifd code, but this seems like
> the obvious fix based on looking at what the clear and init
> functions are doing. I have only run 'make check' on this,
> so review and testing definitely in order. I think we should
> really put this into 4.0, which means ideally I'd like to
> commit it to master today or tomorrow, though...
> ---
>  migration/ram.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/migration/ram.c b/migration/ram.c
> index f68beeeeffc..1ca9ba77b6a 100644
> --- a/migration/ram.c
> +++ b/migration/ram.c
> @@ -851,7 +851,7 @@ static int multifd_recv_unfill_packet(MultiFDRecvParams *p, Error **errp)
>       */
>      if (packet->pages_alloc > p->pages->allocated) {
>          multifd_pages_clear(p->pages);
> -        multifd_pages_init(packet->pages_alloc);
> +        p->pages = multifd_pages_init(packet->pages_alloc);
>      }
>  
>      p->pages->used = be32_to_cpu(packet->pages_used);
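Review bot: the new `p->pages = multifd_pages_init(packet->pages_alloc);` line removes both the dangling pointer and the leak, but the trailing context line `p->pages->used = be32_to_cpu(packet->pages_used);` still dereferences the fresh pointer unconditionally, so it is worth confirming that multifd_pages_init() cannot return NULL, or otherwise setting errp and returning an error before that line. Since packet->pages_alloc is taken from the received packet, the allocation size here is driven by the peer; the hunk does not show whether an upper bound on pages_alloc is enforced earlier in multifd_recv_unfill_packet(), which should be checked in the surrounding code rather than assumed.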
