From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH for-2.6 1/3] QemuOpts: Fix qemu_opts_foreach() dangling location regression
Date: Wed, 27 Apr 2016 16:29:07 +0200 [thread overview]
Message-ID: <1461767349-15329-2-git-send-email-armbru@redhat.com> (raw)
In-Reply-To: <1461767349-15329-1-git-send-email-armbru@redhat.com>
qemu_opts_foreach() pushes and pops a Location with automatic storage
duration. Except it fails to pop when @func() returns non-zero.
cur_loc then points to unused stack space, and will most likely get
clobbered in short order.
Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.
Affects several qemu command line options as well as qemu-img,
qemu-io, qemu-nbd -object, and blkdebug's configuration file.
Broken in commit a4c7367, v2.4.0.
Reproducer:
$ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar
main() reports "Property '.foo' not found" like this:
if (qemu_opts_foreach(qemu_find_opts("object"),
user_creatable_add_opts_foreach,
object_create_delayed, &err)) {
error_report_err(err);
exit(1);
}
cur_loc then points to where qemu_opts_foreach()'s Location used to
be, i.e. unused stack space. With optimization, this Location doesn't
get clobbered for me, and also happens to be the correct location.
Without optimization, it does get clobbered in a way that makes
error_report_err() report no location.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
util/qemu-option.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/util/qemu-option.c b/util/qemu-option.c
index dd9e73d..3467dc2 100644
--- a/util/qemu-option.c
+++ b/util/qemu-option.c
@@ -1108,19 +1108,19 @@ int qemu_opts_foreach(QemuOptsList *list, qemu_opts_loopfunc func,
{
Location loc;
QemuOpts *opts;
- int rc;
+ int rc = 0;
loc_push_none(&loc);
QTAILQ_FOREACH(opts, &list->head, next) {
loc_restore(&opts->loc);
rc = func(opaque, opts, errp);
if (rc) {
- return rc;
+ break;
}
assert(!errp || !*errp);
}
loc_pop(&loc);
- return 0;
+ return rc;
}
static size_t count_opts_list(QemuOptsList *list)
--
2.5.5
next prev parent reply other threads:[~2016-04-27 14:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-27 14:29 [Qemu-devel] [PATCH for-2.6 0/3] Fix dangling pointers and error message regressions Markus Armbruster
2016-04-27 14:29 ` Markus Armbruster [this message]
2016-04-27 14:42 ` [Qemu-devel] [PATCH for-2.6 1/3] QemuOpts: Fix qemu_opts_foreach() dangling location regression Eric Blake
2016-04-27 14:29 ` [Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure() Markus Armbruster
2016-04-27 14:57 ` Eric Blake
2016-04-27 16:39 ` Eduardo Habkost
2016-04-27 14:29 ` [Qemu-devel] [PATCH for-2.6 3/3] qom: -object error messages lost location, restore it Markus Armbruster
2016-04-27 14:49 ` Daniel P. Berrange
2016-04-27 15:36 ` Markus Armbruster
2016-04-27 15:25 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1461767349-15329-2-git-send-email-armbru@redhat.com \
--to=armbru@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).