Date: Mon, 13 Aug 2007 20:06:41 +0100
From: "Daniel P. Berrange"
Message-ID: <20070813190641.GA30789@redhat.com>
Subject: [Qemu-devel] PATCH: Avoid SEGV in IOHandler dispatch
To: qemu-devel
List-Id: qemu-devel.nongnu.org

The code in main_loop_wait() which handles dispatching of IOHandlers only
checks the 'deleted' flag once per iteration. If a handler was registered
for both read & write events initially, and the read callback removes the
handler, then the write callback will be set to NULL. If select() reported
that there was a write event pending as well, then this will lead to QEMU
crashing when trying to invoke the NULL write callback.

A similar problem occurs if the handler was registered for read+write, and
the read handler updates it to only select for read in the future - the
write callback will be set to NULL.

The attached patch adds necessary checks to protect against this problem.

Signed-off-by: Daniel P. Berrange

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

Content-Disposition: attachment; filename="iohandler-delete.patch"

diff -r 25b9628b6900 vl.c
--- a/vl.c	Wed Aug 08 15:02:59 2007 -0400
+++ b/vl.c	Mon Aug 13 15:02:22 2007 -0400
@@ -6453,12 +6453,10 @@ void main_loop_wait(int timeout) IOHandlerRecord **pioh; for(ioh = first_io_handler; ioh != NULL; ioh = ioh->next) { - if (ioh->deleted) - continue; - if (FD_ISSET(ioh->fd, &rfds)) { + if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) { ioh->fd_read(ioh->opaque); } - if (FD_ISSET(ioh->fd, &wfds)) { + if (!ioh->deleted && ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) { ioh->fd_write(ioh->opaque); } } --Nq2Wo0NMKNjxTN9z--
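Review bot: the second `!ioh->deleted` test in this hunk is deliberate rather than redundant, because `ioh->fd_read(ioh->opaque)` may mark the record deleted or clear `ioh->fd_write` before the write branch is reached; a one-line comment above the write check saying that the flag and pointer are re-read on purpose would stop a later cleanup from hoisting the test back to the top of the loop. The guards also rely on the read callback only setting `deleted` (and never freeing the record), since `ioh = ioh->next` is evaluated after both callbacks return; that invariant is worth stating next to the check. The dropped `continue` is fine as written: a deleted record now falls through to the end of the loop body, and both branches are guarded.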
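The failure mode the cover letter describes, as an added example that is not QEMU's code and not part of the patch: a miniature of the IOHandlerRecord list and the main_loop_wait() dispatch loop, run once with the pre-patch logic and once with the patch's guards. The record fields and globals (IOHandlerRecord, first_io_handler, fd_read, fd_write, deleted) mirror the hunk; the registration helper set_fd_handler(), the gc_deleted() pass, the dispatch() flag and the two scenarios are constructed for this demo. Removal is modelled the way the email states it (the callbacks are cleared and the record is marked deleted), and a NULL callback is counted instead of invoked so the bug surfaces as a return value rather than as a SIGSEGV.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>

typedef void IOHandlerFn(void *opaque);

typedef struct IOHandlerRecord {
    int fd;
    IOHandlerFn *fd_read;
    IOHandlerFn *fd_write;
    void *opaque;
    int deleted;                     /* removal is deferred; dispatch must honour it */
    struct IOHandlerRecord *next;
} IOHandlerRecord;

static IOHandlerRecord *first_io_handler;

/* Constructed helper: register, update, or (both callbacks NULL) remove the
 * handler for fd. Removal clears the callbacks and sets 'deleted', as the
 * email describes; the record itself is freed later by gc_deleted(). */
static int set_fd_handler(int fd, IOHandlerFn *fd_read, IOHandlerFn *fd_write, void *opaque)
{
    IOHandlerRecord *ioh;
    for (ioh = first_io_handler; ioh != NULL; ioh = ioh->next)
        if (ioh->fd == fd)
            break;
    if (!fd_read && !fd_write) {
        if (ioh) { ioh->fd_read = NULL; ioh->fd_write = NULL; ioh->deleted = 1; }
        return 0;
    }
    if (!ioh) {
        ioh = calloc(1, sizeof *ioh);
        if (!ioh)
            return -1;
        ioh->next = first_io_handler;
        first_io_handler = ioh;
    }
    ioh->fd = fd; ioh->fd_read = fd_read; ioh->fd_write = fd_write;
    ioh->opaque = opaque; ioh->deleted = 0;
    return 0;
}

/* Free records marked deleted, after dispatch, via a pointer-to-pointer cursor. */
static void gc_deleted(void)
{
    IOHandlerRecord **pioh = &first_io_handler;
    while (*pioh) {
        IOHandlerRecord *ioh = *pioh;
        if (ioh->deleted) { *pioh = ioh->next; free(ioh); }
        else pioh = &ioh->next;
    }
}

/* recheck == 0: pre-patch logic, 'deleted' tested once at the top of the loop.
 * recheck == 1: the patch's guards, re-evaluated after fd_read has run.
 * Returns how many NULL callbacks would have been invoked (0 = no crash). */
static int dispatch(fd_set *rfds, fd_set *wfds, int recheck)
{
    IOHandlerRecord *ioh;
    int null_calls = 0;
    for (ioh = first_io_handler; ioh != NULL; ioh = ioh->next) {
        if (ioh->deleted)
            continue;
        if (FD_ISSET(ioh->fd, rfds)) {
            if (ioh->fd_read) ioh->fd_read(ioh->opaque); else null_calls++;
        }
        /* fd_read may have removed or narrowed this handler; the patch re-checks here. */
        if (recheck && (ioh->deleted || !ioh->fd_write))
            continue;
        if (FD_ISSET(ioh->fd, wfds)) {
            if (ioh->fd_write) ioh->fd_write(ioh->opaque); else null_calls++;
        }
    }
    return null_calls;
}

/* Constructed scenarios: the read callback either unregisters the handler
 * or re-registers it for reads only, both while the write event is pending. */
enum { SCENARIO_UNREGISTER = 0, SCENARIO_READ_ONLY = 1 };
static int g_fd = 5;                 /* constructed fd number; only a bit index in fd_set */
static int g_scenario;

static void on_write(void *opaque) { (void)opaque; }
static void on_read(void *opaque)
{
    if (g_scenario == SCENARIO_UNREGISTER)
        set_fd_handler(*(int *)opaque, NULL, NULL, NULL);
    else
        set_fd_handler(*(int *)opaque, on_read, NULL, opaque);
}

int run_scenario(int scenario, int recheck)
{
    fd_set rfds, wfds;
    int nulls;
    g_scenario = scenario;
    set_fd_handler(g_fd, on_read, on_write, &g_fd);
    FD_ZERO(&rfds); FD_ZERO(&wfds);
    FD_SET(g_fd, &rfds); FD_SET(g_fd, &wfds);   /* pretend select() reported both */
    nulls = dispatch(&rfds, &wfds, recheck);
    set_fd_handler(g_fd, NULL, NULL, NULL);     /* tear down for the next run */
    gc_deleted();
    return nulls;
}

int main(void)
{
    printf("unregister: old=%d new=%d\n", run_scenario(SCENARIO_UNREGISTER, 0), run_scenario(SCENARIO_UNREGISTER, 1));
    printf("read-only : old=%d new=%d\n", run_scenario(SCENARIO_READ_ONLY, 0), run_scenario(SCENARIO_READ_ONLY, 1));
    return 0;
}
```

Both scenarios yield one would-be NULL call under the old loop and none under the guarded loop, which is exactly the two cases the cover letter lists. The pointer-to-pointer sweep in gc_deleted() is the reason the callbacks may only set the flag: freeing the record from inside fd_read would leave the dispatch loop's `ioh->next` reading freed memory.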