* [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Alex Kompel @ 2017-01-06 23:48 UTC
To: qemu-devel; +Cc: Marcel Apfelbaum, Michael S. Tsirkin

object_property_set_bool(OBJECT(dev), true, "realized", &err) in
pci_nic_init_nofail may release the object if the device fails to
initialize, which leads to a use-after-free in the error handling block.
qdev_init_nofail does the same thing while holding the reference.

(gdb) run -net nic
qemu-system-x86_64: failed to find romfile "efi-e1000.rom"

Program received signal SIGSEGV, Segmentation fault.
object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
440     in qom/object.c
(gdb) bt
#0  object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
#1  0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460 <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>, default_devaddr=<optimized out>) at hw/pci/pci.c:1812
#2  0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610, pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
#3  0x00005555558021ad in pc_init1 (machine=0x55555661ee10, pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e "i440FX-pcihost") at hw/i386/pc_piix.c:241
#4  0x00005555557519cb in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4481

Signed-off-by: Alex Kompel <barbos@gmail.com>
---
 hw/pci/pci.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 24fae16..2fd1b9e 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
PCIBus *rootbus,
 pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
 dev = &pci_dev->qdev;
 qdev_set_nic_properties(dev, nd);
-
- object_property_set_bool(OBJECT(dev), true, "realized", &err);
- if (err) {
- error_report_err(err);
- object_unparent(OBJECT(dev));
- exit(1);
- }
+ qdev_init_nofail(dev);

 return pci_dev;
 }
--
2.8.3
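Review bot: the `err` variable that the removed `object_property_set_bool(OBJECT(dev), true, "realized", &err);` line used has no remaining use in this function once the hunk is applied, and the diffstat (1 insertion, 7 deletions) accounts for exactly the lines shown here, so if `err` is declared at function scope (its declaration is outside the hunk) it is now an unused variable and the same patch should drop that declaration. The substitution itself is sound as far as the visible lines go: the description states that `qdev_init_nofail` performs the same realize-and-report sequence while holding a reference, which is what keeps the object alive under the caller in the failure path the removed block got wrong. One more thing to note: the `@@` header line is wrapped after `NICInfo *nd,` (the `PCIBus *rootbus,` continuation sits on its own line), so this copy of the patch will not apply with `git am` until that line is rejoined.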
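The lifetime problem the patch description reports, reduced to a toy C model so the two call patterns can be compared. This is an added illustration, not QEMU code: `device_t`, `realize_device()` and its unparent-on-failure behaviour are constructed stand-ins for the QOM object, the "realized" property setter and the bus-held reference, and the last unref sets a `freed` flag instead of calling free() so the stale access is detected rather than segfaulting.

```c
/* Toy model of the lifetime bug the patch fixes: a device is a refcounted
 * object whose parent bus holds one reference. realize_device() stands in
 * for setting the "realized" property and, on failure, unparents the device
 * (constructed to mirror the behaviour the patch description reports). */
#include <stdbool.h>

typedef struct {
    int  refcount;
    bool has_parent;
    bool freed;        /* set instead of free() so a stale access is detectable */
} device_t;
static void device_ref(device_t *d)   { d->refcount++; }
static void device_unref(device_t *d) { if (--d->refcount == 0) d->freed = true; }

/* Detach from the bus and drop the bus's reference; false = use-after-free. */
static bool device_unparent(device_t *d)
{
    if (d->freed) return false;
    if (d->has_parent) { d->has_parent = false; device_unref(d); }
    return true;
}

/* Stand-in for the "realized" setter; on failure the device is unparented. */
static int realize_device(device_t *d, bool fail)
{
    if (fail) device_unparent(d);
    return fail ? -1 : 0;
}

static device_t create_device(void) { device_t d = {1, true, false}; return d; }

/* Both init variants return 0 (realized), 1 (realize failed, error handled
 * on a live object) or -1 (the error path touched released memory). */
int init_without_ref(bool fail)          /* the removed pci_nic_init_nofail path */
{
    device_t d = create_device();
    if (realize_device(&d, fail) < 0) {
        return device_unparent(&d) ? 1 : -1;   /* -1: d was already released */
    }
    return 0;
}

int init_with_ref(bool fail)             /* the qdev_init_nofail pattern */
{
    device_t d = create_device();
    device_ref(&d);                      /* pin d across the call that may unparent it */
    int rc = realize_device(&d, fail);
    int result = d.freed ? -1 : (rc < 0 ? 1 : 0);
    device_unref(&d);                    /* last use; now d may really go away */
    return result;
}
```

The only difference between the two functions is the ref/unref pair around the realize call; with it, the bus dropping its reference on failure leaves the caller's reference intact, so the error can be reported and the process exited without touching released memory.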
* Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Michael S. Tsirkin @ 2017-01-08 4:00 UTC
To: Alex Kompel; +Cc: qemu-devel, Marcel Apfelbaum, Jason Wang

On Fri, Jan 06, 2017 at 03:48:27PM -0800, Alex Kompel wrote:
> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
> pci_nic_init_nofail may release the object if the device fails to
> initialize, which leads to a use-after-free in the error handling block.
> qdev_init_nofail does the same thing while holding the reference.
>
> (gdb) run -net nic
> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>
> Program received signal SIGSEGV, Segmentation fault.
> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
> 440 in qom/object.c
> (gdb) bt
> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
> "i440FX-pcihost") at hw/i386/pc_piix.c:241
> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
> out>, envp=<optimized out>) at vl.c:4481
>
> Signed-off-by: Alex Kompel <barbos@gmail.com>

More a nic thing than pci really ...

Jason, could you pls merge this?

Acked-by: Michael S. Tsirkin <mst@redhat.com>

> ---
>  hw/pci/pci.c | 8 +-------
>  1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 24fae16..2fd1b9e 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
> PCIBus *rootbus,
> pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
> dev = &pci_dev->qdev;
> qdev_set_nic_properties(dev, nd);
> -
> - object_property_set_bool(OBJECT(dev), true, "realized", &err);
> - if (err) {
> - error_report_err(err);
> - object_unparent(OBJECT(dev));
> - exit(1);
> - }
> + qdev_init_nofail(dev);
>
> return pci_dev;
> }
> --
> 2.8.3
* Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Jason Wang @ 2017-01-09 4:04 UTC
To: Michael S. Tsirkin, Alex Kompel; +Cc: qemu-devel, Marcel Apfelbaum

On 2017-01-08 12:00, Michael S. Tsirkin wrote:
> On Fri, Jan 06, 2017 at 03:48:27PM -0800, Alex Kompel wrote:
>> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
>> pci_nic_init_nofail may release the object if the device fails to
>> initialize, which leads to a use-after-free in the error handling block.
>> qdev_init_nofail does the same thing while holding the reference.
>>
>> (gdb) run -net nic
>> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> 440 in qom/object.c
>> (gdb) bt
>> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
>> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
>> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
>> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
>> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
>> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
>> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
>> "i440FX-pcihost") at hw/i386/pc_piix.c:241
>> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
>> out>, envp=<optimized out>) at vl.c:4481
>>
>> Signed-off-by: Alex Kompel <barbos@gmail.com>
> More a nic thing than pci really ...
>
> Jason, could you pls merge this?
>
> Acked-by: Michael S. Tsirkin <mst@redhat.com>
>

Ok, will pick.

Thanks
* Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Jason Wang @ 2017-01-09 4:06 UTC
To: Alex Kompel, qemu-devel; +Cc: Marcel Apfelbaum, Michael S. Tsirkin

On 2017-01-07 07:48, Alex Kompel wrote:
> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
> pci_nic_init_nofail may release the object if the device fails to
> initialize, which leads to a use-after-free in the error handling block.
> qdev_init_nofail does the same thing while holding the reference.
>
> (gdb) run -net nic
> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>
> Program received signal SIGSEGV, Segmentation fault.
> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
> 440 in qom/object.c
> (gdb) bt
> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
> "i440FX-pcihost") at hw/i386/pc_piix.c:241
> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
> out>, envp=<optimized out>) at vl.c:4481
>
> Signed-off-by: Alex Kompel <barbos@gmail.com>
> ---
>  hw/pci/pci.c | 8 +-------
>  1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 24fae16..2fd1b9e 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
> PCIBus *rootbus,

Hello, looks like the patch was corrupted, possibly by your email client. Please check; we usually send patches through git send-email.

Thanks

> pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
> dev = &pci_dev->qdev;
> qdev_set_nic_properties(dev, nd);
> -
> - object_property_set_bool(OBJECT(dev), true, "realized", &err);
> - if (err) {
> - error_report_err(err);
> - object_unparent(OBJECT(dev));
> - exit(1);
> - }
> + qdev_init_nofail(dev);
>
> return pci_dev;
> }
> --
> 2.8.3
>
* Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Alex Kompel @ 2017-01-09 5:26 UTC
To: Jason Wang; +Cc: qemu-devel, Marcel Apfelbaum, Michael S. Tsirkin

Looks like this line got wrapped:
"@@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus,"
Sorry about that. Could you unwrap it or use the attached text file?

Thanks,
-Alex

On Sun, Jan 8, 2017 at 8:06 PM, Jason Wang <jasowang@redhat.com> wrote:
>
>
> On 2017-01-07 07:48, Alex Kompel wrote:
>>
>> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
>> pci_nic_init_nofail may release the object if the device fails to
>> initialize, which leads to a use-after-free in the error handling block.
>> qdev_init_nofail does the same thing while holding the reference.
>>
>> (gdb) run -net nic
>> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> 440 in qom/object.c
>> (gdb) bt
>> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
>> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
>> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
>> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
>> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
>> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
>> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
>> "i440FX-pcihost") at hw/i386/pc_piix.c:241
>> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
>> out>, envp=<optimized out>) at vl.c:4481
>>
>> Signed-off-by: Alex Kompel <barbos@gmail.com>
>> ---
>>  hw/pci/pci.c | 8 +-------
>>  1 file changed, 1 insertion(+), 7 deletions(-)
>>
>> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
>> index 24fae16..2fd1b9e 100644
>> --- a/hw/pci/pci.c
>> +++ b/hw/pci/pci.c
>> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
>> PCIBus *rootbus,
>
>
> Hello, looks like the patch was corrupted, possibly by your email client.
> Please check; we usually send patches through git send-email.
>
> Thanks
>
>
>> pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
>> dev = &pci_dev->qdev;
>> qdev_set_nic_properties(dev, nd);
>> -
>> - object_property_set_bool(OBJECT(dev), true, "realized", &err);
>> - if (err) {
>> - error_report_err(err);
>> - object_unparent(OBJECT(dev));
>> - exit(1);
>> - }
>> + qdev_init_nofail(dev);
>>
>> return pci_dev;
>> }
>> --
>> 2.8.3
>>
>

[-- Attachment #2: qemu_pci_nic_init_nofail.txt --]

Signed-off-by: Alex Kompel <barbos@gmail.com>
---
 hw/pci/pci.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 24fae16..2fd1b9e 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus,
 pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
 dev = &pci_dev->qdev;
 qdev_set_nic_properties(dev, nd);
-
- object_property_set_bool(OBJECT(dev), true, "realized", &err);
- if (err) {
- error_report_err(err);
- object_unparent(OBJECT(dev));
- exit(1);
- }
+ qdev_init_nofail(dev);

 return pci_dev;
 }
--
2.8.3
* Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
From: Jason Wang @ 2017-01-09 5:32 UTC
To: Alex Kompel; +Cc: qemu-devel, Marcel Apfelbaum, Michael S. Tsirkin

On 2017-01-09 13:26, Alex Kompel wrote:
> Looks like this line got wrapped: "@@ -1805,13 +1805,7 @@ PCIDevice
> *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus,"
> Sorry about that. Could you unwrap it or use the attached text file?
>
> Thanks,
> -Alex

Ok, applied. But please use git format-patch and git send-email for future submissions of patches.

Thanks

>
> On Sun, Jan 8, 2017 at 8:06 PM, Jason Wang <jasowang@redhat.com> wrote:
>>
>> On 2017-01-07 07:48, Alex Kompel wrote:
>>> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
>>> pci_nic_init_nofail may release the object if the device fails to
>>> initialize, which leads to a use-after-free in the error handling block.
>>> qdev_init_nofail does the same thing while holding the reference.
>>>
>>> (gdb) run -net nic
>>> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>>> 440 in qom/object.c
>>> (gdb) bt
>>> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>>> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
>>> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
>>> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
>>> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
>>> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
>>> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
>>> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
>>> "i440FX-pcihost") at hw/i386/pc_piix.c:241
>>> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
>>> out>, envp=<optimized out>) at vl.c:4481
>>>
>>> Signed-off-by: Alex Kompel <barbos@gmail.com>
>>> ---
>>>  hw/pci/pci.c | 8 +-------
>>>  1 file changed, 1 insertion(+), 7 deletions(-)
>>>
>>> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
>>> index 24fae16..2fd1b9e 100644
>>> --- a/hw/pci/pci.c
>>> +++ b/hw/pci/pci.c
>>> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
>>> PCIBus *rootbus,
>>
>> Hello, looks like the patch was corrupted, possibly by your email client.
>> Please check; we usually send patches through git send-email.
>>
>> Thanks
>>
>>
>>> pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
>>> dev = &pci_dev->qdev;
>>> qdev_set_nic_properties(dev, nd);
>>> -
>>> - object_property_set_bool(OBJECT(dev), true, "realized", &err);
>>> - if (err) {
>>> - error_report_err(err);
>>> - object_unparent(OBJECT(dev));
>>> - exit(1);
>>> - }
>>> + qdev_init_nofail(dev);
>>>
>>> return pci_dev;
>>> }
>>> --
>>> 2.8.3
>>>