From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org
Cc: quintela@redhat.com, lvivier@redhat.com,
	marcandre.lureau@redhat.com, vsementsov@virtuozzo.com,
	danielhb@linux.vnet.ibm.com, pasic@linux.vnet.ibm.com,
	ashijeetacharya@gmail.com
Subject: [Qemu-devel] [PULL 11/27] migration: fix use-after-free of to_dst_file
Date: Tue, 28 Feb 2017 12:40:40 +0000
Message-ID: <20170228124056.5074-12-dgilbert@redhat.com>
In-Reply-To: <20170228124056.5074-1-dgilbert@redhat.com>

From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

hmp_savevm calls qemu_savevm_state(f), which sets to_dst_file=f in
global migration state. Then hmp_savevm closes f (g_free called).

The next access to to_dst_file in migration state (for example,
qmp_migrate_set_speed) will use it after it has been freed.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20170225193155.447462-5-vsementsov@virtuozzo.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
 migration/savevm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/migration/savevm.c b/migration/savevm.c
index 87c7a00..26d2c44 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1277,6 +1277,11 @@ done:
         status = MIGRATION_STATUS_COMPLETED;
     }
     migrate_set_state(&ms->state, MIGRATION_STATUS_SETUP, status);
+
+    /* f is outer parameter, it should not stay in global migration state after
+     * this function finished */
+    ms->to_dst_file = NULL;
+
     return ret;
 }
 
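Review bot: the reset is reached only through the `done:` label, so every early-exit branch in qemu_savevm_state() that precedes `done:` needs to either jump to it or clear `ms->to_dst_file` itself; an error return that bypasses this line leaves exactly the dangling pointer the commit message describes. It would also be worth placing the reset before `migrate_set_state()` so the state transition and the pointer withdrawal happen together, and the comment reads better as "f is an outer parameter; it must not stay in the global migration state after this function has finished".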
-- 
2.9.3
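As an added illustration, not QEMU's own code, here is a self-contained C model of the ownership problem the commit message describes, written from the fixed side: the savevm function borrows f, publishes it in the global state only for the duration of the call and withdraws it on every exit, so a later set_speed call finds nothing dangling. The type and function names are stand-ins for the QEMU ones, and the `fail` flag is an assumption used to exercise the early-exit path.

```c
#include <stdlib.h>
/* Stand-ins for the QEMU types involved; constructed for this example,
 * not QEMU's real definitions. */
typedef struct QEMUFile { long rate_limit; } QEMUFile;

typedef struct MigrationState {
    QEMUFile *to_dst_file;  /* borrowed: the caller owns its lifetime */
} MigrationState;

static MigrationState current_migration;  /* global, as in QEMU */

/* Models qemu_savevm_state() after the patch: f is published in the global
 * state only for the duration of the call and withdrawn on every exit. */
static int savevm_state_fixed(QEMUFile *f, int fail)
{
    MigrationState *ms = &current_migration;
    int ret = 0;
    ms->to_dst_file = f;
    if (fail) {
        ret = -1;
        goto done;  /* an early exit must still reach the reset below */
    }
    f->rate_limit = 0;  /* stands in for writing the VM state */
done:
    ms->to_dst_file = NULL;  /* the fix: drop the borrowed pointer */
    return ret;
}

/* Models qmp_migrate_set_speed(): touches to_dst_file only when one is live.
 * Returns 1 if a limit was applied, 0 if no stream is active. */
static int migrate_set_speed_fixed(long value)
{
    QEMUFile *f = current_migration.to_dst_file;
    if (!f) {
        return 0;
    }
    f->rate_limit = value;
    return 1;
}

/* Models hmp_savevm() followed by a later QMP call: hmp_savevm owns f and
 * frees it (g_free in QEMU). Returns the set_speed result, 0 either way. */
static int hmp_savevm_then_set_speed(int fail)
{
    QEMUFile *f = calloc(1, sizeof(*f));
    if (f) savevm_state_fixed(f, fail);
    free(f);
    return migrate_set_speed_fixed(1024);
}
```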
