Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).

[wliang]

[-- Attachment #1.1: Type: text/plain, Size: 754 bytes --]

Hi all,

I find a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).

Specifically, at line 880, the variable 'scr' is released by the bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.





880    bdrv_unref(src);


881    bdrv_set_backing_hd(src, src_backing, &error_abort);





I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.


---    bdrv_unref(src);
881    bdrv_set_backing_hd(src, src_backing, &error_abort);
+++bdrv_unref(src);


I'm looking forward to your confirmation.

Best,
Wentao

[-- Attachment #1.2: Type: text/html, Size: 3074 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: test-bdrv-drain.patch --]
[-- Type: text/x-patch; name=test-bdrv-drain.patch, Size: 506 bytes --]

--- ./tests/unit/test-bdrv-drain.c	2022-02-23 15:06:32.384786070 +0800
+++ ./tests/unit/test-bdrv-drain-PATCH.c	2022-02-23 21:16:43.444928992 +0800
@@ -877,8 +877,8 @@
                                        BDRV_O_RDWR, &error_abort);
 
     bdrv_set_backing_hd(src_overlay, src, &error_abort);
-    bdrv_unref(src);
     bdrv_set_backing_hd(src, src_backing, &error_abort);
+    bdrv_unref(src);
     bdrv_unref(src_backing);
 
     blk_src = blk_new(qemu_get_aio_context(), BLK_PERM_ALL, BLK_PERM_ALL);

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).

[wliang]

[-- Attachment #1.1: Type: text/plain, Size: 871 bytes --]


Hi all,

I find a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).

Specifically, at line 880, the variable 'scr' is released by the bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.





880    bdrv_unref(src);


881    bdrv_set_backing_hd(src, src_backing, &error_abort);





I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.


---    bdrv_unref(src);
881    bdrv_set_backing_hd(src, src_backing, &error_abort);
+++bdrv_unref(src);


It is a test program, so I could't get a mail-list to send. So I send it to you. Hope you can help me.
I'm looking forward to your confirmation.

Sincerely Thanks,
Wentao


[-- Attachment #1.2: Type: text/html, Size: 4392 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Fix-a-potential-Use-after-free-in-test_blockjob_comm.patch --]
[-- Type: text/x-patch;  name=0001-Fix-a-potential-Use-after-free-in-test_blockjob_comm.patch, Size: 1003 bytes --]

From 0d631c66441be73666f4ce959fa00754820cd4ea Mon Sep 17 00:00:00 2001
From: Wentao_Liang <Wentao_Liang_g@163.com>
Date: Fri, 25 Feb 2022 12:12:16 +0800
Subject: [PATCH] Fix a potential Use-after-free in
 test_blockjob_common_drain_node()

Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
---
 tests/unit/test-bdrv-drain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/test-bdrv-drain.c b/tests/unit/test-bdrv-drain.c
index 36be84ae55..0e988badc1 100644
--- a/tests/unit/test-bdrv-drain.c
+++ b/tests/unit/test-bdrv-drain.c
@@ -877,8 +877,8 @@ static void test_blockjob_common_drain_node(enum drain_type drain_type,
                                        BDRV_O_RDWR, &error_abort);
 
     bdrv_set_backing_hd(src_overlay, src, &error_abort);
-    bdrv_unref(src);
     bdrv_set_backing_hd(src, src_backing, &error_abort);
+    bdrv_unref(src);
     bdrv_unref(src_backing);
 
     blk_src = blk_new(qemu_get_aio_context(), BLK_PERM_ALL, BLK_PERM_ALL);
-- 
2.25.1