From: Thomas Huth <thuth@redhat.com>
To: Michal Privoznik <mprivozn@redhat.com>, qemu-devel@nongnu.org
Cc: kraxel@redhat.com, qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] console: Avoid segfault in screendump
Date: Thu, 17 May 2018 17:38:08 +0200 [thread overview]
Message-ID: <3cea4f6b-e50d-b40f-3852-215f10af35f5@redhat.com> (raw)
In-Reply-To: <cb05bb1909daa6ba62145c0194aafa05a14ed3d1.1526569138.git.mprivozn@redhat.com>
On 17.05.2018 17:00, Michal Privoznik wrote:
> After f771c5440e04626f1 it is possible to select device and
> head which to take screendump from. And even though we check if
> provided head number falls within range, it may still happen that
> the console has no surface yet leading to SIGSEGV:
>
> qemu.git $ ./x86_64-softmmu/qemu-system-x86_64 \
> -qmp stdio \
> -device virtio-vga,id=video0,max_outputs=4
>
> {"execute":"qmp_capabilities"}
> {"execute":"screendump", "arguments":{"filename":"/tmp/screen.ppm", "device":"video0", "head":1}}
> Segmentation fault
>
> #0 0x00005628249dda88 in ppm_save (filename=0x56282826cbc0 "/tmp/screen.ppm", ds=0x0, errp=0x7fff52a6fae0) at ui/console.c:304
> #1 0x00005628249ddd9b in qmp_screendump (filename=0x56282826cbc0 "/tmp/screen.ppm", has_device=true, device=0x5628276902d0 "video0", has_head=true, head=1, errp=0x7fff52a6fae0) at ui/console.c:375
> #2 0x00005628247740df in qmp_marshal_screendump (args=0x562828265e00, ret=0x7fff52a6fb68, errp=0x7fff52a6fb60) at qapi/qapi-commands-ui.c:110
>
> Here, @ds from frame #0 (or @surface from frame #1) is
> dereferenced at the very beginning of ppm_save(). And because
> it's NULL crash happens.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>
> I'm not entirely sure if this is the right approach, but crasher is bad
> for sure.
>
> ui/console.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/ui/console.c b/ui/console.c
> index 945f05d728..ef1247f872 100644
> --- a/ui/console.c
> +++ b/ui/console.c
> @@ -372,6 +372,11 @@ void qmp_screendump(const char *filename, bool has_device, const char *device,
>
> graphic_hw_update(con);
> surface = qemu_console_surface(con);
> + if (!surface) {
> + error_setg(errp, "no surface");
> + return;
> + }
> +
> ppm_save(filename, surface, errp);
> }
Looks reasonable to me!
Reviewed-by: Thomas Huth <thuth@redhat.com>
(and added CC: to qemu-stable)
next prev parent reply other threads:[~2018-05-17 15:38 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 15:00 [Qemu-devel] [PATCH] console: Avoid segfault in screendump Michal Privoznik
2018-05-17 15:38 ` Thomas Huth [this message]
2018-05-18 7:02 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3cea4f6b-e50d-b40f-3852-215f10af35f5@redhat.com \
--to=thuth@redhat.com \
--cc=kraxel@redhat.com \
--cc=mprivozn@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).