qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free
@ 2011-11-25 11:06 Paolo Bonzini
  2011-11-25 11:56 ` Kevin Wolf
  0 siblings, 1 reply; 3+ messages in thread
From: Paolo Bonzini @ 2011-11-25 11:06 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf

qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again.  While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 cutils.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/cutils.c b/cutils.c
index 5d995bc..731a27e 100644
--- a/cutils.c
+++ b/cutils.c
@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov)
 {
     assert(qiov->nalloc != -1);
 
+    qemu_iovec_reset(qiov);
     g_free(qiov->iov);
+    qiov->nalloc = 0;
+    qiov->iov = NULL;
 }
 
 void qemu_iovec_reset(QEMUIOVector *qiov)
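Review bot: with `qiov->nalloc = 0` at the end of the hunk, the existing `assert(qiov->nalloc != -1)` no longer tells an already-destroyed vector from a live one, so a second qemu_iovec_destroy() passes the assert, calls qemu_iovec_reset() on zeroed counts and ends in g_free(NULL), a no-op; a double destroy becomes harmless but also silent, which is the trade-off Kevin's reply points at. If repeated destroys are meant to be tolerated, a one-line comment above `qemu_iovec_reset(qiov);` saying the vector is left empty and re-destroyable would document that; if they are meant to stay visible, an `assert(qiov->iov != NULL)` at the top of the function would turn the second call into a loud failure instead. The commit message should also say that niov is cleared through qemu_iovec_reset(), since the hunk does not show that function's body.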
-- 
1.7.7.1


* Re: [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free
  2011-11-25 11:56 ` Kevin Wolf
@ 2011-11-25 11:55   ` Paolo Bonzini
  0 siblings, 0 replies; 3+ messages in thread
From: Paolo Bonzini @ 2011-11-25 11:55 UTC (permalink / raw)
  To: Kevin Wolf; +Cc: qemu-devel

On 11/25/2011 12:56 PM, Kevin Wolf wrote:
>> qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
>> could thus be used after free or freed again.  While I do not know any
>> example in the tree, I observed this using virtio-scsi (and SCSI
>> scatter/gather) when canceling DMA requests.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> This isn't a bug fix for itself, it just makes bugs in other code more
> visible, right? It probably makes sense to do this change, but I'm not
> sure about doing it for 1.0.

It is a fix.  NULLing the pointer prevents double-free bugs, and setting 
niov/nalloc to 0 should prevent use-after-free.

Paolo
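The clear-on-destroy pattern the reply describes (NULL the pointer to defeat a double free, zero the counts to defeat a use-after-free), as an added example that is not QEMU's code: a minimal stand-in for QEMUIOVector with hypothetical toy_* names, using malloc/free instead of glib, plus an add() that refuses to run on a destroyed vector so the two misuses can be exercised without touching freed memory. The sample buffer is constructed for the scenario.

```c
/* Added example, not QEMU code: a toy QEMUIOVector look-alike showing why
 * destroy() must clear the struct, not just free the array.  All toy_*
 * names are hypothetical; malloc/free stand in for g_malloc/g_free. */
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>

struct toy_buf {
    void *base;          /* start of one guest/host buffer */
    size_t len;          /* its length in bytes */
};

typedef struct {
    struct toy_buf *iov; /* heap array of buffers */
    int niov;            /* entries in use */
    int nalloc;          /* entries allocated; -1 means externally owned */
    size_t size;         /* total bytes across entries */
} ToyIOVector;

void toy_iovec_init(ToyIOVector *qiov, int alloc_hint)
{
    qiov->iov = malloc((size_t)alloc_hint * sizeof(struct toy_buf));
    qiov->niov = 0;
    qiov->nalloc = alloc_hint;
    qiov->size = 0;
}

/* Append one buffer, growing the array as needed.  Returns -1 on a
 * destroyed vector (nalloc == 0, iov == NULL) instead of writing through
 * a stale pointer; this is the check the cleared fields make possible. */
int toy_iovec_add(ToyIOVector *qiov, void *base, size_t len)
{
    if (qiov->nalloc == 0 || qiov->iov == NULL) {
        return -1;       /* destroyed: refuse rather than use-after-free */
    }
    if (qiov->niov == qiov->nalloc) {
        int n = qiov->nalloc * 2;
        struct toy_buf *p = realloc(qiov->iov, (size_t)n * sizeof(*p));
        if (p == NULL) {
            return -1;
        }
        qiov->iov = p;
        qiov->nalloc = n;
    }
    qiov->iov[qiov->niov].base = base;
    qiov->iov[qiov->niov].len = len;
    qiov->niov++;
    qiov->size += len;
    return 0;
}

void toy_iovec_reset(ToyIOVector *qiov)
{
    qiov->niov = 0;
    qiov->size = 0;
}

/* Before the patch, destroy only freed iov: the struct kept the dangling
 * pointer and the old counts, so a later add() or a second destroy() would
 * touch freed memory.  The hardened form resets the counts and NULLs the
 * pointer, so the vector reads as empty and a second destroy() ends in a
 * harmless free(NULL). */
void toy_iovec_destroy(ToyIOVector *qiov)
{
    assert(qiov->nalloc != -1);   /* externally owned arrays are never freed */
    toy_iovec_reset(qiov);
    free(qiov->iov);
    qiov->nalloc = 0;
    qiov->iov = NULL;
}

/* Scenario: build a vector, destroy it, then attempt the two misuses the
 * patch is about.  Returns how many of them were caught (expected: 2). */
int toy_iovec_scenario(void)
{
    static char buf[16];          /* constructed sample buffer */
    ToyIOVector v;
    int caught = 0;

    toy_iovec_init(&v, 1);
    toy_iovec_add(&v, buf, sizeof buf);
    toy_iovec_add(&v, buf, sizeof buf);   /* second add forces a realloc */
    toy_iovec_destroy(&v);

    if (toy_iovec_add(&v, buf, sizeof buf) == -1) {
        caught++;                 /* use-after-free refused */
    }
    toy_iovec_destroy(&v);        /* double destroy: free(NULL), no crash */
    if (v.iov == NULL && v.nalloc == 0 && v.niov == 0 && v.size == 0) {
        caught++;                 /* struct still reads as empty */
    }
    return caught;
}
```

The refusal in toy_iovec_add() is only possible because destroy() leaves a recognisable state behind; with the pre-patch behaviour the counts would still look valid and the write would land in freed memory.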


* Re: [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free
  2011-11-25 11:06 [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free Paolo Bonzini
@ 2011-11-25 11:56 ` Kevin Wolf
  2011-11-25 11:55   ` Paolo Bonzini
  0 siblings, 1 reply; 3+ messages in thread
From: Kevin Wolf @ 2011-11-25 11:56 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel

On 25.11.2011 12:06, Paolo Bonzini wrote:
> qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
> could thus be used after free or freed again.  While I do not know any
> example in the tree, I observed this using virtio-scsi (and SCSI
> scatter/gather) when canceling DMA requests.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

This isn't a bug fix for itself, it just makes bugs in other code more
visible, right? It probably makes sense to do this change, but I'm not
sure about doing it for 1.0.

Kevin

> ---
>  cutils.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/cutils.c b/cutils.c
> index 5d995bc..731a27e 100644
> --- a/cutils.c
> +++ b/cutils.c
> @@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov)
>  {
>      assert(qiov->nalloc != -1);
>  
> +    qemu_iovec_reset(qiov);
>      g_free(qiov->iov);
> +    qiov->nalloc = 0;
> +    qiov->iov = NULL;
>  }
>  
>  void qemu_iovec_reset(QEMUIOVector *qiov)

