Message-ID: <4ECF8264.7020606@redhat.com>
Date: Fri, 25 Nov 2011 12:56:20 +0100
From: Kevin Wolf
References: <1322219182-18502-1-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1322219182-18502-1-git-send-email-pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free
To: Paolo Bonzini
Cc: qemu-devel@nongnu.org

On 25.11.2011 12:06, Paolo Bonzini wrote:
> qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
> could thus be used after free or freed again. While I do not know any
> example in the tree, I observed this using virtio-scsi (and SCSI
> scatter/gather) when canceling DMA requests.
>
> Signed-off-by: Paolo Bonzini

This isn't a bug fix in itself; it just makes bugs in other code more visible, right? It probably makes sense to do this change, but I'm not sure about doing it for 1.0.

Kevin

> ---
> cutils.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
> > diff --git a/cutils.c b/cutils.c > index 5d995bc..731a27e 100644 > --- a/cutils.c > +++ b/cutils.c > @@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov) > { > assert(qiov->nalloc != -1); > > + qemu_iovec_reset(qiov); > g_free(qiov->iov); > + qiov->nalloc = 0; > + qiov->iov = NULL; > } > > void qemu_iovec_reset(QEMUIOVector *qiov)
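Review bot: with `qiov->nalloc = 0` and `qiov->iov = NULL` left behind, a second call to `qemu_iovec_destroy` on the same object passes the `assert(qiov->nalloc != -1)` check and `g_free(NULL)` is a no-op, so a double destroy becomes silent rather than visible; if the goal is to surface such callers, a poison value that trips the assert, or an explicit `assert(qiov->iov != NULL)` before the free, would do that, while the `iov = NULL` store still turns a later use-after-free into a deterministic NULL dereference instead of a silent read of freed heap memory. Also note that `qemu_iovec_reset(qiov)` is called before `g_free(qiov->iov)`, so the size and count are cleared first and the reset runs on a still-valid buffer, which is the right order; a comment on the function stating what state a destroyed qiov is left in would help future callers.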