Subject: Re: [Qemu-devel] [PATCH] qga: Fix possible freed memory accessing
From: Eric Blake
Date: Thu, 18 Sep 2014 06:53:10 -0600
To: zhanghailiang, qemu-devel@nongnu.org
Cc: mdroth@linux.vnet.ibm.com, armbru@redhat.com, luonengjun@huawei.com, peter.huangpeng@huawei.com, qemu-stable@nongnu.org, lcapitulino@redhat.com
Message-ID: <541AD5B6.6080809@redhat.com>
In-Reply-To: <541AD33A.1040309@huawei.com>
References: <1411011222-5116-1-git-send-email-zhang.zhanghailiang@huawei.com> <541ACD75.1040708@redhat.com> <541AD33A.1040309@huawei.com>

On 09/18/2014 06:42 AM, zhanghailiang wrote:
> On 2014/9/18 20:17, Eric Blake wrote:
>> On 09/17/2014 09:33 PM, zhanghailiang wrote:
>>> If readdir_r fails, error_setg_errno will reference the freed
>>> pointer *dirpath*.
>>>
>>> Signed-off-by: zhanghailiang
>>> ---
>>>  qga/commands-posix.c | 10 ++++++----
>>>  1 file changed, 6 insertions(+), 4 deletions(-)
>>
>>> for (;;) {
>>> if (readdir_r(dir, &entry, &result) != 0) {
>>
>> Eww. We're using readdir_r? That's an inherently broken interface,
>> which can risk buffer overflow. readdir should be preferred.
>>
>> http://austingroupbugs.net/view.php?id=696
>>
> Yes, it is!
> Should I fix it in this patch together? ;)

Switching to readdir would be welcome, and would probably be enough of a
rewrite that it would also fix the use-after-free without trying to break
it into two patches. You're welcome to try that as a v2.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
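The rewrite Eric asks for, carried through as an added example. This is not the QEMU patch and not QEMU's qga code: `ExampleError` and `example_setg_errno()` are assumed stand-ins for QEMU's `Error` and `error_setg_errno()`, the function names `count_entries`, `count_entries_in_subdir`, `make_scratch_dir` and `remove_scratch_dir` are hypothetical, and the scratch directory is constructed so the example runs offline. It shows the two points of the thread together: iterating with `readdir()` (no caller-supplied `struct dirent`, so the `d_name` sizing hazard behind the linked Austin Group issue does not arise, and `errno` is zeroed before each call because a NULL return means either end of stream or error), and building the error message while the heap-allocated path is still live, freeing it only afterwards.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for QEMU's Error and error_setg_errno() (an assumption for this
 * example, not the QEMU API). It reads `path`, so `path` must still be live. */
typedef struct { int err; char msg[512]; } ExampleError;

static void example_setg_errno(ExampleError *e, int err, const char *what,
                               const char *path)
{
    e->err = err;
    snprintf(e->msg, sizeof(e->msg), "%s '%s': %s", what, path, strerror(err));
}

/* Count entries other than "." and ".." using readdir(). Returns -1 with
 * *errp set on failure. readdir() returns NULL at end of stream and on error,
 * and POSIX leaves errno untouched at end of stream, so zeroing errno before
 * each call is what tells the two apart. */
static int count_entries(const char *dirpath, ExampleError *errp)
{
    DIR *dir = opendir(dirpath);
    if (!dir) {
        example_setg_errno(errp, errno, "opendir", dirpath);
        return -1;
    }
    int count = 0;
    for (;;) {
        errno = 0;
        struct dirent *entry = readdir(dir);   /* valid until next readdir/closedir */
        if (!entry) {
            if (errno == 0) {
                break;                          /* end of stream */
            }
            int saved = errno;                  /* closedir() may clobber errno */
            closedir(dir);
            example_setg_errno(errp, saved, "readdir", dirpath);
            return -1;
        }
        if (strcmp(entry->d_name, ".") && strcmp(entry->d_name, "..")) {
            count++;
        }
    }
    closedir(dir);
    return count;
}

/* Caller owning a heap-allocated path, the shape the patch subject implies.
 * The order matters: any error text is built while dirpath is still
 * allocated, and free() comes only after the last use of the pointer. */
static int count_entries_in_subdir(const char *base, const char *sub,
                                   ExampleError *errp)
{
    size_t len = strlen(base) + strlen(sub) + 2;
    char *dirpath = malloc(len);
    if (!dirpath) {
        example_setg_errno(errp, ENOMEM, "malloc", sub);
        return -1;
    }
    snprintf(dirpath, len, "%s/%s", base, sub);
    int ret = count_entries(dirpath, errp);  /* may format a message from dirpath */
    free(dirpath);                           /* only after that last use */
    return ret;
}

/* Constructed scratch directory with nfiles empty files so the example runs
 * offline. Returns a malloc()ed path, or NULL on failure. */
static char *make_scratch_dir(int nfiles)
{
    char tmpl[] = "/tmp/readdir_exXXXXXX", path[64];
    if (!mkdtemp(tmpl)) {
        return NULL;
    }
    for (int i = 0; i < nfiles; i++) {
        snprintf(path, sizeof(path), "%s/f%d", tmpl, i);
        FILE *f = fopen(path, "w");
        if (!f) {
            return NULL;
        }
        fclose(f);
    }
    return strdup(tmpl);
}

static void remove_scratch_dir(const char *dir, int nfiles)
{
    char path[64];
    for (int i = 0; i < nfiles; i++) {
        snprintf(path, sizeof(path), "%s/f%d", dir, i);
        unlink(path);
    }
    rmdir(dir);
}
```

With a scratch directory from `make_scratch_dir(3)`, `count_entries()` returns 3; `count_entries_in_subdir(dir, "does-not-exist", &err)` returns -1 with `err.err == ENOENT` and a message that still names the full path, because the message was formatted before `free(dirpath)`. The pointer `readdir()` returns is only guaranteed valid until the next `readdir()` or `closedir()` on that stream, so copy `d_name` out if it has to outlive the loop iteration.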