From: Tuguoyi
To: "libvir-list@redhat.com"
Subject: [PATCH] qemu_conf: Fix double free problem for cfg->firmwares
Date: Tue, 24 Nov 2020 03:12:00 +0000

cfg->firmwares still points to the original memory address after being freed by virFirmwareFreeList(). As cfg gets freed, it will be freed again even if cfg->nfirmwares=0, which eventually leads to a crash.
The patch fixes it by setting cfg->firmwares to NULL explicitly after virFirmwareFreeList() returns.

Signed-off-by: Tuguoyi
Reviewed-by: Ján Tomko
--- src/qemu/qemu_conf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 83de26a..98593b5 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -832,6 +832,7 @@ virQEMUDriverConfigLoadNVRAMEntry(virQEMUDriverConfigPt= r cfg, VIR_AUTOSTRINGLIST fwList =3D NULL; =20 virFirmwareFreeList(cfg->firmwares, cfg->nfirmwares); + cfg->firmwares =3D NULL; =20 if (qemuFirmwareFetchConfigs(&fwList, privileged) < 0) return -1; --=20 2.7.4 -- Best regards, Guoyi
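Review bot: the added `cfg->firmwares = NULL;` clears the pointer, but nothing in this hunk resets cfg->nfirmwares, and the `return -1` on qemuFirmwareFetchConfigs() failure leaves the function immediately after the free. If the count is not zeroed elsewhere before that return, cfg is left with a NULL list and a stale element count, which the later free of cfg would then walk. Please reset the count next to the pointer here, or point to where it is already cleared. The commit message mentions cfg->nfirmwares=0 but the visible lines do not show it. Longer term, a free helper that takes the address of the list and the count and clears both would keep callers from repeating this pattern.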