From nobody Mon Apr 29 09:24:59 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=virtuozzo.com
ARC-Seal: i=1; a=rsa-sha256; t=1584339606; cv=none;
	d=zohomail.com; s=zohoarc;
	b=H70NxhkDdis3gMUGWfVbMKQpn9k0JMIC7lo5+TnY1JsmrT8bDVm03G5fERqfWljo1F0k6w5DeCwdpB8iYcRQgf8wzoL1OfKUPD8ri70qYLozcCyBqXGXg1arwP3PKBl6CUdG/TgldJDM6fULdPCu5qtm4ROcR4QultwWxqdZYwE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1584339606;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=drWP9so8DkH+i3tEbEZvzVOdooVGvBrboSasSgSf544=;
	b=IjVBDzQX8vu7zmgrzZqScR2puFMgcqAcn+LR5GvHqyzCzMYbkPxUdt2O/4M4sD1UFLRqg7P2+areAlKd+Ns17DCL0jM8u+Sebq02FmKs8XcecGAoV5Vt4VMwAd4HMoiEaDGOaBaTWlTa3ECly8r/BgMPSmgrteFumUls4M9rAo0=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail header.from=<vsementsov@virtuozzo.com> (p=none dis=none)
 header.from=<vsementsov@virtuozzo.com>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1584339606140825.9046317588515;
 Sun, 15 Mar 2020 23:20:06 -0700 (PDT)
Received: from localhost ([::1]:34742 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1jDj6a-0002xG-9y
	for importer@patchew.org; Mon, 16 Mar 2020 02:20:04 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51190)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <vsementsov@virtuozzo.com>) id 1jDitm-0007h2-GB
 for qemu-devel@nongnu.org; Mon, 16 Mar 2020 02:06:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <vsementsov@virtuozzo.com>) id 1jDitl-00006p-8p
 for qemu-devel@nongnu.org; Mon, 16 Mar 2020 02:06:50 -0400
Received: from relay.sw.ru ([185.231.240.75]:49920)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <vsementsov@virtuozzo.com>)
 id 1jDiti-0007MK-6w; Mon, 16 Mar 2020 02:06:46 -0400
Received: from vovaso.qa.sw.ru ([10.94.3.0] helo=kvm.qa.sw.ru)
 by relay.sw.ru with esmtp (Exim 4.92.3)
 (envelope-from <vsementsov@virtuozzo.com>)
 id 1jDitY-0004fQ-7t; Mon, 16 Mar 2020 09:06:36 +0300
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
To: qemu-block@nongnu.org
Subject: [PATCH 1/2] block: bdrv_set_backing_bs: fix use-after-free
Date: Mon, 16 Mar 2020 09:06:30 +0300
Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20200316060631.30052-1-vsementsov@virtuozzo.com>
References: <20200316060631.30052-1-vsementsov@virtuozzo.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy]
X-Received-From: 185.231.240.75
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: kwolf@redhat.com, den@openvz.org, vsementsov@virtuozzo.com,
 qemu-devel@nongnu.org, mreitz@redhat.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Content-Type: text/plain; charset="utf-8"

There is a use-after-free possible: bdrv_unref_child() leaves
bs->backing freed but not NULL. bdrv_attach_child may produce nested
polling loop due to drain, than access of freed pointer is possible.

I've produced the following crash on 30 iotest with modified code. It
does not reproduce on master, but still seems possible:

    #0  __strcmp_avx2 () at /lib64/libc.so.6
    #1  bdrv_backing_overridden (bs=3D0x55c9d3cc2060) at block.c:6350
    #2  bdrv_refresh_filename (bs=3D0x55c9d3cc2060) at block.c:6404
    #3  bdrv_backing_attach (c=3D0x55c9d48e5520) at block.c:1063
    #4  bdrv_replace_child_noperm
        (child=3Dchild@entry=3D0x55c9d48e5520,
        new_bs=3Dnew_bs@entry=3D0x55c9d3cc2060) at block.c:2290
    #5  bdrv_replace_child
        (child=3Dchild@entry=3D0x55c9d48e5520,
        new_bs=3Dnew_bs@entry=3D0x55c9d3cc2060) at block.c:2320
    #6  bdrv_root_attach_child
        (child_bs=3Dchild_bs@entry=3D0x55c9d3cc2060,
        child_name=3Dchild_name@entry=3D0x55c9d241d478 "backing",
        child_role=3Dchild_role@entry=3D0x55c9d26ecee0 <child_backing>,
        ctx=3D<optimized out>, perm=3D<optimized out>, shared_perm=3D21,
        opaque=3D0x55c9d3c5a3d0, errp=3D0x7ffd117108e0) at block.c:2424
    #7  bdrv_attach_child
        (parent_bs=3Dparent_bs@entry=3D0x55c9d3c5a3d0,
        child_bs=3Dchild_bs@entry=3D0x55c9d3cc2060,
        child_name=3Dchild_name@entry=3D0x55c9d241d478 "backing",
        child_role=3Dchild_role@entry=3D0x55c9d26ecee0 <child_backing>,
        errp=3Derrp@entry=3D0x7ffd117108e0) at block.c:5876
    #8  in bdrv_set_backing_hd
        (bs=3Dbs@entry=3D0x55c9d3c5a3d0,
        backing_hd=3Dbacking_hd@entry=3D0x55c9d3cc2060,
        errp=3Derrp@entry=3D0x7ffd117108e0)
        at block.c:2576
    #9  stream_prepare (job=3D0x55c9d49d84a0) at block/stream.c:150
    #10 job_prepare (job=3D0x55c9d49d84a0) at job.c:761
    #11 job_txn_apply (txn=3D<optimized out>, fn=3D<optimized out>) at
        job.c:145
    #12 job_do_finalize (job=3D0x55c9d49d84a0) at job.c:778
    #13 job_completed_txn_success (job=3D0x55c9d49d84a0) at job.c:832
    #14 job_completed (job=3D0x55c9d49d84a0) at job.c:845
    #15 job_completed (job=3D0x55c9d49d84a0) at job.c:836
    #16 job_exit (opaque=3D0x55c9d49d84a0) at job.c:864
    #17 aio_bh_call (bh=3D0x55c9d471a160) at util/async.c:117
    #18 aio_bh_poll (ctx=3Dctx@entry=3D0x55c9d3c46720) at util/async.c:117
    #19 aio_poll (ctx=3Dctx@entry=3D0x55c9d3c46720,
        blocking=3Dblocking@entry=3Dtrue)
        at util/aio-posix.c:728
    #20 bdrv_parent_drained_begin_single (poll=3Dtrue, c=3D0x55c9d3d558f0)
        at block/io.c:121
    #21 bdrv_parent_drained_begin_single (c=3Dc@entry=3D0x55c9d3d558f0,
        poll=3Dpoll@entry=3Dtrue)
        at block/io.c:114
    #22 bdrv_replace_child_noperm
        (child=3Dchild@entry=3D0x55c9d3d558f0,
        new_bs=3Dnew_bs@entry=3D0x55c9d3d27300) at block.c:2258
    #23 bdrv_replace_child
        (child=3Dchild@entry=3D0x55c9d3d558f0,
        new_bs=3Dnew_bs@entry=3D0x55c9d3d27300) at block.c:2320
    #24 bdrv_root_attach_child
        (child_bs=3Dchild_bs@entry=3D0x55c9d3d27300,
        child_name=3Dchild_name@entry=3D0x55c9d241d478 "backing",
        child_role=3Dchild_role@entry=3D0x55c9d26ecee0 <child_backing>,
        ctx=3D<optimized out>, perm=3D<optimized out>, shared_perm=3D21,
        opaque=3D0x55c9d3cc2060, errp=3D0x7ffd11710c60) at block.c:2424
    #25 bdrv_attach_child
        (parent_bs=3Dparent_bs@entry=3D0x55c9d3cc2060,
        child_bs=3Dchild_bs@entry=3D0x55c9d3d27300,
        child_name=3Dchild_name@entry=3D0x55c9d241d478 "backing",
        child_role=3Dchild_role@entry=3D0x55c9d26ecee0 <child_backing>,
        errp=3Derrp@entry=3D0x7ffd11710c60) at block.c:5876
    #26 bdrv_set_backing_hd
        (bs=3Dbs@entry=3D0x55c9d3cc2060,
        backing_hd=3Dbacking_hd@entry=3D0x55c9d3d27300,
        errp=3Derrp@entry=3D0x7ffd11710c60)
        at block.c:2576
    #27 stream_prepare (job=3D0x55c9d495ead0) at block/stream.c:150
    ...

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
---
 block.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block.c b/block.c
index 957630b1c5..a862ce4df9 100644
--- a/block.c
+++ b/block.c
@@ -2735,10 +2735,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, Bloc=
kDriverState *backing_hd,
=20
     if (bs->backing) {
         bdrv_unref_child(bs, bs->backing);
+        bs->backing =3D NULL;
     }
=20
     if (!backing_hd) {
-        bs->backing =3D NULL;
         goto out;
     }
=20
--=20
2.21.0


From nobody Mon Apr 29 09:24:59 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=virtuozzo.com
ARC-Seal: i=1; a=rsa-sha256; t=1584339232; cv=none;
	d=zohomail.com; s=zohoarc;
	b=hCELsoFcjjfGvk7J8q/b+HMtUFIBPMIYtsBpTwEpnE2b6obWO/G/Hhod+cSt6yTnV1hw6aL5xoi6TfSjp0tPVRWDr4L+uv3eFjw9GbrQ47g4NFDN4sFPlwIu9GR10HJC4cZSGwMNWohJDBGjBzF23SGJf6itqDPk9YC+ZwKS3bU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1584339232;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=tpIHaKLTKzM1hoTUoVEXUfde8Vt45f+H2i3soyGjBaU=;
	b=BYFYxyGP9ZM90UV0MOfN3UPo7gXyHbOVfzXqvl/Rz4mnt42sritN/YjLf0VHf85iD3i+xSrcyrfPOR+F1hD7yRMrNdhG9WFaUV2CamOSb564Ac2RBRaW1YDQkLbCwln5UhwUrzm2tFNVmoD21mnvsR8Ti2J3mHqd9rFHd7DYGCk=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail header.from=<vsementsov@virtuozzo.com> (p=none dis=none)
 header.from=<vsementsov@virtuozzo.com>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1584339232414151.68274787074392;
 Sun, 15 Mar 2020 23:13:52 -0700 (PDT)
Received: from localhost ([::1]:34702 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1jDj0Z-00012J-1U
	for importer@patchew.org; Mon, 16 Mar 2020 02:13:51 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51064)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <vsementsov@virtuozzo.com>) id 1jDitk-0007ex-Qy
 for qemu-devel@nongnu.org; Mon, 16 Mar 2020 02:06:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <vsementsov@virtuozzo.com>) id 1jDitj-0008Io-TX
 for qemu-devel@nongnu.org; Mon, 16 Mar 2020 02:06:48 -0400
Received: from relay.sw.ru ([185.231.240.75]:49924)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <vsementsov@virtuozzo.com>)
 id 1jDitg-0007ML-JB; Mon, 16 Mar 2020 02:06:44 -0400
Received: from vovaso.qa.sw.ru ([10.94.3.0] helo=kvm.qa.sw.ru)
 by relay.sw.ru with esmtp (Exim 4.92.3)
 (envelope-from <vsementsov@virtuozzo.com>)
 id 1jDitY-0004fQ-DT; Mon, 16 Mar 2020 09:06:36 +0300
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
To: qemu-block@nongnu.org
Subject: [PATCH 2/2] block/qcow2: zero data_file child after free
Date: Mon, 16 Mar 2020 09:06:31 +0300
Message-Id: <20200316060631.30052-3-vsementsov@virtuozzo.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20200316060631.30052-1-vsementsov@virtuozzo.com>
References: <20200316060631.30052-1-vsementsov@virtuozzo.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy]
X-Received-From: 185.231.240.75
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: kwolf@redhat.com, den@openvz.org, vsementsov@virtuozzo.com,
 qemu-devel@nongnu.org, mreitz@redhat.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Content-Type: text/plain; charset="utf-8"

data_file being NULL doesn't seem to be a correct state, but it's
better than dead pointer and simpler to debug.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
---
 block/qcow2.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index d44b45633d..6cdefe059f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1758,6 +1758,7 @@ static int coroutine_fn qcow2_do_open(BlockDriverStat=
e *bs, QDict *options,
     g_free(s->image_data_file);
     if (has_data_file(bs)) {
         bdrv_unref_child(bs, s->data_file);
+        s->data_file =3D NULL;
     }
     g_free(s->unknown_header_fields);
     cleanup_unknown_header_ext(bs);
@@ -2621,6 +2622,7 @@ static void qcow2_close(BlockDriverState *bs)
=20
     if (has_data_file(bs)) {
         bdrv_unref_child(bs, s->data_file);
+        s->data_file =3D NULL;
     }
=20
     qcow2_refcount_close(bs);
--=20
2.21.0