[PULL 01/10] block/mirror: fix use after free of local_err

Max Reitz posted 10 patches 5 years, 7 months ago
Maintainers: Jeff Cody <codyprime@gmail.com>, Paolo Bonzini <pbonzini@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, "Denis V. Lunev" <den@openvz.org>, Stefan Weil <sw@weilnetz.de>, Fam Zheng <fam@euphon.net>, Eric Blake <eblake@redhat.com>, Max Reitz <mreitz@redhat.com>, "Richard W.M. Jones" <rjones@redhat.com>, Liu Yuan <namei.unix@gmail.com>, Kevin Wolf <kwolf@redhat.com>, Jason Dillaman <dillaman@redhat.com>, Peter Lieven <pl@kamp.de>, John Snow <jsnow@redhat.com>, Ronnie Sahlberg <ronniesahlberg@gmail.com>
Posted by Max Reitz 5 years, 7 months ago
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

local_err is used again in mirror_exit_common() after
bdrv_set_backing_hd(), so we must zero it. Otherwise, trying to set a
non-NULL local_err will crash.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200324153630.11882-3-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/mirror.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/mirror.c b/block/mirror.c
index 447051dbc6..6203e5946e 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -678,6 +678,7 @@ static int mirror_exit_common(Job *job)
             bdrv_set_backing_hd(target_bs, backing, &local_err);
             if (local_err) {
                 error_report_err(local_err);
+                local_err = NULL;
                 ret = -EPERM;
             }
         }
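Review bot: the `local_err = NULL;` reset after `error_report_err(local_err);` is the correct and minimal fix, since error_report_err() frees the Error it is passed and QEMU's error_setg() family asserts that the destination pointer is NULL before writing to it, which is exactly the crash the commit message describes. The hunk only covers the bdrv_set_backing_hd() failure path, while the message says local_err is reused later in mirror_exit_common(); it is worth checking the rest of that function for any other error_report_err()/error_free() call on local_err that is followed by another &local_err use without the same reset, so that this pattern is fixed consistently rather than at a single site.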
-- 
2.25.1