[PATCH] block/block-copy: fix use-after-free of task pointer

Vladimir Sementsov-Ogievskiy posted 1 patch 4 years ago
Test checkpatch passed
Test docker-quick@centos7 passed
Test FreeBSD passed
Test docker-mingw@fedora passed
Test asan passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20200507183800.22626-1-vsementsov@virtuozzo.com
Maintainers: Max Reitz <mreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>
block/block-copy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] block/block-copy: fix use-after-free of task pointer
Posted by Vladimir Sementsov-Ogievskiy 4 years ago
Obviously, we should g_free the task after trace point and offset
update.

Reported-by: Coverity
Fixes: 4ce5dd3e9b5ee0fac18625860eb3727399ee965e
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---

Be free to add Coverity number to the commit message, I don't know it.

 block/block-copy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/block-copy.c b/block/block-copy.c
index 03500680f7..4713c8f2a3 100644
--- a/block/block-copy.c
+++ b/block/block-copy.c
@@ -591,13 +591,13 @@ static int coroutine_fn block_copy_dirty_clusters(BlockCopyState *s,
         }
         if (s->skip_unallocated && !(ret & BDRV_BLOCK_ALLOCATED)) {
             block_copy_task_end(task, 0);
-            g_free(task);
             progress_set_remaining(s->progress,
                                    bdrv_get_dirty_count(s->copy_bitmap) +
                                    s->in_flight_bytes);
             trace_block_copy_skip_range(s, task->offset, task->bytes);
             offset = task_end(task);
             bytes = end - offset;
+            g_free(task);
             continue;
         }
         task->zeroes = ret & BDRV_BLOCK_ZERO;
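Review bot: the move is the right fix, and the hunk shows why: `trace_block_copy_skip_range(s, task->offset, task->bytes)` and `offset = task_end(task)` both dereference `task` after the old `g_free(task)` on the removed line, so every access in the skip branch now precedes the single `g_free(task)` before `continue`. One suggestion for the commit message: name those two accesses (the trace point and `task_end()`) explicitly rather than "trace point and offset update", and fill in the Coverity defect ID when it is applied, so a reader of `git log` can see what was dereferenced after free without opening the diff.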
-- 
2.21.0


Re: [PATCH] block/block-copy: fix use-after-free of task pointer
Posted by Eric Blake 4 years ago
On 5/7/20 1:38 PM, Vladimir Sementsov-Ogievskiy wrote:
> Obviously, we should g_free the task after trace point and offset
> update.
> 
> Reported-by: Coverity
> Fixes: 4ce5dd3e9b5ee0fac18625860eb3727399ee965e
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
> 
> Be free to add Coverity number to the commit message, I don't know it.
> 
>   block/block-copy.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org


Re: [PATCH] block/block-copy: fix use-after-free of task pointer
Posted by Max Reitz 4 years ago
On 07.05.20 20:38, Vladimir Sementsov-Ogievskiy wrote:
> Obviously, we should g_free the task after trace point and offset
> update.
> 
> Reported-by: Coverity
> Fixes: 4ce5dd3e9b5ee0fac18625860eb3727399ee965e
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
> 
> Be free to add Coverity number to the commit message, I don't know it.

Thanks, done, and applied to my block branch:

https://git.xanclic.moe/XanClic/qemu/commits/branch/block

Max