From: Marc-André Lureau <marcandre.lureau@redhat.com>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, qemu-stable@nongnu.org, Marc-André Lureau
Subject: [PATCH v2] util: fix use-after-free in module_load_one
Date: Tue, 16 Mar 2021 17:44:56 +0400
Message-Id: <20210316134456.3243102-1-marcandre.lureau@redhat.com>
From: Marc-André Lureau

g_hash_table_add always retains ownership of the pointer passed in as the
key. Its return status merely indicates whether the added entry was new, or
replaced an existing entry. Thus key must never be freed after this method
returns.

Spotted by ASAN:

==2407186==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020003ac4f0 at pc 0x7ffff766659c bp 0x7fffffffd1d0 sp 0x7fffffffc980
READ of size 1 at 0x6020003ac4f0 thread T0
    #0 0x7ffff766659b  (/lib64/libasan.so.6+0x8a59b)
    #1 0x7ffff6bfa843 in g_str_equal ../glib/ghash.c:2303
    #2 0x7ffff6bf8167 in g_hash_table_lookup_node ../glib/ghash.c:493
    #3 0x7ffff6bf9b78 in g_hash_table_insert_internal ../glib/ghash.c:1598
    #4 0x7ffff6bf9c32 in g_hash_table_add ../glib/ghash.c:1689
    #5 0x5555596caad4 in module_load_one ../util/module.c:233
    #6 0x5555596ca949 in module_load_one ../util/module.c:225
    #7 0x5555596ca949 in module_load_one ../util/module.c:225
    #8 0x5555596cbdf4 in module_load_qom_all ../util/module.c:349

Typical C bug...

Fixes: 90629122d2e ("module: use g_hash_table_add()")
Cc: qemu-stable@nongnu.org
Signed-off-by: Marc-André Lureau
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Philippe Mathieu-Daudé
---
 util/module.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/module.c b/util/module.c
index c65060c167..a2ab0bcdbc 100644
--- a/util/module.c
+++ b/util/module.c
@@ -230,10 +230,11 @@ bool module_load_one(const char *prefix, const char *lib_name, bool mayfail)
         }
     }
 
-    if (!g_hash_table_add(loaded_modules, module_name)) {
+    if (g_hash_table_contains(loaded_modules, module_name)) {
         g_free(module_name);
         return true;
     }
+    g_hash_table_add(loaded_modules, module_name);
 
     search_dir = getenv("QEMU_MODULE_DIR");
     if (search_dir != NULL) {
-- 
2.29.0
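Review bot: the contains-then-add split is the right fix, since the old code freed `module_name` on the `!g_hash_table_add(...)` path even though the table had already taken that pointer as its key (the frame `#5 module_load_one ../util/module.c:233` in the ASAN report is the next insert comparing against the freed key). Consider a one-line comment above `+    g_hash_table_add(loaded_modules, module_name);` stating that the table owns `module_name` from that point and it must not be freed, so the add-then-free pattern is not reintroduced the next time this function is touched.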
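The ownership rule the commit message describes is easy to get wrong because the return value of g_hash_table_add looks like a "did it succeed" flag. The following is an added example, not QEMU or GLib code: a constructed, GLib-free string set whose `str_set_add` has the same contract (it keeps the key pointer on every call and only reports whether the key was new), together with a `mark_loaded` helper that applies the corrected contains-then-add pattern from the patch. The set type, the helper names and the module names used are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: a tiny string set with the same ownership
 * contract as g_hash_table_add(). The set keeps the key pointer whether or
 * not it was already present; the return value only says "was new". */
#define SET_CAP 64

typedef struct {
    char *keys[SET_CAP];
    size_t len;
} str_set;

static bool str_set_contains(const str_set *s, const char *key)
{
    for (size_t i = 0; i < s->len; i++) {
        if (strcmp(s->keys[i], key) == 0) {
            return true;
        }
    }
    return false;
}

/* Takes ownership of key on every call. If the key already existed the
 * stored pointer is replaced by the caller's one (the old pointer is simply
 * dropped, as a GHashTable created without a key_destroy_func would do) and
 * false is returned; otherwise the key is stored and true is returned. */
static bool str_set_add(str_set *s, char *key)
{
    for (size_t i = 0; i < s->len; i++) {
        if (strcmp(s->keys[i], key) == 0) {
            s->keys[i] = key;       /* caller's pointer now lives in the set */
            return false;
        }
    }
    if (s->len == SET_CAP) {
        abort();                    /* example-only capacity limit */
    }
    s->keys[s->len++] = key;
    return true;
}

static void str_set_free(str_set *s)
{
    for (size_t i = 0; i < s->len; i++) {
        free(s->keys[i]);
    }
    s->len = 0;
}

/* The pattern the patch removes, kept here only as a comment:
 *     if (!str_set_add(loaded, module_name)) { free(module_name); return true; }
 * Because add() retained module_name, the free() leaves a dangling pointer
 * inside the set and the next lookup reads freed memory, which is what the
 * ASAN report in the commit message shows. */

/* Corrected pattern: check membership first, free only a key the set never
 * saw, and hand ownership to the set exactly once. Returns true when the
 * module was already recorded, false when it was recorded now. */
static bool mark_loaded(str_set *loaded, const char *prefix, const char *lib_name)
{
    size_t n = strlen(prefix) + strlen(lib_name) + 1;
    char *module_name = malloc(n);
    if (module_name == NULL) {
        abort();
    }
    snprintf(module_name, n, "%s%s", prefix, lib_name);

    if (str_set_contains(loaded, module_name)) {
        free(module_name);          /* the set never took this pointer */
        return true;
    }
    str_set_add(loaded, module_name);   /* set owns module_name from here on */
    return false;
}

/* Loads a constructed list of module names, some repeated, and returns how
 * many were reported as already loaded. Every stored key is re-read after
 * the loop, so a dangling pointer would show up under ASAN here. */
static int count_duplicate_loads(void)
{
    static const char *const libs[] = { "gtk", "gtk", "curl", "gtk", "curl" };
    str_set loaded = { .len = 0 };
    int dups = 0;

    for (size_t i = 0; i < sizeof(libs) / sizeof(libs[0]); i++) {
        if (mark_loaded(&loaded, "ui-", libs[i])) {
            dups++;
        }
    }
    /* Both distinct keys must still be readable through the set. */
    if (!str_set_contains(&loaded, "ui-gtk") || !str_set_contains(&loaded, "ui-curl")) {
        dups = -1;
    }
    str_set_free(&loaded);
    return dups;
}

int main(void)
{
    printf("duplicate loads: %d\n", count_duplicate_loads());
    return 0;
}
```

Running the block under AddressSanitizer is the useful check: the corrected `mark_loaded` is clean, and swapping in the commented-out add-then-free line reproduces a heap-use-after-free on the second load of the same name, just as the trace in the commit message shows for module_load_one.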