Message ID | 1322219182-18502-1-git-send-email-pbonzini@redhat.com |
---|---|
State | New |
On 11/25/2011 12:56 PM, Kevin Wolf wrote:
>> qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
>> could thus be used after free or freed again. While I do not know any
>> example in the tree, I observed this using virtio-scsi (and SCSI
>> scatter/gather) when canceling DMA requests.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> This isn't a bug fix for itself, it just makes bugs in other code more
> visible, right? It probably makes sense to do this change, but I'm not
> sure about doing it for 1.0.

It is a fix. NULLing the pointer prevents double-free bugs, and setting
niov/nalloc to 0 should prevent use-after-free.

Paolo
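The exchange above turns on what a cleared-versus-stale vector looks like to a late caller. The block below is an added illustration, not QEMU's code: `IOVec` is a stand-in modelled on the fields the patch touches, and `iovec_destroy_old`/`iovec_destroy_new` are hypothetical names for the pre-patch and post-patch shape of qemu_iovec_destroy(). The growth rule in `iovec_add` and the buffer sizes are constructed for the example.

```c
#include <assert.h>
#include <stdlib.h>
#include <sys/uio.h>   /* struct iovec */

/* Stand-in for QEMUIOVector, added illustration only (not QEMU's definition). */
typedef struct {
    struct iovec *iov;
    int niov;
    int nalloc;   /* -1 marks an externally owned array, as in the patch's assert */
    size_t size;
} IOVec;

static void iovec_init(IOVec *q, int alloc_hint)
{
    q->iov = malloc(alloc_hint * sizeof(struct iovec));
    q->niov = 0;
    q->nalloc = alloc_hint;
    q->size = 0;
}

static void iovec_add(IOVec *q, void *base, size_t len)
{
    if (q->niov == q->nalloc) {
        /* constructed growth rule; realloc(NULL, n) behaves like malloc(n) */
        q->nalloc = q->nalloc ? 2 * q->nalloc : 4;
        q->iov = realloc(q->iov, q->nalloc * sizeof(struct iovec));
    }
    q->iov[q->niov].iov_base = base;
    q->iov[q->niov].iov_len = len;
    q->niov++;
    q->size += len;
}

static void iovec_reset(IOVec *q)
{
    q->niov = 0;
    q->size = 0;
}

/* Pre-patch shape (hypothetical name): array freed, every field left stale. */
static void iovec_destroy_old(IOVec *q)
{
    assert(q->nalloc != -1);
    free(q->iov);
}

/* Post-patch shape (hypothetical name): counts zeroed, array freed, pointer nulled. */
static void iovec_destroy_new(IOVec *q)
{
    assert(q->nalloc != -1);
    iovec_reset(q);
    free(q->iov);
    q->nalloc = 0;
    q->iov = NULL;
}

static int iovec_is_cleared(const IOVec *q)
{
    return q->iov == NULL && q->niov == 0 && q->nalloc == 0 && q->size == 0;
}

/* Models a completion handler that walks the vector after a cancel path already
 * destroyed it: with niov == 0 the loop body never touches q->iov. */
static size_t bytes_visited(const IOVec *q)
{
    size_t total = 0;
    for (int i = 0; i < q->niov; i++) {
        total += q->iov[i].iov_len;
    }
    return total;
}

/* Build, destroy twice with the patched destroy, then reuse. Returns 0 on success. */
static int demo_patched_destroy(void)
{
    IOVec q;
    char page0[512], page1[4096];   /* constructed buffers standing in for guest pages */

    iovec_init(&q, 2);
    iovec_add(&q, page0, sizeof page0);
    iovec_add(&q, page1, sizeof page1);
    if (q.niov != 2 || q.size != 4608) return -1;

    iovec_destroy_new(&q);                    /* the cancel path */
    if (!iovec_is_cleared(&q)) return -2;
    iovec_destroy_new(&q);                    /* second destroy: free(NULL), no double free */
    if (bytes_visited(&q) != 0) return -3;    /* late completion sees an empty vector */

    iovec_add(&q, page0, 16);                 /* grows from nalloc == 0, no write into a freed array */
    int ok = (q.niov == 1 && q.nalloc == 4 && q.size == 16);
    iovec_destroy_new(&q);
    return ok ? 0 : -4;
}

/* Same sequence with the pre-patch destroy: niov stays at 1, so a late completion
 * would index freed memory and a second destroy would free the same pointer again.
 * Neither is executed here; only the stale count is returned. */
static int demo_old_destroy_stale_count(void)
{
    IOVec q;
    char page[64];

    iovec_init(&q, 2);
    iovec_add(&q, page, sizeof page);
    iovec_destroy_old(&q);
    return q.niov;
}
```

The point the two demos make is the one Paolo states: with the pointer nulled and the counts zeroed, a repeated destroy degrades to free(NULL) and a late completion loop runs zero iterations, whereas the stale count left by the old shape is exactly what a delayed virtio-scsi completion would iterate over. Note that after the patched destroy `nalloc` is 0, not -1, so the assert at the top of destroy no longer distinguishes "already destroyed" from "live"; a second destroy is tolerated rather than reported.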
On 25.11.2011 12:06, Paolo Bonzini wrote:
> qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
> could thus be used after free or freed again. While I do not know any
> example in the tree, I observed this using virtio-scsi (and SCSI
> scatter/gather) when canceling DMA requests.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

This isn't a bug fix for itself, it just makes bugs in other code more
visible, right? It probably makes sense to do this change, but I'm not
sure about doing it for 1.0.

Kevin

> --- > cutils.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/cutils.c b/cutils.c > index 5d995bc..731a27e 100644 > --- a/cutils.c > +++ b/cutils.c > @@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov) > { > assert(qiov->nalloc != -1); > > + qemu_iovec_reset(qiov); > g_free(qiov->iov); > + qiov->nalloc = 0; > + qiov->iov = NULL; > } > > void qemu_iovec_reset(QEMUIOVector *qiov)
diff --git a/cutils.c b/cutils.c index 5d995bc..731a27e 100644 --- a/cutils.c +++ b/cutils.c @@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov) { assert(qiov->nalloc != -1); + qemu_iovec_reset(qiov); g_free(qiov->iov); + qiov->nalloc = 0; + qiov->iov = NULL; } void qemu_iovec_reset(QEMUIOVector *qiov)
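Review bot: with the two trailing additions `qiov->nalloc = 0;` and `qiov->iov = NULL;`, a second qemu_iovec_destroy() on the same object now passes `assert(qiov->nalloc != -1);` and ends in g_free(NULL), so a repeated destroy is silently absorbed rather than caught, which cuts against the stated aim of making caller bugs visible; if the double-destroy case is meant to be surfaced, consider a distinct sentinel value for "destroyed" that the existing assert rejects, and either way add a comment on qemu_iovec_destroy() stating that it is now safe to call more than once and that the vector is left in the all-zero state rather than the -1 external-ownership state.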
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again. While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 cutils.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)