From patchwork Mon Jul 4 12:40:59 2016
X-Patchwork-Submitter: Paolo Bonzini
X-Patchwork-Id: 644181
From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: xiecl.fnst@cn.fujitsu.com, armbru@redhat.com
Date: Mon, 4 Jul 2016 14:40:59 +0200
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse

Now that json-streamer tries not to leak tokens on incomplete parse, the tokens can be freed twice if QEMU destroys the json-streamer object during the parser->emit call. To fix this, create the new empty GQueue earlier, so that it is already in place when the old one is passed to parser->emit.

Reported-by: Changlong Xie
Signed-off-by: Paolo Bonzini
Reviewed-by: Eric Blake
Reviewed-by: Markus Armbruster
---
 qobject/json-streamer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input, { JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer); JSONToken *token; + GQueue *tokens; switch (type) { case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit: /* send current list of tokens to parser and reset tokenizer */ parser->brace_count = 0; parser->bracket_count = 0; - /* parser->emit takes ownership of parser->tokens. */ - parser->emit(parser, parser->tokens); + /* parser->emit takes ownership of parser->tokens. Remove our own + * reference to parser->tokens before handing it out to parser->emit. + */ + tokens = parser->tokens; parser->tokens = g_queue_new(); + parser->emit(parser, tokens); parser->token_size = 0; }
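Review bot: the second hunk still stores to `parser->token_size = 0;` after `parser->emit(parser, tokens);` returns, and the commit message says that callback may destroy the json-streamer object; if the parser struct itself can be torn down inside emit, that store is a use-after-free even though the double free of the queue is gone. Suggest moving `parser->token_size = 0;` up beside the `brace_count` and `bracket_count` resets so that the emit call is the last thing in the function that touches `parser`, i.e. `tokens = parser->tokens; parser->tokens = g_queue_new(); parser->token_size = 0;` followed by `parser->emit(parser, tokens);`. It would also help future readers if the new comment spelled out why the replacement queue has to exist before the call: a nested destroy during emit frees whatever `parser->tokens` points at, so it must no longer point at the queue that emit now owns.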