[Qemu-devel] block-vmdk.c:vmdk_close() use-after-free

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] block-vmdk.c:vmdk_close() use-after-free

From:	Ed Maste
Subject:	[Qemu-devel] block-vmdk.c:vmdk_close() use-after-free
Date:	Wed, 21 May 2008 15:41:58 -0400
User-agent:	Mutt/1.4.2.1i

I ran into a segfault running qemu-img on FreeBSD (with malloc debugging
on by default).  It's reproducible by running

  qemu-img convert -O vmdk /dev/null x.vmdk

It turns out to be a use-after-free in block-vmdk.c:vmdk_close().  I
think the following patch should fix it:

Index: block-vmdk.c
===================================================================
--- block-vmdk.c        (revision 4519)
+++ block-vmdk.c        (working copy)
@@ -808,9 +808,9 @@

     qemu_free(s->l1_table);
     qemu_free(s->l2_cache);
-    bdrv_delete(s->hd);
     // try to close parent image, if exist
     vmdk_parent_close(s->hd);
+    bdrv_delete(s->hd);
 }

 static void vmdk_flush(BlockDriverState *bs)

Regards,
Ed

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] block-vmdk.c:vmdk_close() use-after-free, Ed Maste <=

Prev by Date: Re: [Qemu-devel] Re: [PATCH][v2] Align file accesses with cache=off (O_DIRECT)
Next by Date: Re: [Qemu-devel] Re: [PATCH][v2] Align file accesses with cache=off (O_DIRECT)
Previous by thread: [Qemu-devel] [PATCH 0/2] use halted attribute for x86
Next by thread: [Qemu-devel] Mouse click queue patch
Index(es):
- Date
- Thread