Re: [Qemu-devel] [PATCH 7/8] dump: Fix use-after-free in create_kdump_vmcore()

[qiaonuohan]

On 05/27/2014 09:40 AM, address@hidden wrote:
> From: Gonglei<address@hidden>
>
> Spotted by Coverity:
>
> (7) Event closed_arg:  "write_dump_pages(DumpState *)" closes "s->fd". [details]
> Also see events:  [pass_closed_arg]
>
> 1490        ret = write_dump_pages(s);
> (8) Event cond_false:  Condition "ret<  0", taking false branch
>
> 1491        if (ret<  0) {
> 1492            return -1;
> (9) Event if_end:  End of if statement
>
> 1493        }
> 1494
> (10) Event pass_closed_arg:  Passing closed handle "s->fd" as an argument to function 
> "write_end_flat_header(int)".
> Also see events:  [closed_arg]
>
> 1495        ret = write_end_flat_header(s->fd);
> 1496        if (ret<  0) {
> 1497            dump_error(s, "dump: failed to write end flat header.\n");
> 1498            return -1;
> 1499        }
> 1500
> 1501        dump_completed(s);
> 1502
> 1503        return 0;
> 1504    }
>
> Signed-off-by: Gonglei<address@hidden>

Reviewed-by: Qiao Nuohan <address@hidden>

> ---
>   dump.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/dump.c b/dump.c
> index e56b7cf..3a704e9 100644
> --- a/dump.c
> +++ b/dump.c
> @@ -1296,6 +1296,7 @@ static int write_dump_pages(DumpState *s)
>       /* prepare buffer to store compressed data */
>       len_buf_out = get_len_buf_out(s->page_size, s->flag_compress);
>       if (len_buf_out == 0) {
> +        ret = -1;
>           dump_error(s, "dump: failed to get length of output buffer.\n");
>           goto out;
>       }


--
Regards
Qiao Nuohan