Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting durin

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting durin

From:	Changlong Xie
Subject:	Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Date:	Tue, 5 Jul 2016 15:16:18 +0800
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

On 07/05/2016 02:56 PM, Fam Zheng wrote:

On Mon, 07/04 14:40, Paolo Bonzini wrote:

Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.

Reported-by: Changlong Xie <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>


Two meta questions:

Is there a reproducer and/or test case coverage?


tests/qemu-iotests/071


Does qemu-stable need this?


http://lists.nongnu.org/archive/html/qemu-devel/2016-07/msg00465.html

Thanks
        -Xie

Fam

---
  qobject/json-streamer.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, 
GString *input,
  {
      JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
      JSONToken *token;
+    GQueue *tokens;

      switch (type) {
      case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
      /* send current list of tokens to parser and reset tokenizer */
      parser->brace_count = 0;
      parser->bracket_count = 0;
-    /* parser->emit takes ownership of parser->tokens.  */
-    parser->emit(parser, parser->tokens);
+    /* parser->emit takes ownership of parser->tokens.  Remove our own
+     * reference to parser->tokens before handing it out to parser->emit.
+     */
+    tokens = parser->tokens;
      parser->tokens = g_queue_new();
+    parser->emit(parser, tokens);
      parser->token_size = 0;
  }

--
1.8.3.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Paolo Bonzini, 2016/07/04
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Fam Zheng, 2016/07/05
  - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Changlong Xie <=
    - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Fam Zheng, 2016/07/05
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Eric Blake, 2016/07/05
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Markus Armbruster, 2016/07/06
  - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Paolo Bonzini, 2016/07/06
    - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Markus Armbruster, 2016/07/06

Prev by Date: Re: [Qemu-devel] [RFC PATCH v0 0/5] sPAPR: Fix migration when CPUs are removed in random order
Next by Date: Re: [Qemu-devel] [RFC PATCH v0 2/5] cpu: Optionally use arch_id instead of cpu_index in cpu vmstate_register()
Previous by thread: Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Next by thread: Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Index(es):
- Date
- Thread