From: Alex Kompel
Subject: Re: [Qemu-devel] [PATCH] hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
Date: Sun, 8 Jan 2017 21:26:33 -0800

Looks like this line got wrapped: "@@ -1805,13 +1805,7 @@ PCIDevice
*pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus,"
Sorry about that. Could you unwrap it or use the attached text file?

Thanks,
-Alex

On Sun, Jan 8, 2017 at 8:06 PM, Jason Wang <address@hidden> wrote:
>
>
> On 2017-01-07 07:48, Alex Kompel wrote:
>>
>> object_property_set_bool(OBJECT(dev), true, "realized", &err) in
>> pci_nic_init_nofail may release the object if the device fails to
>> initialize, which leads to a use-after-free in the error handling block.
>> qdev_init_nofail does the same thing while holding the reference.
>>
>> (gdb) run -net nic
>> qemu-system-x86_64: failed to find romfile "efi-e1000.rom"
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> 440     in qom/object.c
>> (gdb) bt
>> #0  object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
>> #1  0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460
>> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
>> default_devaddr=<optimized out>) at hw/pci/pci.c:1812
>> #2  0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610,
>> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
>> #3  0x00005555558021ad in pc_init1 (machine=0x55555661ee10,
>> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
>> "i440FX-pcihost") at hw/i386/pc_piix.c:241
>> #4  0x00005555557519cb in main (argc=<optimized out>, argv=<optimized
>> out>, envp=<optimized out>) at vl.c:4481
>>
>> Signed-off-by: Alex Kompel <address@hidden>
>> ---
>>   hw/pci/pci.c | 8 +-------
>>   1 file changed, 1 insertion(+), 7 deletions(-)
>>
>> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
>> index 24fae16..2fd1b9e 100644
>> --- a/hw/pci/pci.c
>> +++ b/hw/pci/pci.c
>> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd,
>> PCIBus *rootbus,
>
>
> Hello, it looks like the patch was corrupted, possibly by your email client.
> Please check; we usually send patches through git send-email.
>
> Thanks
>
>
>>       pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
>>       dev = &pci_dev->qdev;
>>       qdev_set_nic_properties(dev, nd);
>> -
>> -    object_property_set_bool(OBJECT(dev), true, "realized", &err);
>> -    if (err) {
>> -        error_report_err(err);
>> -        object_unparent(OBJECT(dev));
>> -        exit(1);
>> -    }
>> +    qdev_init_nofail(dev);
>>
>>       return pci_dev;
>>   }
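Review bot: the deleted `object_property_set_bool(..., "realized", &err)` / `if (err)` block was the only visible use of `err`, so if `Error *err = NULL;` is declared higher in pci_nic_init_nofail (outside this hunk's context) it is now unused and should be removed in the same patch to avoid a compiler warning. The removed path called `object_unparent(OBJECT(dev))` after a failed realize, which the commit message says may already have dropped the last reference to `dev` (the backtrace shows the crash inside `object_unparent` at pci.c:1812); replacing it with `qdev_init_nofail(dev)`, which per the commit message holds a reference across realize, is the right fix, but please confirm in the commit message that `qdev_init_nofail` still prints the realize error (e.g. the missing-romfile message) before exiting, since the explicit `error_report_err(err)` is gone.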
>> --
>> 2.8.3
>>
>

Attachment: qemu_pci_nic_init_nofail.txt
Description: Text document