[Qemu-devel] [PATCH] qxl: check release info object

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH] qxl: check release info object

From:	P J P
Subject:	[Qemu-devel] [PATCH] qxl: check release info object
Date:	Thu, 25 Apr 2019 12:05:34 +0530

From: Prasad J Pandit <address@hidden>

When releasing spice resources in release_resource() routine,
if release info object 'ext.info' is null, it leads to null
pointer dereference. Add check to avoid it.

Reported-by: Bugs SysSec <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/display/qxl.c | 3 +++
 1 file changed, 3 insertions(+)

===
(process:30785): Spice-WARNING **: 11:43:59.284: 
memslot.c:68:memslot_validate_virt: virtual address out of range
    virt=0x555556d247e0+0xbf slot_id=0 group_id=0
    slot=0x0-0x0 delta=0x0

Thread 5 "SPICE Worker" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdb7ff700 (LWP 30792)]
interface_release_resource (sin=0x555556d12738, ext=...) at hw/display/qxl.c:785
785             QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
(gdb) bt
#0  0x0000555555adca68 in interface_release_resource (sin=0x555556d12738, 
ext=...) at hw/display/qxl.c:785
#1  0x00007ffff74991d5 in red_drawable_unref (red_drawable=0x7fffd402a520) at 
red-worker.c:100
#2  0x00007ffff749941c in red_drawable_unref (red_drawable=<optimized out>) at 
red-worker.c:229
#3  0x00007ffff749941c in red_process_display (address@hidden, address@hidden) 
at red-worker.c:229
#4  0x00007ffff74995f2 in worker_source_dispatch (source=<optimized out>, 
callback=<optimized out>, user_data=<optimized out>) at red-worker.c:1265
#5  0x00007ffff7ec906d in g_main_dispatch (context=0x555556e38fc0) at 
gmain.c:3182
#6  0x00007ffff7ec906d in g_main_context_dispatch (address@hidden) at 
gmain.c:3847
#7  0x00007ffff7ec9438 in g_main_context_iterate (context=0x555556e38fc0, 
address@hidden, address@hidden, self=<optimized out>) at gmain.c:3920
#8  0x00007ffff7ec9762 in g_main_loop_run (loop=0x7fffd4002100) at gmain.c:4116
#9  0x00007ffff7498dde in red_worker_main (arg=0x555556e2f050) at 
red-worker.c:1369
#10 0x00007ffff70e458e in start_thread () at /lib64/libpthread.so.0
#11 0x00007ffff7013683 in clone () at /lib64/libc.so.6
(gdb)
===

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce5781e0..632923add2 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
     QXLReleaseRing *ring;
     uint64_t *item, id;
 
+    if (!ext.info) {
+        return;
+    }
     if (ext.group_id == MEMSLOT_GROUP_HOST) {
         /* host group -> vga mode update request */
         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
-- 
2.20.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] qxl: check release info object, P J P <=

Prev by Date: Re: [Qemu-devel] [PATCH 4/6] cirrus / travis: Add gnu-sed and bash for macOS and FreeBSD
Next by Date: Re: [Qemu-devel] [PATCH v3 01/13] tests: acpi: make RSDT test routine handle XSDT
Previous by thread: [Qemu-devel] [PATCH v3 00/13] tests: acpi: add UEFI (ARM) testing support
Next by thread: Re: [Qemu-devel] [PATCH v7 1/2] qemu-io: Use error_[gs]et_progname()
Index(es):
- Date
- Thread