[Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst_file

From:	Vladimir Sementsov-Ogievskiy
Subject:	[Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst_file
Date:	Sat, 25 Feb 2017 22:31:55 +0300

hmp_savevm calls qemu_savevm_state(f), which sets to_dst_file=f in
global migration state. Then hmp_savevm closes f (g_free called).

Next access to to_dst_file in migration state (for example,
qmp_migrate_set_speed) will use it after it was freed.

Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
---
 migration/savevm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/migration/savevm.c b/migration/savevm.c
index 75e56d2d07..fcb8fd8acd 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1276,6 +1276,11 @@ done:
         status = MIGRATION_STATUS_COMPLETED;
     }
     migrate_set_state(&ms->state, MIGRATION_STATUS_SETUP, status);
+
+    /* f is outer parameter, it should not stay in global migration state after
+     * this function finished */
+    ms->to_dst_file = NULL;
+
     return ret;
 }
 
-- 
2.11.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-block] [PATCH 0/4] some migration bugs, Vladimir Sementsov-Ogievskiy, 2017/02/25
- [Qemu-block] [PATCH 2/4] qmp-cont: invalidate on RUN_STATE_PRELAUNCH, Vladimir Sementsov-Ogievskiy, 2017/02/25
- [Qemu-block] [PATCH 3/4] savevm: fix savevm after migration, Vladimir Sementsov-Ogievskiy, 2017/02/25
  - Re: [Qemu-block] [PATCH 3/4] savevm: fix savevm after migration, Denis V. Lunev, 2017/02/27
- [Qemu-block] [PATCH 1/4] iotests: add migration corner cases test, Vladimir Sementsov-Ogievskiy, 2017/02/25
- [Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst_file, Vladimir Sementsov-Ogievskiy <=
  - Re: [Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst_file, Dr. David Alan Gilbert, 2017/02/27
  - Re: [Qemu-block] [Qemu-devel] [PATCH 4/4] migration: fix use-after-free of to_dst_file, Dr. David Alan Gilbert, 2017/02/28

Prev by Date: [Qemu-block] [PATCH 1/4] iotests: add migration corner cases test
Next by Date: [Qemu-block] [PATCH 0/4] some migration bugs
Previous by thread: [Qemu-block] [PATCH 1/4] iotests: add migration corner cases test
Next by thread: Re: [Qemu-block] [PATCH 4/4] migration: fix use-after-free of to_dst_file
Index(es):
- Date
- Thread