Fix a potential Use-after-free in test_blockjob_common_drain

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.

From:	wliang
Subject:	Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).
Date:	Fri, 25 Feb 2022 12:21:24 +0800 (GMT+08:00)

Hi all,

I find a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).

Specifically, at line 880, the variable 'scr' is released by the bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.

880 bdrv_unref(src);

881 bdrv_set_backing_hd(src, src_backing, &error_abort);

I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.

--- bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);
+++ bdrv_unref(src);

It is a test program, so I could't get a mail-list to send. So I send it to you. Hope you can help me.

I'm looking forward to your confirmation.

Sincerely Thanks,
Wentao

0001-Fix-a-potential-Use-after-free-in-test_blockjob_comm.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0)., wliang, 2022/02/23
- Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0)., wliang <=

Prev by Date: Re: [PATCH] aio-posix: fix spurious ->poll_ready() callbacks in main loop
Next by Date: Re: [PATCH v3 4/6] i386/pc: relocate 4g start to 1T where applicable
Previous by thread: Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).
Next by thread: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Index(es):
- Date
- Thread