Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a sock

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a sock

From:	Jan Kiszka
Subject:	Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket
Date:	Thu, 21 Feb 2013 15:33:39 +0100
User-agent:	Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

On 2013-02-15 12:00, Vitaly Chipounov wrote:
> A socket may still have references to it in various queues
> at the time it is freed, causing memory corruptions.

Did you see it in practice? Or is this patch based on code review? What
will happen if those queued mbufs find their ifq_so NULL?

> 
> Signed-off-by: Vitaly Chipounov <address@hidden>
> ---
>  slirp/socket.c |   29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/slirp/socket.c b/slirp/socket.c
> index 77b0c98..8a7adc8 100644
> --- a/slirp/socket.c
> +++ b/slirp/socket.c
> @@ -55,6 +55,33 @@ socreate(Slirp *slirp)
>    return(so);
>  }
>  
> +/**
> + * It may happen that a socket is still referenced in various
> + * mbufs at the time it is freed. Clear all references to the
> + * socket here.
> + */
> +static void soremovefromqueues(struct socket *so)
> +{
> +    if (!so->so_queued) {
> +        return;
> +    }
> +
> +    Slirp *slirp = so->slirp;
> +    struct mbuf *ifm;
> +
> +    for (ifm = slirp->if_fastq.ifq_next; ifm != &slirp->if_fastq; ifm = 
> ifm->ifq_next) {

This line and the one below smells like checkpatch.pl wasn't run against
it. Granted, slirp patches easy make checkpatch upset as the input is
not properly formatted, but please don't add more violations.

> +        if (ifm->ifq_so == so) {
> +            ifm->ifq_so = NULL;
> +        }
> +    }
> +
> +    for (ifm = slirp->if_batchq.ifq_next; ifm != &slirp->if_batchq; ifm = 
> ifm->ifq_next) {
> +        if (ifm->ifq_so == so) {
> +            ifm->ifq_so = NULL;
> +        }
> +    }
> +}
> +
>  /*
>   * remque and free a socket, clobber cache
>   */
> @@ -79,6 +106,8 @@ sofree(struct socket *so)
>    if(so->so_next && so->so_prev)
>      remque(so);  /* crashes if so is not in a queue */
>  
> +  soremovefromqueues(so);
> +
>    free(so);
>  }
>  
> 

Sorry for the late feedback,
Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, Vitaly Chipounov, 2013/02/15
- Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, Jan Kiszka <=
  - Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, Vitaly Chipounov, 2013/02/22
    - Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, Jan Kiszka, 2013/02/22
- Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, mdroth, 2013/02/21
  - Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket, mdroth, 2013/02/21

Prev by Date: Re: [Qemu-devel] [PATCH] move qemu-ga from bin to libexec dir, use $HELPERS
Next by Date: Re: [Qemu-devel] [edk2] [RFC PATCH] Distinguish between reset types
Previous by thread: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket
Next by thread: Re: [Qemu-devel] [PATCH] slirp: fixed potential use-after-free of a socket
Index(es):
- Date
- Thread