Re: [Qemu-devel] [PATCH 7/8] dump: Fix use-after-free in create_kdump_vmcore()

From: Laszlo Ersek
Subject: Re: [Qemu-devel] [PATCH 7/8] dump: Fix use-after-free in create_kdump_vmcore()
Date: Tue, 27 May 2014 12:06:58 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
On 05/27/14 03:40, address@hidden wrote:
> From: Gonglei <address@hidden>
>
> Spotted by Coverity:
>
> (7) Event closed_arg: "write_dump_pages(DumpState *)" closes "s->fd".
> [details]
> Also see events: [pass_closed_arg]
>
> 1490 ret = write_dump_pages(s);
> (8) Event cond_false: Condition "ret < 0", taking false branch
>
> 1491 if (ret < 0) {
> 1492 return -1;
> (9) Event if_end: End of if statement
>
> 1493 }
> 1494
> (10) Event pass_closed_arg: Passing closed handle "s->fd" as an argument to
> function "write_end_flat_header(int)".
> Also see events: [closed_arg]
>
> 1495 ret = write_end_flat_header(s->fd);
> 1496 if (ret < 0) {
> 1497 dump_error(s, "dump: failed to write end flat header.\n");
> 1498 return -1;
> 1499 }
> 1500
> 1501 dump_completed(s);
> 1502
> 1503 return 0;
> 1504 }
>
> Signed-off-by: Gonglei <address@hidden>
> ---
> dump.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/dump.c b/dump.c
> index e56b7cf..3a704e9 100644
> --- a/dump.c
> +++ b/dump.c
> @@ -1296,6 +1296,7 @@ static int write_dump_pages(DumpState *s)
> /* prepare buffer to store compressed data */
> len_buf_out = get_len_buf_out(s->page_size, s->flag_compress);
> if (len_buf_out == 0) {
> + ret = -1;
> dump_error(s, "dump: failed to get length of output buffer.\n");
> goto out;
> }
>
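Review bot: the added `ret = -1;` covers only the `len_buf_out == 0` exit of write_dump_pages(); the rest of the function is outside the hunk, so please confirm that every other `goto out` error path also sets ret to a negative value before jumping, otherwise create_kdump_vmcore() still sees `ret < 0` as false at trace line 1491 and passes the already-closed `s->fd` to write_end_flat_header() at line 1495, exactly the pass_closed_arg event Coverity reports. A more robust shape is to initialise ret to -1 at the top of write_dump_pages() and set it to 0 only on the success path, so no future error branch can forget it. Also, the subject says "use-after-free" while the quoted Coverity events (closed_arg, pass_closed_arg) describe reuse of a closed file descriptor; aligning the commit message with the report would make the fix easier to understand from the log.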
This patch conflicts with my pending set (which has one R-b from Paolo).
Patch 7/7 of the series in question reworks get_len_buf_out(), and then
write_dump_pages() asserts that the retval is zero.
http://lists.nongnu.org/archive/html/qemu-devel/2014-05/msg03966.html
Gonglei (Arei), can you please rebase this series on mine? And Luiz, can
you please pick up my series?
Thanks,
Laszlo