Fix a potential Use-after-free in test_blockjob_common_drain

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.

From:	wliang
Subject:	Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).
Date:	Wed, 23 Feb 2022 22:37:24 +0800 (GMT+08:00)

Hi all,

I find a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).

Specifically, at line 880, the variable 'scr' is released by the bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.

880 bdrv_unref(src);

881 bdrv_set_backing_hd(src, src_backing, &error_abort);

I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.

--- bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);
+++ bdrv_unref(src);

I'm looking forward to your confirmation.

Best,
Wentao

test-bdrv-drain.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0)., wliang <=
- Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0)., wliang, 2022/02/24

Prev by Date: Fix a potential memory leak bug in write_boot_rom() (v6.2.0).
Next by Date: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Previous by thread: Fix a potential memory leak bug in write_boot_rom() (v6.2.0).
Next by thread: Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).
Index(es):
- Date
- Thread