On 4/8/19 1:35 PM, Roman Bogorodskiy wrote:
Eric Blake wrote:
> Commit b647d2195 introduced a use-after-free situation when the caller
> is trying to delete a snapshot and its children: if the callback
>
> Fixes: b647d2195
> Reported-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
> Signed-off-by: Eric Blake <eblake(a)redhat.com>
> ---
> src/conf/virdomainmomentobjlist.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/conf/virdomainmomentobjlist.c b/src/conf/virdomainmomentobjlist.c
> index 65e82f632c..66eb66017b 100644
> --- a/src/conf/virdomainmomentobjlist.c
> +++ b/src/conf/virdomainmomentobjlist.c
> @@ -80,9 +80,11 @@ virDomainMomentActOnDescendant(void *payload,
> {
> virDomainMomentObjPtr obj = payload;
> struct moment_act_on_descendant *curr = data;
> + virDomainMomentObj tmp = *obj;
>
> + /* Careful: curr->iter can delete obj, hence the need for tmp */
> (curr->iter)(payload, name, curr->data);
> - curr->number += 1 + virDomainMomentForEachDescendant(obj,
> + curr->number += 1 + virDomainMomentForEachDescendant(&tmp,
> curr->iter,
> curr->data);
> return 0;
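Review bot: `tmp` is a shallow copy of `*obj`, so the recursion on `&tmp` is only safe if the callback frees `obj` itself and nothing that `obj`'s pointer members reach; if `curr->iter` also frees or unlinks descendants (the commit message says the caller deletes "a snapshot and its children"), `virDomainMomentForEachDescendant(&tmp, ...)` still walks freed memory. The comment `/* Careful: curr->iter can delete obj, hence the need for tmp */` should spell out that contract (callback may free `obj` but must leave its children intact), or the descendants should be collected before the callback runs. Separately, the copy is taken before the callback, so any change the callback makes to `obj`'s child list is not seen by the recursion; worth a sentence in the same comment, and the commit message visible above ends mid-sentence at "if the callback", so the description of the use-after-free should be completed before pushing.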
This fixes the problem for me, thanks.
The change itself looks reasonable to me, but I'm not familiar with the code
enough to go with Reviewed-by I guess.
Well, Tested-by is better than nothing; so I've gone ahead and pushed
it. Thanks for checking that it works :)
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org