On 05/03/2011 10:47 AM, Daniel P. Berrange wrote:
On Tue, May 03, 2011 at 09:46:15AM -0600, Eric Blake wrote:
> This code has had problems historically. As originally
> written, in commit 6bcf2501 (Jun 08), it could call unlink
> on a random string, nuking an unrelated file.
>
> Then commit 182a80b9 (Sep 09), the code was rewritten to
> allocate tmp, with both a use-after-free bug and a chance to
> call unlink(NULL).
>
> Commit e206946 (Mar 11) fixed the use-after-free, but not the
> NULL dereference. Thanks to clang for catching this!
>
> * src/qemu/qemu_driver.c (qemudDomainMemoryPeek): Don't call
> unlink on NULL.
> cleanup:
> VIR_FORCE_CLOSE(fd);
> - unlink (tmp);
> + if (tmp)
> + unlink (tmp);
Could loose the extra space there after function name too
[The editor in me pauses for an English lesson: s/loose/lose/.
Admittedly, English is stupid, but if you remember that 'loose' always
rhymes with 'goose', then you know when to 'use' 'lose'.]
Done
> VIR_FREE(tmp);
> if (vm)
> virDomainObjUnlock(vm);
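Review bot: the `if (tmp)` guard closes the unlink(NULL) path, but the hunk still discards unlink's return value at cleanup, so a temporary file that cannot be removed leaves no trace in the logs; consider reporting the failure (for example a VIR_WARN carrying the path and errno) so leftover temp files can be diagnosed later. Also, libvirt style puts no space between a function name and its opening parenthesis, so `unlink (tmp)` should read `unlink(tmp)`, matching the `VIR_FORCE_CLOSE(fd)` and `VIR_FREE(tmp)` lines in the same cleanup block.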
ACK
and pushed.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org