[libvirt] [PATCH] qemu: avoid null pointer dereference

This code has had problems historically. As originally written, in commit 6bcf2501 (Jun 08), it could call unlink on a random string, nuking an unrelated file. Then commit 182a80b9 (Sep 09), the code was rewritten to allocate tmp, with both a use-after-free bug and a chance to call unlink(NULL). Commit e206946 (Mar 11) fixed the use-after-free, but not the NULL dereference. Thanks to clang for catching this! * src/qemu/qemu_driver.c (qemudDomainMemoryPeek): Don't call unlink on NULL. --- src/qemu/qemu_driver.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 16d869d..3ee4720 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5355,7 +5355,8 @@ endjob: cleanup: VIR_FORCE_CLOSE(fd); - unlink (tmp); + if (tmp) + unlink (tmp); VIR_FREE(tmp); if (vm) virDomainObjUnlock(vm); -- 1.7.4.4
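Review bot: the new `if (tmp)` guard is only sufficient if tmp is NULL whenever the temp file does not exist, and the hunk does not show where tmp is assigned; worth confirming in qemudDomainMemoryPeek that tmp starts out NULL and that a failed creation of the temp file frees and clears it, otherwise the cleanup label still calls unlink on a path that was never created (harmless ENOENT, but the unlink return value is not checked, so it would go unnoticed). Minor style: `unlink (tmp)` keeps a space before the parenthesis while `VIR_FREE(tmp)` and `virDomainObjUnlock(vm)` in the same hunk do not; `unlink(tmp)` would match.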

On Tue, May 03, 2011 at 09:46:15AM -0600, Eric Blake wrote:
This code has had problems historically. As originally written, in commit 6bcf2501 (Jun 08), it could call unlink on a random string, nuking an unrelated file.
Then commit 182a80b9 (Sep 09), the code was rewritten to allocate tmp, with both a use-after-free bug and a chance to call unlink(NULL).
Commit e206946 (Mar 11) fixed the use-after-free, but not the NULL dereference. Thanks to clang for catching this!
* src/qemu/qemu_driver.c (qemudDomainMemoryPeek): Don't call unlink on NULL. --- src/qemu/qemu_driver.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 16d869d..3ee4720 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5355,7 +5355,8 @@ endjob:
cleanup: VIR_FORCE_CLOSE(fd); - unlink (tmp); + if (tmp) + unlink (tmp);
Could loose the extra space there after function name too
VIR_FREE(tmp); if (vm) virDomainObjUnlock(vm);
ACK
Daniel
-- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 05/03/2011 10:47 AM, Daniel P. Berrange wrote:
On Tue, May 03, 2011 at 09:46:15AM -0600, Eric Blake wrote:
This code has had problems historically. As originally written, in commit 6bcf2501 (Jun 08), it could call unlink on a random string, nuking an unrelated file.
Then commit 182a80b9 (Sep 09), the code was rewritten to allocate tmp, with both a use-after-free bug and a chance to call unlink(NULL).
Commit e206946 (Mar 11) fixed the use-after-free, but not the NULL dereference. Thanks to clang for catching this!
* src/qemu/qemu_driver.c (qemudDomainMemoryPeek): Don't call unlink on NULL.
cleanup: VIR_FORCE_CLOSE(fd); - unlink (tmp); + if (tmp) + unlink (tmp);
Could loose the extra space there after function name too
[The editor in me pauses for an English lesson: s/loose/lose/. Admittedly, English is stupid, but if you remember that 'loose' always rhymes with 'goose', then you know when to 'use' 'lose'.]
Done
VIR_FREE(tmp); if (vm) virDomainObjUnlock(vm);
ACK
and pushed. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
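The cleanup pattern the thread converges on (tmp initialised to NULL, cleared again if the file was never created, and only unlinked when non-NULL), as an added C example that is not libvirt's code; peek_roundtrip and its temp-file payload are hypothetical stand-ins for what qemudDomainMemoryPeek does around its cleanup: label.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (added example, not libvirt code): stage a payload in a
 * temp file, read it back, and leave through one cleanup: label the way
 * qemudDomainMemoryPeek does. Returns 0 on a successful round trip, -1
 * otherwise; the failure paths must not crash or touch a never-created file. */
int peek_roundtrip(const char *tmpdir, const char *payload)
{
    char *tmp = NULL;      /* stays NULL until a file really exists on disk */
    char readback[64];
    int fd = -1;
    int ret = -1;
    ssize_t n;
    /* Early bail-out: this is the path on which the pre-patch code reached
     * unlink(tmp) with tmp still NULL. */
    if (!tmpdir || !payload || strlen(payload) >= sizeof(readback))
        goto cleanup;

    size_t len = strlen(tmpdir) + sizeof("/peek-XXXXXX");
    if (!(tmp = malloc(len)))
        goto cleanup;
    snprintf(tmp, len, "%s/peek-XXXXXX", tmpdir);
    fd = mkstemp(tmp);
    if (fd < 0) {          /* nothing was created: drop the name so cleanup */
        free(tmp);         /* does not unlink a path that never existed     */
        tmp = NULL;
        goto cleanup;
    }
    n = write(fd, payload, strlen(payload));
    if (n < 0 || (size_t)n != strlen(payload) || lseek(fd, 0, SEEK_SET) < 0)
        goto cleanup;
    n = read(fd, readback, sizeof(readback) - 1);
    if (n < 0)
        goto cleanup;
    readback[n] = '\0';
    ret = strcmp(readback, payload) == 0 ? 0 : -1;

cleanup:
    if (fd >= 0)
        close(fd);
    if (tmp && unlink(tmp) < 0)   /* guard first: unlink(NULL) is invalid */
        ret = -1;                 /* free(NULL) below is fine, unlink(NULL) is not */
    free(tmp);
    return ret;
}
```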
participants (2)
- Daniel P. Berrange
- Eric Blake