pool/qemu
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4d7bbe2c05
qemu/util-fix-use-after-free-in-module_load_o.patch

59 lines
2.3 KiB
Diff
Raw Normal View History

Accepting request 885459 from home:bfrogers:branches:Virtualization - Include upstream patches designated as stable material and reviewed for applicability to include here. NOTE that the PIIX4 patch has migration implications: the change will also be applied to the SLE-15-SP2 qemu, and a live migration from that version to this SLE-15-SP3 qemu would require this patch to be applied for a successful migration if PIIX4 southbridge is used in the machine emulation (x86 i440fx) block-rbd-fix-memory-leak-in-qemu_rbd_co.patch block-rbd-Fix-memory-leak-in-qemu_rbd_co.patch cpu-core-Fix-help-of-CPU-core-device-typ.patch hw-arm-virt-acpi-build-Fix-GSIV-values-o.patch hw-block-fdc-Fix-fallback-property-on-sy.patch hw-isa-Kconfig-Add-missing-dependency-VI.patch hw-isa-piix4-Migrate-Reset-Control-Regis.patch hw-virtio-pci-Added-AER-capability.patch hw-virtio-pci-Added-counter-for-pcie-cap.patch s390x-css-report-errors-from-ccw_dstream.patch target-xtensa-fix-meson.build-rule-for-x.patch util-fix-use-after-free-in-module_load_o.patch virtio-pci-compat-page-aligned-ATS.patch OBS-URL: https://build.opensuse.org/request/show/885459 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=634
2021-04-14 20:51:51 +02:00
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Tue, 16 Mar 2021 17:44:56 +0400
Subject: util: fix use-after-free in module_load_one
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 64e16fbbf49ce81b37841480d14b0caf5753c98e
g_hash_table_add always retains ownership of the pointer passed in as
the key. Its return status merely indicates whether the added entry was
new, or replaced an existing entry. Thus key must never be freed after
this method returns.
Spotted by ASAN:
==2407186==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020003ac4f0 at pc 0x7ffff766659c bp 0x7fffffffd1d0 sp 0x7fffffffc980
READ of size 1 at 0x6020003ac4f0 thread T0
#0 0x7ffff766659b (/lib64/libasan.so.6+0x8a59b)
#1 0x7ffff6bfa843 in g_str_equal ../glib/ghash.c:2303
#2 0x7ffff6bf8167 in g_hash_table_lookup_node ../glib/ghash.c:493
#3 0x7ffff6bf9b78 in g_hash_table_insert_internal ../glib/ghash.c:1598
#4 0x7ffff6bf9c32 in g_hash_table_add ../glib/ghash.c:1689
#5 0x5555596caad4 in module_load_one ../util/module.c:233
#6 0x5555596ca949 in module_load_one ../util/module.c:225
#7 0x5555596ca949 in module_load_one ../util/module.c:225
#8 0x5555596cbdf4 in module_load_qom_all ../util/module.c:349
Typical C bug...
Fixes: 90629122d2e ("module: use g_hash_table_add()")
Cc: qemu-stable@nongnu.org
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210316134456.3243102-1-marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
util/module.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/util/module.c b/util/module.c
index cbe89fede628c3674e49194ee688..7661d0f6234d952f375ad09f67d7 100644
--- a/util/module.c
+++ b/util/module.c
@@ -230,10 +230,11 @@ bool module_load_one(const char *prefix, const char *lib_name, bool mayfail)
}
}
- if (!g_hash_table_add(loaded_modules, module_name)) {
+ if (g_hash_table_contains(loaded_modules, module_name)) {
g_free(module_name);
return true;
}
+ g_hash_table_add(loaded_modules, module_name);
search_dir = getenv("QEMU_MODULE_DIR");
if (search_dir != NULL) {
Reference in New Issue Copy Permalink