From c53f20683ef66939d94e690e875500628a5b4f3f Mon Sep 17 00:00:00 2001
From: Xu Yandong
Date: Thu, 29 Aug 2019 16:31:30 +0800
Subject: [PATCH] nodedev: fix potential heap use after free

After move device enumumeration into a thread(commit 9f0ae0b18e3), flag driversInitialized no longer represent stateInitialized finished complete, so reference driver->devs before use it to prevent devs freed by virStateCleanup.

Signed-off-by: Xu Yandong
---
 src/node_device/node_device_udev.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index 276bf3d..cac9447 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -1321,9 +1321,12 @@ udevAddOneDevice(struct udev_device *device)
     virNodeDeviceObjPtr obj = NULL;
     virNodeDeviceDefPtr objdef;
     virObjectEventPtr event = NULL;
+    virNodeDeviceObjListPtr devs = driver->devs;
     bool new_device = true;
     int ret = -1;
 
+    virObjectRef(devs);
+
     if (VIR_ALLOC(def) != 0)
         goto cleanup;
 
@@ -1348,14 +1351,14 @@ udevAddOneDevice(struct udev_device *device)
     if (udevSetParent(device, def) != 0)
         goto cleanup;
 
-    if ((obj = virNodeDeviceObjListFindByName(driver->devs, def->name))) {
+    if ((obj = virNodeDeviceObjListFindByName(devs, def->name))) {
         virNodeDeviceObjEndAPI(&obj);
         new_device = false;
     }
 
     /* If this is a device change, the old definition will be freed
      * and the current definition will take its place. */
-    if (!(obj = virNodeDeviceObjListAssignDef(driver->devs, def)))
+    if (!(obj = virNodeDeviceObjListAssignDef(devs, def)))
         goto cleanup;
 
     objdef = virNodeDeviceObjGetDef(obj);
@@ -1371,6 +1374,7 @@ udevAddOneDevice(struct udev_device *device)
     ret = 0;
 
 cleanup:
+    virObjectUnref(devs);
     virObjectEventStateQueue(driver->nodeDeviceEventState, event);
 
     if (ret != 0) {
-- 
2.19.1
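Review bot: Taking the reference after reading `driver->devs` does not close the race the commit message describes: if virStateCleanup can drop the list's last reference concurrently, `virObjectRef(devs)` on an already-freed pointer is itself a use-after-free, and `driver` (presumably a global torn down by the same cleanup path) is still read with no protection at all. A reference only helps when it is taken while the object is guaranteed alive, e.g. under the driver lock in the same critical section where cleanup checks for an in-flight enumeration, or by having the state cleanup join the enumeration thread before freeing the list. At minimum the added line deserves a why-comment, `/* Hold a ref: the enumeration thread can outlive driver init and race virStateCleanup */`, so the next reader knows which lifetime it is guarding. udevAddOneDevice's signature and the rest of its body lie outside this hunk.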
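Review bot: `virObjectUnref(devs)` on the cleanup path is placed before `virObjectEventStateQueue(driver->nodeDeviceEventState, event)`, which dereferences `driver` and the event state with no reference held, so the lifetime hazard this commit addresses for `devs` appears to apply one line later if cleanup can free those as well; if the ordering is deliberate, say so in a comment, otherwise the unref should move after the event is queued. The unref also runs on every exit, including the early `goto cleanup` paths, which is only correct because the ref is taken before the first goto at the top of the function; a comment such as `/* paired with the virObjectRef at the top of the function */` would make that invariant visible. udevAddOneDevice continues past the end of this hunk.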