libvirt/libvirt-nodedev-fix-potential-heap-use-after-free.patch
2019-09-30 10:58:53 -04:00


From c53f20683ef66939d94e690e875500628a5b4f3f Mon Sep 17 00:00:00 2001
From: Xu Yandong <xuyandong2@huawei.com>
Date: Thu, 29 Aug 2019 16:31:30 +0800
Subject: [PATCH] nodedev: fix potential heap use after free
After moving device enumeration into a thread (commit 9f0ae0b18e3),
the driversInitialized flag no longer means that state initialization
has finished, so take a reference on driver->devs before using it to
prevent devs from being freed by virStateCleanup while the enumeration
thread is still running.
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
src/node_device/node_device_udev.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index 276bf3d..cac9447 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -1321,9 +1321,12 @@ udevAddOneDevice(struct udev_device *device)
virNodeDeviceObjPtr obj = NULL;
virNodeDeviceDefPtr objdef;
virObjectEventPtr event = NULL;
+ virNodeDeviceObjListPtr devs = driver->devs;
bool new_device = true;
int ret = -1;
+ virObjectRef(devs);
+
if (VIR_ALLOC(def) != 0)
goto cleanup;
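Review bot: The read of `driver->devs` at the declaration and the `virObjectRef(devs)` two lines later are not atomic with respect to the teardown this patch is defending against: if virStateCleanup drops its reference between those two statements, `devs` is already a dangling pointer when it is ref'd, so the window is narrowed rather than closed. Unless the shutdown path joins the enumeration thread (or otherwise excludes it) before unreffing `driver->devs`, a reviewer would want that ordering stated in a comment, e.g. `/* NOTE: assumes virStateCleanup stops the udev thread before dropping driver->devs; the ref here only covers the rest of this function */`. If `driver->devs` can be NULL during early init, `virObjectRef` should be confirmed to tolerate that, otherwise a guard is needed before the ref. The start of udevAddOneDevice is outside this hunk, so whether any lock already serialises this read is not visible here.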
@@ -1348,14 +1351,14 @@ udevAddOneDevice(struct udev_device *device)
if (udevSetParent(device, def) != 0)
goto cleanup;
- if ((obj = virNodeDeviceObjListFindByName(driver->devs, def->name))) {
+ if ((obj = virNodeDeviceObjListFindByName(devs, def->name))) {
virNodeDeviceObjEndAPI(&obj);
new_device = false;
}
/* If this is a device change, the old definition will be freed
* and the current definition will take its place. */
- if (!(obj = virNodeDeviceObjListAssignDef(driver->devs, def)))
+ if (!(obj = virNodeDeviceObjListAssignDef(devs, def)))
goto cleanup;
objdef = virNodeDeviceObjGetDef(obj);
@@ -1371,6 +1374,7 @@ udevAddOneDevice(struct udev_device *device)
ret = 0;
cleanup:
+ virObjectUnref(devs);
virObjectEventStateQueue(driver->nodeDeviceEventState, event);
if (ret != 0) {
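Review bot: The new `virObjectUnref(devs)` is placed before `virObjectEventStateQueue(driver->nodeDeviceEventState, event)`, but `driver->nodeDeviceEventState` is driver state of the same lifetime as `driver->devs` and is not covered by the reference this patch adds, so the event queue remains reachable after the very cleanup the commit message describes. Either the unref should move to the end of the cleanup path so it documents that `devs` is the last driver object used, or the event state needs equivalent protection; at minimum a comment such as `/* devs is released here; driver->nodeDeviceEventState below is still unprotected against virStateCleanup */` would flag the gap. The cleanup label's body continues past the end of this hunk, so the full set of driver fields touched after the unref is not visible.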
--
2.19.1