Re: [Qemu-block] [Qemu-devel] [PATCH 4/4] migration: fix use-after-free of to_dst_file

[Dr. David Alan Gilbert]

* Vladimir Sementsov-Ogievskiy (address@hidden) wrote:
> hmp_savevm calls qemu_savevm_state(f), which sets to_dst_file=f in
> global migration state. Then hmp_savevm closes f (g_free called).
> 
> Next access to to_dst_file in migration state (for example,
> qmp_migrate_set_speed) will use it after it was freed.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>

Queued just this one.

> ---
>  migration/savevm.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/migration/savevm.c b/migration/savevm.c
> index 75e56d2d07..fcb8fd8acd 100644
> --- a/migration/savevm.c
> +++ b/migration/savevm.c
> @@ -1276,6 +1276,11 @@ done:
>          status = MIGRATION_STATUS_COMPLETED;
>      }
>      migrate_set_state(&ms->state, MIGRATION_STATUS_SETUP, status);
> +
> +    /* f is outer parameter, it should not stay in global migration state 
> after
> +     * this function finished */
> +    ms->to_dst_file = NULL;
> +
>      return ret;
>  }
>  
> -- 
> 2.11.1
> 
> 
--
Dr. David Alan Gilbert / address@hidden / Manchester, UK