[Qemu-devel] [PATCH v2 04/23] QemuOpts: Fix qemu_opts_foreach() dangling location regression

From: Stefan Hajnoczi
Subject: [Qemu-devel] [PATCH v2 04/23] QemuOpts: Fix qemu_opts_foreach() dangling location regression
Date: Mon, 9 May 2016 13:07:48 +0100
From: Markus Armbruster <address@hidden>
qemu_opts_foreach() pushes and pops a Location with automatic storage
duration. Except it fails to pop when @func() returns non-zero.
cur_loc then points to unused stack space, and will most likely get
clobbered in short order.
Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.
Affects several qemu command line options as well as qemu-img,
qemu-io, qemu-nbd -object, and blkdebug's configuration file.
Broken in commit a4c7367, v2.4.0.
Reproducer:
$ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar
main() reports "Property '.foo' not found" like this:
    if (qemu_opts_foreach(qemu_find_opts("object"),
                          user_creatable_add_opts_foreach,
                          object_create_delayed, &err)) {
        error_report_err(err);
        exit(1);
    }
cur_loc then points to where qemu_opts_foreach()'s Location used to
be, i.e. unused stack space. With optimization, this Location doesn't
get clobbered for me, and also happens to be the correct location.
Without optimization, it does get clobbered in a way that makes
error_report_err() report no location.
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
---
util/qemu-option.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/util/qemu-option.c b/util/qemu-option.c
index dd9e73d..3467dc2 100644
--- a/util/qemu-option.c
+++ b/util/qemu-option.c
@@ -1108,19 +1108,19 @@ int qemu_opts_foreach(QemuOptsList *list,
qemu_opts_loopfunc func,
{
Location loc;
QemuOpts *opts;
- int rc;
+ int rc = 0;
loc_push_none(&loc);
QTAILQ_FOREACH(opts, &list->head, next) {
loc_restore(&opts->loc);
rc = func(opaque, opts, errp);
if (rc) {
- return rc;
+ break;
}
assert(!errp || !*errp);
}
loc_pop(&loc);
- return 0;
+ return rc;
}
static size_t count_opts_list(QemuOptsList *list)
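Review bot: the break plus `return rc` correctly routes the failure path through `loc_pop(&loc)`, but it is worth spelling out the behavioural consequence in the commit message: once `loc_pop(&loc)` has run, the per-option location installed by `loc_restore(&opts->loc)` is no longer current, so a caller that then calls `error_report_err(err)` (as main() does in the snippet above) prints the caller's own location rather than the offending option's. That is the intended trade (a valid but less specific location instead of a dangling pointer); if the option's location matters to users, the error would have to carry it itself. Initialising `rc = 0` is required so the empty-list and all-succeed cases still return 0, and skipping `assert(!errp || !*errp)` on the break path is right since that is exactly the case where `*errp` is set.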
--
2.5.5
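To make the dangling-Location mechanism from the commit message concrete, here is an added C example (not QEMU's code): a toy Location stack with a pushes-minus-pops counter, the pre-fix loop shape beside the patched one, and a driver that reports whether the stack is balanced after a callback fails. The depth counter, the `reject_seven` callback and the integer option list are assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
/* Toy model of QEMU's Location stack (constructed for this example): callers
 * keep a Location in automatic storage, cur_loc points at the innermost one. */
typedef struct Location { int num; struct Location *prev; } Location;
static Location *cur_loc;   /* innermost pushed Location, NULL when none */
static int loc_depth;       /* pushes minus pops; 0 once every frame is popped */
static int last_rc;         /* return value of the most recent foreach run */
static void loc_push(Location *l, int num) {
    l->num = num; l->prev = cur_loc; cur_loc = l; loc_depth++;
}
static void loc_pop(Location *l) {
    assert(cur_loc == l); cur_loc = l->prev; loc_depth--;
}
typedef int (*loopfunc)(int opt);
/* Pre-fix shape: the early return skips loc_pop(), leaving cur_loc dangling. */
int buggy_foreach(const int *opts, size_t n, loopfunc func) {
    Location loc;
    loc_push(&loc, -1);                     /* loc_push_none(&loc) */
    for (size_t i = 0; i < n; i++) {
        loc.num = opts[i];                  /* loc_restore(&opts->loc) */
        int rc = func(opts[i]);
        if (rc) return rc;                  /* BUG: loc is never popped */
    }
    loc_pop(&loc);
    return 0;
}
/* Patched shape: break out of the loop, pop, then return the callback's rc. */
int fixed_foreach(const int *opts, size_t n, loopfunc func) {
    Location loc; int rc = 0;
    loc_push(&loc, -1);
    for (size_t i = 0; i < n; i++) {
        loc.num = opts[i];
        if ((rc = func(opts[i])) != 0) break;
    }
    loc_pop(&loc);
    return rc;
}
static int reject_seven(int opt) { return opt == 7 ? -1 : 0; } /* fails on 7 */
/* Runs one foreach under a caller-owned Location. Returns 1 if the stack came
 * back balanced, 0 if a frame leaked; loc_depth is checked instead of cur_loc
 * so the dangling pointer left by the buggy version is never read. */
int run_balanced(int (*foreach)(const int *, size_t, loopfunc)) {
    static const int opts[] = { 3, 7, 9 };  /* constructed option list */
    Location outer; cur_loc = NULL; loc_depth = 0;
    loc_push(&outer, 0);
    last_rc = foreach(opts, 3, reject_seven);
    int balanced = (loc_depth == 1);
    if (balanced) loc_pop(&outer);          /* only safe when cur_loc == &outer */
    return balanced;
}
```

Both variants return the callback's -1; only the patched shape leaves the caller's Location current afterwards.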