Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting durin

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting durin

From:	Fam Zheng
Subject:	Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Date:	Tue, 5 Jul 2016 14:56:35 +0800
User-agent:	Mutt/1.6.1 (2016-04-27)

On Mon, 07/04 14:40, Paolo Bonzini wrote:
> Now that json-streamer tries not to leak tokens on incomplete parse,
> the tokens can be freed twice if QEMU destroys the json-streamer
> object during the parser->emit call.  To fix this, create the new
> empty GQueue earlier, so that it is already in place when the old
> one is passed to parser->emit.
> 
> Reported-by: Changlong Xie <address@hidden>
> Signed-off-by: Paolo Bonzini <address@hidden>

Two meta questions:

Is there a reproducer and/or test case coverage?

Does qemu-stable need this?

Fam

> ---
>  qobject/json-streamer.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
> index 7164390..c51c202 100644
> --- a/qobject/json-streamer.c
> +++ b/qobject/json-streamer.c
> @@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, 
> GString *input,
>  {
>      JSONMessageParser *parser = container_of(lexer, JSONMessageParser, 
> lexer);
>      JSONToken *token;
> +    GQueue *tokens;
>  
>      switch (type) {
>      case JSON_LCURLY:
> @@ -96,9 +97,12 @@ out_emit:
>      /* send current list of tokens to parser and reset tokenizer */
>      parser->brace_count = 0;
>      parser->bracket_count = 0;
> -    /* parser->emit takes ownership of parser->tokens.  */
> -    parser->emit(parser, parser->tokens);
> +    /* parser->emit takes ownership of parser->tokens.  Remove our own
> +     * reference to parser->tokens before handing it out to parser->emit.
> +     */
> +    tokens = parser->tokens;
>      parser->tokens = g_queue_new();
> +    parser->emit(parser, tokens);
>      parser->token_size = 0;
>  }
>  
> -- 
> 1.8.3.1
> 
>

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Paolo Bonzini, 2016/07/04
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Fam Zheng <=
  - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Changlong Xie, 2016/07/05
    - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Fam Zheng, 2016/07/05
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Eric Blake, 2016/07/05
- Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Markus Armbruster, 2016/07/06
  - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Paolo Bonzini, 2016/07/06
    - Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse, Markus Armbruster, 2016/07/06

Prev by Date: Re: [Qemu-devel] [PATCH 3/3] spapr: Set ibm, pa-features HTM from KVM_CAP_PPC_HTM
Next by Date: Re: [Qemu-devel] [RFC PATCH v0 2/5] cpu: Optionally use arch_id instead of cpu_index in cpu vmstate_register()
Previous by thread: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Next by thread: Re: [Qemu-devel] [PATCH] json-streamer: fix double-free on exiting during a parse
Index(es):
- Date
- Thread