|
From: | Eric Blake |
Subject: | Re: [PATCH 2/6] block/mirror: fix use after free of local_err |
Date: | Wed, 25 Mar 2020 08:01:47 -0500 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 |
On 3/25/20 6:11 AM, Max Reitz wrote:
On 24.03.20 16:36, Vladimir Sementsov-Ogievskiy wrote:local_err is used again in mirror_exit_common() after bdrv_set_backing_hd(), so we must zero it. Otherwise try to set non-NULL local_err will crash.OK, but wouldn’t it be better hygiene to set it to NULL every time it is freed?
If we change the signature to error_report_err(&local_err), where error_report_err both reports the error (if any) AND sets local_err to NULL, then we fix the problem for all callers. It's a global search-and-replace job (Coccinelle is great for that) to update all callers to the new signature.
(There is a second instance of error_report_err() in this function. I’m a bit worried we might introduce another local_err use after that one at some point in the future, and forget to run the cocci script then.) Are the cocci scripts run regularly by someone? E.g. as part of a pull to master?
I'm not aware of any automated procedure for it at the moment; rather, it is still ad hoc as someone notices something needs to be re-run. But there was another thread about someone considering automating Cocci scripts as part of the Euler robot...
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
[Prev in Thread] | Current Thread | [Next in Thread] |