|
From: | Paolo Bonzini |
Subject: | Re: [Qemu-devel] [PATCH 1.0] qiov: prevent double free or use-after-free |
Date: | Fri, 25 Nov 2011 12:55:21 +0100 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110930 Thunderbird/7.0.1 |
On 11/25/2011 12:56 PM, Kevin Wolf wrote:
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data > could thus be used after free or freed again. While I do not know any > example in the tree, I observed this using virtio-scsi (and SCSI > scatter/gather) when canceling DMA requests. > > Signed-off-by: Paolo Bonzini<address@hidden>This isn't a bug fix for itself, it just makes bugs in other code more visible, right? It probably makes sense to do this change, but I'm not sure about doing it for 1.0.
It is a fix. NULLing the pointer prevents double-free bugs, and setting niov/nalloc to 0 should prevent use-after-free.
Paolo
[Prev in Thread] | Current Thread | [Next in Thread] |