[Qemu-devel] [PULL v2 27/59] aio-win32: avoid out-of-bounds access to th
From: Stefan Hajnoczi
Subject: [Qemu-devel] [PULL v2 27/59] aio-win32: avoid out-of-bounds access to the events array
Date: Mon, 22 Sep 2014 12:41:58 +0100
From: Paolo Bonzini <address@hidden>
If ret is WAIT_TIMEOUT and there was an event returned by select(),
we can write to a location after the end of the array. But in
that case we can retry the WaitForMultipleObjects call with the
same set of events, so just move the event[ret - WAIT_OBJECT_0]
assignment inside the existing conditional.
Reported-by: TeLeMan <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Reviewed-by: TeLeMan <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
aio-win32.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/aio-win32.c b/aio-win32.c
index 7daeae1..d81313b 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -335,6 +335,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
event = NULL;
if ((DWORD) (ret - WAIT_OBJECT_0) < count) {
event = events[ret - WAIT_OBJECT_0];
+ events[ret - WAIT_OBJECT_0] = events[--count];
} else if (!have_select_revents) {
break;
}
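Review bot: The new `events[ret - WAIT_OBJECT_0] = events[--count];` line inside the bounds-checked branch carries no comment, and the one that explained it ("Try again, but only call each handler once.") is deleted further down rather than moved. Suggest carrying that comment over to this line, and noting that the store has to stay after the `event = events[ret - WAIT_OBJECT_0]` read because it overwrites the slot just read.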
@@ -343,9 +344,6 @@ bool aio_poll(AioContext *ctx, bool blocking)
blocking = false;
progress |= aio_dispatch_handlers(ctx, event);
-
- /* Try again, but only call each handler once. */
- events[ret - WAIT_OBJECT_0] = events[--count];
}
progress |= timerlistgroup_run_timers(&ctx->tlg);
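Review bot: After this removal the WAIT_TIMEOUT path reaches `aio_dispatch_handlers(ctx, event)` with `event` still NULL and `count` unchanged, and nothing in the lines shown clears `have_select_revents`. Please confirm it is reset before the loop repeats, so that a second out-of-range `ret` hits the `else if (!have_select_revents)` break, and consider a short comment at the call saying a NULL event is expected there.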
--
1.9.3
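The failure described in the commit message, as an added portable model that is not part of the patch or of QEMU: it replays scripted wait results through the removal step with the assignment in its old and new position, and counts the out-of-range store instead of executing it. `replay`, `struct outcome` and `MAX_EVENTS` are hypothetical names; the per-pass reset of `have_select_revents` and the `count > 0` loop guard are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Windows SDK values, redefined here so the model builds on any platform. */
#define WAIT_OBJECT_0 0u
#define WAIT_TIMEOUT  258u
#define MAX_EVENTS    8u

struct outcome {
    unsigned dispatched;  /* handles taken from events[] */
    unsigned oob_writes;  /* stores that would land outside events[0..count) */
    unsigned count;       /* live entries left in events[] */
};

/* Replay scripted wait results (constructed input) through the loop.
 * patched=false keeps the removal after dispatch, as before the change.
 * Resetting have_select_revents each pass is an assumption of this model. */
struct outcome replay(const unsigned *rets, size_t n, unsigned count,
                      bool have_select_revents, bool patched)
{
    int events[MAX_EVENTS] = {0};
    struct outcome o = {0, 0, 0};

    if (count > MAX_EVENTS) count = MAX_EVENTS;
    for (size_t i = 0; i < n && count > 0; i++) {
        /* Unsigned subtraction: WAIT_TIMEOUT becomes a large index that
         * fails the "< count" test. */
        unsigned idx = rets[i] - WAIT_OBJECT_0;
        bool in_range = idx < count;

        if (in_range) {
            o.dispatched++;
            if (patched) {
                events[idx] = events[--count];   /* swap-remove, guarded */
            }
        } else if (!have_select_revents) {
            break;
        }
        have_select_revents = false;

        if (!patched) {                          /* unconditional removal */
            --count;
            if (in_range) {
                events[idx] = events[count];
            } else {
                o.oob_writes++;                  /* recorded, never executed */
            }
        }
    }
    o.count = count;
    return o;
}
```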