Re: Segfault in hw/scsi/scsi-disk.c caused by null pointer

From: Paolo Bonzini
Subject: Re: Segfault in hw/scsi/scsi-disk.c caused by null pointer
Date: Fri, 12 Aug 2022 17:11:52 +0200
On 8/12/22 16:50, Peter Maydell wrote:
As I said previously, this is still absolutely wrong.
If we ever get to this function with either of these
fields being NULL then there has been a serious problem,
probably a memory corruption or use-after-free, or
possibly an attempt to use a partially constructed object.

Yeah, this would still be a use-after-free.  s->version is never
written (see for example release_string in hw/core/qdev-properties.c)
so it means that the storage for "s" has been reused.

The bug has been fixed in version 5.2 of QEMU with the following commit:

7a8202c521 scsi/scsi_bus: switch search direction in scsi_device_find
7bed89958b device_core: use drain_call_rcu in in qmp_device_add
2d24a64661 device-core: use RCU for list of children of a bus
42a90a899e scsi: switch to bus->check_address
a23151e8cc device-core: use atomic_set on .realized property
8ddf958e8d scsi/scsi-bus: scsi_device_find: don't return unrealized devices
8ff3449560 scsi/scsi_bus: Add scsi_device_get
07a47d4a18 virtio-scsi: use scsi_device_get
8cfe8013ba scsi/scsi_bus: fix races in REPORT LUNS

Feel free to pass this information to Canonical so that they can fix
their old version of QEMU.


