Hi

On Mon, Oct 3, 2016 at 1:57 PM Paolo Bonzini <pbonz...@redhat.com> wrote:
>
> On 03/10/2016 11:47, Marc-André Lureau wrote:
> > Hi,
> >
> > When qemu with muxed monitor quits, it leads to invalid use after free:
> >
> > valgrind qemu -chardev stdio,mux=on,id=char0 -mon chardev=char0,mode=control,default
> >
> > ==4306== Invalid read of size 8
> > ==4306==    at 0x8061D3: json_lexer_destroy (json-lexer.c:385)
> > ==4306==    by 0x7E39F8: json_message_parser_destroy (json-streamer.c:134)
> > ==4306==    by 0x3447F6: monitor_qmp_event (monitor.c:3908)
> > ==4306==    by 0x480153: mux_chr_send_event (qemu-char.c:630)
> > ==4306==    by 0x480694: mux_chr_event (qemu-char.c:734)
> > ==4306==    by 0x47F1E9: qemu_chr_be_event (qemu-char.c:205)
> > ==4306==    by 0x481207: fd_chr_close (qemu-char.c:1114)
> > ==4306==    by 0x481659: qemu_chr_close_stdio (qemu-char.c:1221)
> > ==4306==    by 0x486F07: qemu_chr_free (qemu-char.c:4146)
> > ==4306==    by 0x486F97: qemu_chr_delete (qemu-char.c:4154)
> > ==4306==    by 0x487E66: qemu_chr_cleanup (qemu-char.c:4678)
> > ==4306==    by 0x495A98: main (vl.c:4675)
> > ==4306==  Address 0x28439e90 is 112 bytes inside a block of size 240 free'd
> > ==4306==    at 0x4C2CD5A: free (vg_replace_malloc.c:530)
> > ==4306==    by 0x1E4CBF2D: g_free (in /usr/lib64/libglib-2.0.so.0.4800.2)
> > ==4306==    by 0x344DE9: monitor_cleanup (monitor.c:4058)
> > ==4306==    by 0x495A93: main (vl.c:4674)
> > ==4306==  Block was alloc'd at
> > ==4306==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
> > ==4306==    by 0x1E4CBE18: g_malloc (in /usr/lib64/libglib-2.0.so.0.4800.2)
> > ==4306==    by 0x344BF8: monitor_init (monitor.c:4021)
> > ==4306==    by 0x49063C: mon_init_func (vl.c:2417)
> > ==4306==    by 0x7FC6DE: qemu_opts_foreach (qemu-option.c:1116)
> > ==4306==    by 0x4954E0: main (vl.c:4473)
> > ...
> >
> > The following two patches fix this by unregistering the muxed chr handlers.
>
> If I read the code right, patch 1 without patch 2 can cause the mux_cnt
> to overflow the size of the d->chr_* arrays. Ok to invert the order?
Makes sense, thanks

-- 
Marc-André Lureau
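Added illustration of the teardown order in the trace above (model code written for this thread, not QEMU's qemu-char.c or monitor.c): the mux keeps one handler slot per attached front end, monitor_cleanup() frees the monitor, and the later chardev close dispatches CHR_EVENT_CLOSED to the stale slot; unregistering the handlers before the free, as the patches do, leaves nothing to dispatch to. The names MuxChardev, Monitor, mux_add_handlers, mux_remove_handlers and shutdown_mux are assumed and simplified; the bounds check in mux_add_handlers models the mux_cnt limit Paolo raises.

```c
#include <stdlib.h>
#define MAX_MUX 4                           /* size of the d->chr_* arrays (assumed) */
enum { CHR_EVENT_CLOSED = 1 };
typedef void (*EventHandler)(void *opaque, int event);
/* Model of a muxed chardev: one handler slot per attached front end. */
typedef struct { EventHandler event[MAX_MUX]; void *opaque[MAX_MUX]; int mux_cnt; } MuxChardev;
/* Model of the front end (the QMP monitor in the trace). */
typedef struct { int events_seen; } Monitor;
/* monitor_qmp_event() stand-in: dereferences the Monitor, so it must be alive. */
static void monitor_event(void *o, int e) { ((Monitor *)o)->events_seen += e; }
/* Attach a front end; -1 when every slot is taken, so mux_cnt never exceeds MAX_MUX. */
static int mux_add_handlers(MuxChardev *d, EventHandler h, void *opaque)
{
    if (d->mux_cnt >= MAX_MUX) return -1;
    d->event[d->mux_cnt] = h;
    d->opaque[d->mux_cnt] = opaque;
    return d->mux_cnt++;
}
/* Detach a front end so no slot references its opaque pointer any more. */
static void mux_remove_handlers(MuxChardev *d, void *opaque)
{
    for (int i = 0; i < d->mux_cnt; i++) {
        if (d->opaque[i] != opaque) continue;
        d->mux_cnt--;                       /* move the last slot into the hole */
        d->event[i] = d->event[d->mux_cnt];
        d->opaque[i] = d->opaque[d->mux_cnt];
        return;
    }
}
/* mux_chr_send_event() stand-in: deliver to every slot; returns handlers invoked. */
static int mux_send_event(MuxChardev *d, int event)
{
    for (int i = 0; i < d->mux_cnt; i++) d->event[i](d->opaque[i], event);
    return d->mux_cnt;
}
/* Teardown in the trace's order: free the monitor, then close the chardev.
 * detach_first applies the fix. Returns the handler count the close event
 * reached (0 after the fix); if a slot still points at freed memory, returns
 * that stale count without sending, since that send is the reported UAF. */
static int shutdown_mux(MuxChardev *chr, int detach_first)
{
    Monitor *mon = calloc(1, sizeof(*mon));
    mux_add_handlers(chr, monitor_event, mon);
    if (detach_first) mux_remove_handlers(chr, mon);
    free(mon);                                    /* monitor_cleanup() */
    if (chr->mux_cnt) return chr->mux_cnt;        /* dangling slot: 1 */
    return mux_send_event(chr, CHR_EVENT_CLOSED); /* fd_chr_close(): 0 */
}
```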