[Spice-devel] [PATCH] server/red_worker: fix use after free for listeners

Hans de Goede hdegoede at redhat.com
Tue Mar 6 06:56:30 PST 2012


ACK!

On 03/06/2012 03:50 PM, Alon Levy wrote:
> This fixes a core dumped observed once by repeated migration. So far 100
> migrations and no recurrence.
>
> Core was generated by `/home/alon/spice/upstream/bin/qemu-system-x86_64 --enable-kvm -qmp unix:/tmp/mi'.
> Program terminated with signal 11, Segmentation fault.
> 11197	                if (evt_listener&&  evt_listener->refs>  1) {
> Missing separate debuginfos, use: debuginfo-install bluez-libs-4.98-3.fc17.x86_64 brlapi-0.5.6-4.fc17.x86_64 bzip2-libs-1.0.6-4.fc17.x86_64 cryptopp-5.6.1-6.fc17.x86_64 keyutils-libs-1.5.5-2.fc17.x86_64 libssh2-1.4.0-1.fc17.x86_64 nss-softokn-freebl-3.13.1-20.fc17.x86_64 xen-libs-4.1.2-11.fc17.x86_64 xz-libs-5.1.1-2alpha.fc17.x86_64
> (gdb) bt
> (gdb) l
> 11192	        for (i = 0; i<  MAX_EVENT_SOURCES; i++) {
> 11193	            struct pollfd *pfd = worker.poll_fds + i;
> 11194	            if (pfd->revents) {
> 11195	                EventListener *evt_listener = worker.listeners[i];
> 11196
> 11197	                if (evt_listener&&  evt_listener->refs>  1) {
> 11198	                    evt_listener->action(evt_listener, pfd);
> 11199	                    if (--evt_listener->refs) {
> 11200	                        continue;
> 11201	                    }
> (gdb) p evt_listener
> $1 = (EventListener *) 0x7f15a9a5d1e0
> (gdb) p *evt_listener
> Cannot access memory at address 0x7f15a9a5d1e0
> (gdb) p i
> $2 = 2
> (gdb) p worker.listeners
> $3 = {0x7f15bc832520, 0x7f15a406e1a0, 0x7f15a9a5d1e0, 0x0<repeats 17 times>}
> ---
>   server/red_worker.c |    3 ++-
>   1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/server/red_worker.c b/server/red_worker.c
> index e88dbc0..a2f31c0 100644
> --- a/server/red_worker.c
> +++ b/server/red_worker.c
> @@ -11194,7 +11194,7 @@ void *red_worker_main(void *arg)
>               if (pfd->revents) {
>                   EventListener *evt_listener = worker.listeners[i];
>
> -                if (evt_listener->refs>  1) {
> +                if (evt_listener&&  evt_listener->refs>  1) {
>                       evt_listener->action(evt_listener, pfd);
>                       if (--evt_listener->refs) {
>                           continue;
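Review bot: the new `evt_listener &&` guard only protects the action/decrement branch; when `evt_listener` is NULL the condition is false and control falls through, past the closing brace, to `red_printf("freeing event listener");` and `evt_listener->free(evt_listener);`, which dereferences the NULL pointer. The NULL case needs its own early exit from the loop body, e.g. `if (!evt_listener) { continue; }` before the existing check, so that a cleared slot is neither dispatched nor freed again.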
> @@ -11202,6 +11202,7 @@ void *red_worker_main(void *arg)
>                   }
>                   red_printf("freeing event listener");
>                   evt_listener->free(evt_listener);
> +                worker.listeners[i] = NULL;
>               }
>           }
>
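Review bot: the `worker.listeners[i] = NULL;` line is the part that actually removes the dangling pointer: the gdb session above shows `worker.listeners[2]` still holding `0x7f15a9a5d1e0` after that memory had been released, so the next `revents` on the same slot re-entered the freed object. Two things to check here: the matching `worker.poll_fds + i` entry is not touched in this hunk, so the fd keeps being polled and the now-empty slot keeps firing (either that is intended and the NULL slot is skipped, or the pollfd should be cleared too), and a one-line comment after the assignment saying the slot is deliberately left NULL for the guard at the top of the block would save the next reader the same debugging trip.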


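Added example, not SPICE code: a small stand-alone model of the listener loop above, written to show why the slot must be cleared after `free` and why a cleared slot then has to be skipped. The names (`Listener`, `dispatch_ready`, `run_scenario`, the `ready[]` array standing in for `pfd->revents`) are this example's own; it keeps the patch's refs-greater-than-one / decrement / release ordering and adds an explicit `continue` for the NULL slot.

```c
/* Added example (not SPICE code): a minimal model of the red_worker event loop,
 * showing that a released listener must be cleared from the slot table and that
 * a cleared slot is then skipped rather than dereferenced. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SLOTS 4

typedef struct Listener Listener;
struct Listener {
    int refs;                          /* mirrors EventListener->refs */
    int actions;                       /* times action() ran; used by the test */
    void (*action)(Listener *l);
    void (*release)(Listener *l);
};

int released_total;                    /* release() calls so far; used by the test */

static void count_action(Listener *l) { l->actions++; }
static void count_release(Listener *l) { released_total++; free(l); }

Listener *listener_new(int refs) {
    Listener *l = calloc(1, sizeof *l);
    if (!l) abort();
    l->refs = refs;
    l->action = count_action;
    l->release = count_release;
    return l;
}

/* One pass over the slot table. ready[i] stands in for pfd->revents.
 * Returns the number of listeners released during this pass. */
int dispatch_ready(Listener **slots, const int *ready, int n) {
    int released = 0;
    for (int i = 0; i < n; i++) {
        if (!ready[i]) continue;
        Listener *l = slots[i];
        if (!l) continue;              /* cleared slot: nothing to run and nothing to free */
        if (l->refs > 1) {
            l->action(l);
            if (--l->refs) continue;   /* still referenced elsewhere: keep it */
        }
        l->release(l);
        slots[i] = NULL;               /* the fix: never leave a freed pointer in the table */
        released++;
    }
    return released;
}

/* Scenario from the report: slot 2 keeps reporting ready across polls.
 * Returns 0 if every pass behaved as expected, otherwise the failing pass. */
int run_scenario(void) {
    Listener *slots[MAX_SLOTS] = {0};
    int ready[MAX_SLOTS] = {0, 0, 1, 0};   /* constructed: only slot 2 is ready */
    slots[2] = listener_new(2);
    released_total = 0;
    if (dispatch_ready(slots, ready, MAX_SLOTS) != 0 || slots[2]->refs != 1 || slots[2]->actions != 1)
        return 1;                      /* pass 1: action ran, one reference dropped */
    if (dispatch_ready(slots, ready, MAX_SLOTS) != 1 || slots[2] != NULL || released_total != 1)
        return 2;                      /* pass 2: last reference gone, listener released, slot cleared */
    if (dispatch_ready(slots, ready, MAX_SLOTS) != 0 || released_total != 1)
        return 3;                      /* pass 3: slot is NULL, so it is skipped instead of reused */
    return 0;
}

int main(void) {
    int rc = run_scenario();
    printf("%s\n", rc == 0 ? "ok" : "unexpected");
    return rc;
}
```

Without the `slots[i] = NULL` line the third pass would read `l->refs` through a pointer that `release` has already handed back to the allocator, which is exactly the `Cannot access memory` state gdb printed for `*evt_listener`.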