qdev: fix use-after-free in the error path of qdev_init_nofail - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Anthony Liguori <aliguori@us.ibm.com>	2012-06-27 07:37:54 -0500
committer	Anthony Liguori <aliguori@us.ibm.com>	2012-06-27 16:26:59 -0500
commit	7de3abe505e34398cef5bddf6c4d0bd9ee47007f (patch)
tree	6c0c64a3d067116f78673ac9d13d1f2e43896657 /hw/qdev-dma.h
parent	d24b569a4162c54426ab5088637b824f54f6ac16 (diff)
download	focaccia-qemu-7de3abe505e34398cef5bddf6c4d0bd9ee47007f.tar.gz focaccia-qemu-7de3abe505e34398cef5bddf6c4d0bd9ee47007f.zip

qdev: fix use-after-free in the error path of qdev_init_nofail

From Markus:

Before:

    $ qemu-system-x86_64 -display none -drive if=ide
    qemu-system-x86_64: Device needs media, but drive is empty
    qemu-system-x86_64: Initialization of device ide-hd failed
    [Exit 1 ]

After:

    $ qemu-system-x86_64 -display none -drive if=ide
    qemu-system-x86_64: Device needs media, but drive is empty
    Segmentation fault (core dumped)
    [Exit 139 (SIGSEGV)]

This error always existed as qdev_init() frees the object.  But QOM
goes a bit further and purposefully sets the class pointer to NULL to
help find use-after-free.  It worked :-)

Cc: Andreas Faerber <afaerber@suse.de>
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Diffstat (limited to 'hw/qdev-dma.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: