blob: 8020ad860b4d995d9517d379f46dc603cfad3b68 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
id = 2635
title = "A use-after-free bug in pflash_cfi01 snapshot implementation"
state = "opened"
created_at = "2024-10-21T14:07:42.031Z"
closed_at = "n/a"
labels = []
url = "https://gitlab.com/qemu-project/qemu/-/issues/2635"
host-os = "- OS/kernel version:"
host-arch = "- QEMU flavor:"
qemu-version = "- QEMU command line:"
guest-os = "- OS/kernel version:"
guest-arch = "## Description of problem"
description = """The flash snapshot restore does not function correctly. Basically when you use “if=pflash,format=raw,unit=0,file=OVMF_VAR.fd", it crashes when trying to restore a snapshot.
The root cause is:
1. In system/runstate.c, function vm_state_notify loops through vm_change_state_head list and calls the callback function for each entry.
2. One of the callback function pointer points to function postload_update_cb in hw/block/pflash_cfi01.c.
3. In function postload_update_cb, it calls qemu_del_vm_change_state_handler in which the entry element memory is freed.
4. Note that, it is still running in the loop, the entry will be visited and get executed, the function pointer may point to a wide memory."""
reproduce = "n/a"
additional = """"""
|