The following theoretical possibility of a NULL dereference has been in the code since April 1 (commit 6e41f30efcac08e50b21d9c943d6d27e90555951). It's theoretical, because if that vm = NULL statement is ever executed, the very next one, calling virDomainObjUnlock would dereference that now-NULL "vm". Hence, I think we can conclude the vm = NULL statement is effectively dead code. That conclusion is in line with the "should" in the preceding comment. At first, it seemed like it would deserve an sa_assert. But without the assert, "n_refs" would be unused, (so this first patch is solely FYI -- not proposed) I solved it differently in the 2nd patch. >From 524aec3ebed613f86b64584d2f461f4a18d2e618 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@xxxxxxxxxx> Date: Mon, 17 May 2010 12:10:52 +0200 Subject: [PATCH] qemu_driver: avoid NULL dereference * src/qemu/qemu_driver.c (qemudDomainStart): Rather than trying to handle a "can't happen" case, simply sa_assert that it won't happen. --- src/qemu/qemu_driver.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 8f69b5a..819ea17 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6489,8 +6489,9 @@ static int qemudDomainStart(virDomainPtr dom) { * We should still have a reference left to vm but * one should check for 0 anyway */ - if (qemuDomainObjEndJob(vm) == 0) - vm = NULL; + int n_refs = qemuDomainObjEndJob(vm); + sa_assert (n_refs); + virDomainObjUnlock(vm); qemuDriverUnlock(driver); ret = qemudDomainRestore(dom->conn, managed_save); -- 1.7.1.250.g7d1e8 >From f88969b986a1c88985671c9d6fa9cb1dc449ed74 Mon Sep 17 00:00:00 2001 
From: Jim Meyering <meyering@xxxxxxxxxx> Date: Mon, 17 May 2010 12:10:52 +0200 Subject: [PATCH] qemu_driver: avoid NULL dereference * src/qemu/qemu_driver.c (qemudDomainStart): After setting vm to NULL, goto cleanup, rather than dereferencing the NULL pointer. --- src/qemu/qemu_driver.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 8f69b5a..3559e36 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6489,8 +6489,11 @@ static int qemudDomainStart(virDomainPtr dom) { * We should still have a reference left to vm but * one should check for 0 anyway */ - if (qemuDomainObjEndJob(vm) == 0) + if (qemuDomainObjEndJob(vm) = 0) { vm = NULL; + goto cleanup; + } + virDomainObjUnlock(vm); qemuDriverUnlock(driver); ret = qemudDomainRestore(dom->conn, managed_save); -- 1.7.1.250.g7d1e8 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
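Review bot: In the first patch's hunk, the comment left in place directly above the change ("one should check for 0 anyway") now contradicts the code, which asserts that the count is nonzero rather than checking it; either drop or reword that comment in the same hunk. As the cover note itself admits, without a live assert `n_refs` is set but never read, so `int n_refs = qemuDomainObjEndJob(vm);` followed by `sa_assert (n_refs);` is likely to draw an unused-variable warning in builds where sa_assert expands to nothing; the mid-block declaration is also worth a look against the file's prevailing style.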
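Review bot: In the second patch's hunk the new condition reads `if (qemuDomainObjEndJob(vm) = 0) {`, a single `=` where the removed line had `== 0`; as written that assigns to a function's return value, which will not compile, so it must be `== 0` before this can go in. Separately, the added `goto cleanup` jumps over the `qemuDriverUnlock(driver);` that the normal path still executes; please confirm that the `cleanup` label releases the driver lock (and skips `virDomainObjUnlock` when `vm` is NULL), otherwise this new path leaks the driver lock.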