On Mon, Mar 17, 2025 at 12:28:50PM +0100, Michal Privoznik via Devel wrote:
So far, we only process NIC_RX_FILTER_CHANGED event when the corresponding device has 'trustGuestRxFilters' enabled. And the event is emitted only for virtio model. IOW, this is a fairly limited situation and other scenarios don't emit any event (e.g. change of MAC address on a PCI passthrough device). Resolves: https://issues.redhat.com/browse/RHEL-7035 Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/qemu/qemu_domain.c | 16 +++++++++++++++- src/qemu/qemu_domain.h | 3 ++- src/qemu/qemu_driver.c | 9 ++++++--- src/qemu/qemu_process.c | 2 +- 4 files changed, 24 insertions(+), 6 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 47ae59d408..9dc0a03849 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11018,7 +11018,8 @@ syncNicRxFilterMulticast(char *ifname, int qemuDomainSyncRxFilter(virDomainObj *vm, virDomainNetDef *def, - virDomainAsyncJob asyncJob) + virDomainAsyncJob asyncJob, + virObjectEvent **event) { qemuDomainObjPrivate *priv = vm->privateData; g_autoptr(virNetDevRxFilter) guestFilter = NULL; @@ -11085,6 +11086,19 @@ qemuDomainSyncRxFilter(virDomainObj *vm, } else { VIR_FREE(def->guestAddress);
If the MAC address changed *to* the same one that is configured this is freed, but oldMAC still points to it.
} + + if (event) { + char oldMAC[VIR_MAC_STRING_BUFLEN] = { 0 }; + char newMAC[VIR_MAC_STRING_BUFLEN] = { 0 }; + + virMacAddrFormat(&def->mac, oldMAC);
And then in such a case this is a use after free.
+ virMacAddrFormat(&guestFilter->mac, newMAC); + + *event = virDomainEventNICMACChangeNewFromObj(vm, + def->info.alias, + oldMAC, + newMAC); + } } return 0;
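Review bot: the new `virObjectEvent **event` out-parameter added to `qemuDomainSyncRxFilter()` in the first hunk (@@ -11018) has no comment describing its contract. Since the second hunk only fills it under `if (event)`, document that NULL is accepted, that `*event` is written whenever the pointer is non-NULL, and that the caller takes ownership of the event returned by `virDomainEventNICMACChangeNewFromObj()` and is responsible for queuing it.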
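Review bot: in the second hunk (@@ -11085) the `if (event)` block emits a MAC-change event unconditionally, and `oldMAC` is formatted from `def->mac`, i.e. the configured address, not from the address the guest was using before this sync. When the guest's filter MAC equals the configured one (the `else` branch that does `VIR_FREE(def->guestAddress)` just above), `oldMAC` and `newMAC` are identical and the caller receives an event that reports no change; the same happens on any sync where nothing changed at all. Consider capturing the previous effective address (the old `def->guestAddress` when set, otherwise `def->mac`) before it is updated or freed, comparing it with `guestFilter->mac`, and only creating the event when they differ.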