Commit-ID: a03b5cb64b9f09803204014f3189869f0f72969d
Gitweb: http://git.kernel.org/tip/a03b5cb64b9f09803204014f3189869f0f72969d
Author: Pekka Enberg <penberg@xxxxxxxxxx>
AuthorDate: Sat, 4 Feb 2012 10:30:42 +0200
Committer: Pekka Enberg <penberg@xxxxxxxxxx>
CommitDate: Sat, 4 Feb 2012 10:30:42 +0200
kvm tools, x86: Fix use after free in irq__exit()
Valgrind spotted this issue with KVM tool shutdown:
==1823== Invalid read of size 8
==1823== at 0x410DD0: rb_next (rbtree.c:390)
==1823== by 0x417376: irq__exit (irq.c:182)
==1823== by 0x406230: kvm_cmd_run (builtin-run.c:1275)
==1823== by 0x410670: handle_command (kvm-cmd.c:84)
==1823== by 0x3DE682139C: (below main) (in /lib64/libc-2.14.so)
==1823== Address 0x4f7cca0 is 0 bytes inside a block of size 48 free'd
==1823== at 0x4A055FE: free (vg_replace_malloc.c:366)
==1823== by 0x41736E: irq__exit (irq.c:192)
==1823== by 0x406230: kvm_cmd_run (builtin-run.c:1275)
==1823== by 0x410670: handle_command (kvm-cmd.c:84)
==1823== by 0x3DE682139C: (below main) (in /lib64/libc-2.14.so)
Fix it up.
Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxx>
---
 tools/kvm/x86/irq.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/tools/kvm/x86/irq.c b/tools/kvm/x86/irq.c
index 1d8ae2b..dc07f28 100644
--- a/tools/kvm/x86/irq.c
+++ b/tools/kvm/x86/irq.c
@@ -179,17 +179,25 @@ int irq__exit(struct kvm *kvm)
 free(irq_routing);
- for (ent = rb_first(&pci_tree); ent; ent = rb_next(ent)) {
+ ent = rb_first(&pci_tree);
+ for (;;) {
 struct pci_dev *dev;
+ struct rb_node *next;
 struct irq_line *line;
 struct list_head *node, *tmp;
+ if (!ent)
+ break;
+
+ next = rb_next(ent);
+
 dev = rb_entry(ent, struct pci_dev, node);
 list_for_each_safe(node, tmp, &dev->lines) {
 line = list_entry(node, struct irq_line, node);
 free(line);
 }
 free(dev);
+ ent = next;
 }
 return 0;
--
To unsubscribe from this list: send the line "unsubscribe linux-tip-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
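Review bot: The loop frees every pci_dev while pci_tree still links to them, so after irq__exit() the tree root is left dangling and any later walk of pci_tree would be the same use-after-free one level up. Unlinking each node before freeing it closes that gap at the cost of one line ahead of `free(dev);`: `rb_erase(ent, &pci_tree);` (the saved `next` should remain valid, since rb_erase only relinks the nodes still in the tree). With the node unlinked the loop could also take the usual safe-iteration shape, `for (ent = rb_first(&pci_tree); ent; ent = next)` with `next = rb_next(ent);` as the first statement of the body, which reads more directly than `for (;;)` plus the `if (!ent) break;` guard. irq__exit() begins before this hunk, and whether pci_tree is file-scope or reset elsewhere after shutdown is not visible from here.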