On 01/05/2018 11:57 AM, Eric Blake wrote:
> On 01/05/2018 07:32 AM, Murilo Opsfelder Araujo wrote:
>> The find_desc_by_name() from util/qemu-option.c relies on the .name not being
>> NULL to call strcmp(). This check becomes unsafe when the list is not
>> NULL-terminated, which is the case of nbd_runtime_opts in block/nbd.c, and can
>> result in a segmentation fault when strcmp() tries to access invalid memory:
>
> Thanks for the report and patch. Adding qemu-stable in cc.
>
>> This patch fixes the segmentation fault in strcmp() by adding a NULL element at
>> the end of the nbd_runtime_opts.desc list, which is the common practice in most
>> other structs like runtime_opts in block/null.c. Thus, the desc[i].name != NULL
>> check becomes safe because it will not evaluate to true when the .desc list has
>> reached its end.
>>
>> Reported-by: R. Nageswara Sastry <nasas...@in.ibm.com>
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
>> Signed-off-by: Murilo Opsfelder Araujo <muri...@linux.vnet.ibm.com>
>
> I'll update the commit message to add in the commit id that introduced
> the problem, as well as check that other QemuOptsList do not have a
> similar problem; I'm queueing this on the NBD tree and will submit a
> pull request soon.
>
> Reviewed-by: Eric Blake <ebl...@redhat.com>
Hi, Eric.

A quick look brought my attention to:

block/ssh.c
530:static QemuOptsList ssh_runtime_opts = {

I've sent a patch to fix it too.

Thanks.

--
Murilo
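To make the failure mode discussed in this thread concrete, here is an added, self-contained C example; it is not QEMU's code and the option names are constructed, not the real nbd_runtime_opts or ssh_runtime_opts entries. It models a desc list with a lookup loop of the same shape as find_desc_by_name() (walk until .name is NULL), and pairs it with a small test-time check that confirms the terminator is present before such a loop is ever trusted. The struct and function names (OptDesc, find_desc_by_name, desc_list_is_terminated) are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a QemuOptDesc entry (assumption: only the fields
 * this example needs). A .name of NULL marks the end of a desc list. */
typedef struct OptDesc {
    const char *name;
    const char *help;
} OptDesc;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Lookup loop in the same shape as the one described in the thread: it keeps
 * reading desc[i] until it meets a NULL name. If the caller's array has no
 * terminator, the loop reads past the end and strcmp() dereferences garbage. */
static const OptDesc *find_desc_by_name(const OptDesc *desc, const char *name)
{
    for (size_t i = 0; desc[i].name != NULL; i++) {
        if (strcmp(desc[i].name, name) == 0) {
            return &desc[i];
        }
    }
    return NULL;
}

/* Defensive check for unit tests or static tables: given the array and its
 * element count (known at the definition site via ARRAY_SIZE), confirm that the
 * last slot really is the terminator. Unlike the lookup loop, this never reads
 * beyond the array, so it is safe to run on a list that is *not* terminated. */
static bool desc_list_is_terminated(const OptDesc *desc, size_t count)
{
    return count > 0 && desc[count - 1].name == NULL;
}

/* Constructed, correctly terminated list (the pattern the fix applies). */
static const OptDesc terminated_opts[] = {
    { .name = "host", .help = "constructed example option" },
    { .name = "port", .help = "constructed example option" },
    { .name = NULL },   /* end of list */
};

/* Constructed list with the defect from the report: no terminating element.
 * It is only ever passed to desc_list_is_terminated(), never to the lookup. */
static const OptDesc unterminated_opts[] = {
    { .name = "host", .help = "constructed example option" },
    { .name = "port", .help = "constructed example option" },
};

/* Index of `name` in the terminated list, or -1 if absent. */
static int lookup_index(const char *name)
{
    const OptDesc *d = find_desc_by_name(terminated_opts, name);
    return d ? (int)(d - terminated_opts) : -1;
}

static bool terminated_list_ok(void)
{
    return desc_list_is_terminated(terminated_opts, ARRAY_SIZE(terminated_opts));
}

static bool unterminated_list_ok(void)
{
    return desc_list_is_terminated(unterminated_opts, ARRAY_SIZE(unterminated_opts));
}

int main(void)
{
    printf("terminated list has terminator: %s\n", terminated_list_ok() ? "yes" : "no");
    printf("unterminated list has terminator: %s\n", unterminated_list_ok() ? "yes" : "no");
    printf("index of \"port\": %d\n", lookup_index("port"));
    printf("index of \"missing\": %d\n", lookup_index("missing"));
    return 0;
}
```

The point of desc_list_is_terminated() is that it uses the array's compile-time size rather than the sentinel, so a check like it can be run over every static options table as a regression test and flag a missing terminator without ever triggering the out-of-bounds read that the lookup loop would.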