On 01/05/2018 11:57 AM, Eric Blake wrote:
> On 01/05/2018 07:32 AM, Murilo Opsfelder Araujo wrote:
>> The find_desc_by_name() from util/qemu-option.c relies on the .name not being
>> NULL to call strcmp(). This check becomes unsafe when the list is not
>> NULL-terminated, which is the case of nbd_runtime_opts in block/nbd.c, and
>> can
>> result in segmentation fault when strcmp() tries to access an invalid memory:
>
> Thanks for the report and patch. Adding qemu-stable in cc.
>
>>
>> This patch fixes the segmentation fault in strcmp() by adding a NULL element
>> at
>> the end of nbd_runtime_opts.desc list, which is the common practice to most
>> of
>> other structs like runtime_opts in block/null.c. Thus, the desc[i].name !=
>> NULL
>> check becomes safe because it will not evaluate to true when .desc list
>> reached
>> its end.
>>
>> Reported-by: R. Nageswara Sastry <nasas...@in.ibm.com>
>> Buglink: https://bugs.launchpad.net/qemu/+bug/1727259
>> Signed-off-by: Murilo Opsfelder Araujo <muri...@linux.vnet.ibm.com>
>
> I'll update the commit message to add in the commit id that introduced
> the problem, as well as check that other QemuOptsList do not have a
> similar problem; I'm queueing this on the NBD tree and will submit a
> pull request soon.
>
> Reviewed-by: Eric Blake <ebl...@redhat.com>
Hi, Eric.
A quick look brought my attention to:
block/ssh.c
530:static QemuOptsList ssh_runtime_opts = {
I've sent a patch to fix it too.
Thanks.
--
Murilo
