Hi all,
I find a potential Use-after-free in QEMU 6.2.0, which is in
test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).
Specifically, at line 880, the variable 'scr' is released by the bdrv_unref().
However, at line 881, it is subsequently used as the 1st parameter of the
function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.
880 bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);
I believe that the problem can be fixed by invoking bdrv_unref() after the call
of bdrv_set_backing_hd() rather than before it.
--- bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);
+++bdrv_unref(src);
I'm looking forward to your confirmation.
Best,
Wentao
--- ./tests/unit/test-bdrv-drain.c 2022-02-23 15:06:32.384786070 +0800
+++ ./tests/unit/test-bdrv-drain-PATCH.c 2022-02-23 21:16:43.444928992 +0800
@@ -877,8 +877,8 @@
BDRV_O_RDWR, &error_abort);
bdrv_set_backing_hd(src_overlay, src, &error_abort);
- bdrv_unref(src);
bdrv_set_backing_hd(src, src_backing, &error_abort);
+ bdrv_unref(src);
bdrv_unref(src_backing);
blk_src = blk_new(qemu_get_aio_context(), BLK_PERM_ALL, BLK_PERM_ALL);
