Re: [Spice-devel] [PATCH] server/red_worker: fix use after free for listeners

Tue, 06 Mar 2012 06:54:50 -0800 

ACK!

On 03/06/2012 03:50 PM, Alon Levy wrote:

This fixes a core dumped observed once by repeated migration. So far 100
migrations and no recurrence.

Core was generated by `/home/alon/spice/upstream/bin/qemu-system-x86_64 
--enable-kvm -qmp unix:/tmp/mi'.
Program terminated with signal 11, Segmentation fault.
11197                   if (evt_listener&&  evt_listener->refs>  1) {
Missing separate debuginfos, use: debuginfo-install 
bluez-libs-4.98-3.fc17.x86_64 brlapi-0.5.6-4.fc17.x86_64 
bzip2-libs-1.0.6-4.fc17.x86_64 cryptopp-5.6.1-6.fc17.x86_64 
keyutils-libs-1.5.5-2.fc17.x86_64 libssh2-1.4.0-1.fc17.x86_64 
nss-softokn-freebl-3.13.1-20.fc17.x86_64 xen-libs-4.1.2-11.fc17.x86_64 
xz-libs-5.1.1-2alpha.fc17.x86_64
(gdb) bt
(gdb) l
11192           for (i = 0; i<  MAX_EVENT_SOURCES; i++) {
11193               struct pollfd *pfd = worker.poll_fds + i;
11194               if (pfd->revents) {
11195                   EventListener *evt_listener = worker.listeners[i];
11196
11197                   if (evt_listener&&  evt_listener->refs>  1) {
11198                       evt_listener->action(evt_listener, pfd);
11199                       if (--evt_listener->refs) {
11200                           continue;
11201                       }
(gdb) p evt_listener
$1 = (EventListener *) 0x7f15a9a5d1e0
(gdb) p *evt_listener
Cannot access memory at address 0x7f15a9a5d1e0
(gdb) p i
$2 = 2
(gdb) p worker.listeners
$3 = {0x7f15bc832520, 0x7f15a406e1a0, 0x7f15a9a5d1e0, 0x0<repeats 17 times>}
---
  server/red_worker.c |    3 ++-
  1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/server/red_worker.c b/server/red_worker.c
index e88dbc0..a2f31c0 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -11194,7 +11194,7 @@ void *red_worker_main(void *arg)
              if (pfd->revents) {
                  EventListener *evt_listener = worker.listeners[i];

-                if (evt_listener->refs>  1) {
+                if (evt_listener&&  evt_listener->refs>  1) {
                      evt_listener->action(evt_listener, pfd);
                      if (--evt_listener->refs) {
                          continue;
@@ -11202,6 +11202,7 @@ void *red_worker_main(void *arg)
                  }
                  red_printf("freeing event listener");
                  evt_listener->free(evt_listener);
+                worker.listeners[i] = NULL;
              }
          }


_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Reply via email to