block: Fix use after free error in bdrv_open_inherit()

When a block device is opened with BDRV_O_SNAPSHOT and the bdrv_append_temp_snapshot() call fails then the error code path tries to unref the already destroyed 'options' QDict. This can be reproduced easily by setting TMPDIR to a location where the QEMU process can't write: $ TMPDIR=/nonexistent $QEMU -drive driver=null-co,snapshot=on Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
author: Alberto Garcia <berto@igalia.com> 2018-09-06 17:25:41 +0300
committer: Kevin Wolf <kwolf@redhat.com> 2018-09-25 15:50:15 +0200
commit: 8961be33e8ca7e809c603223803ea66ef7ea5be7 (patch)
tree: c665ac454c2a88464e16d06c67976636fbdc983c /block.c
parent: e091f0e905a4481f347913420f327d427f18d9d4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/block.c b/block.c
index 0dbb1fcc7b..a381c8ece8 100644
--- a/block.c
+++ b/block.c
@@ -2792,6 +2792,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
     bdrv_parent_cb_change_media(bs, true);
 
     qobject_unref(options);
+    options = NULL;
 
     /* For snapshot=on, create a temporary qcow2 overlay. bs points to the
      * temporary snapshot afterwards. */
author	Alberto Garcia <berto@igalia.com>	2018-09-06 17:25:41 +0300
committer	Kevin Wolf <kwolf@redhat.com>	2018-09-25 15:50:15 +0200
commit	8961be33e8ca7e809c603223803ea66ef7ea5be7 (patch)
tree	c665ac454c2a88464e16d06c67976636fbdc983c /block.c
parent	e091f0e905a4481f347913420f327d427f18d9d4 (diff)