| author | Max Reitz <mreitz@redhat.com> | 2017-04-03 19:51:49 +0200 |
|---|---|---|
| committer | Kevin Wolf <kwolf@redhat.com> | 2017-04-07 14:44:05 +0200 |
| commit | 7a25fcd056ddd34ee7abc906c957d252e2889461 (patch) | |
| tree | fe920473168525c8bcb464025ddb665dfbe83189 /qemu-img-cmds.hx | |
| parent | 0d0676a1040d34339731a4e26a9b39b78c8a1fdf (diff) | |
block/mirror: Fix use-after-free

If @bs does not have any parents, the only reference to @mirror_top_bs
will be held by the BlockJob object after the bdrv_unref() following
block_job_create(). However, if block_job_create() fails, this reference
will not exist and @mirror_top_bs will have been deleted when we
goto fail.

The issue comes back at all later entries to the fail label: We delete
the BlockJob object before rolling back our changes to the node graph.
This means that we will delete @mirror_top_bs in the process.

All in all, whenever @bs does not have any parents and we go down the
fail path we will dereference @mirror_top_bs after it has been deleted.

Fix this by invoking bdrv_unref() only when block_job_create() was
successful and by bdrv_ref()'ing @mirror_top_bs in the fail path before
deleting the BlockJob object. Finally, bdrv_unref() it at the end of the
fail path after we actually no longer need it.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
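A toy C model of the ownership sequence the commit message describes, added here as an illustration and not QEMU's own code: `Node` and `Job` are stand-ins for BlockDriverState and BlockJob, `job_create()` takes its own reference on success the way block_job_create() is described to, and the fail path reports whether the node had already been freed when the graph rollback would run. Taking the extra reference only when a job exists is a modelling choice so the count returns to zero in both failure cases.

```c
/* Reference-counting model of the mirror_top_bs bug and its fix.
 * Illustration only; the names follow the commit message, not QEMU's API. */
#include <stdbool.h>
#include <stdlib.h>

typedef struct Node { int refcnt; bool *freed; } Node;  /* ~ BlockDriverState */
typedef struct Job  { Node *top; } Job;                 /* ~ BlockJob */

static Node *node_new(bool *freed) {
    Node *n = calloc(1, sizeof *n);
    n->refcnt = 1;                 /* creation reference, like bdrv_new() */
    n->freed = freed;              /* caller-owned flag, survives free(n) */
    return n;
}
static void node_ref(Node *n) { n->refcnt++; }
static void node_unref(Node *n) {
    if (--n->refcnt == 0) { *n->freed = true; free(n); }
}
/* Stand-in for block_job_create(): on success the job owns one reference. */
static Job *job_create(Node *top, bool fail) {
    if (fail) return NULL;
    Job *j = calloc(1, sizeof *j);
    node_ref(top);
    j->top = top;
    return j;
}
static void job_delete(Job *j) { if (j) { node_unref(j->top); free(j); } }

/* Runs the fail path with the pre-commit (fixed=false) or post-commit
 * ordering. Returns 0 if the node stays alive until rollback is done and
 * is then released, -1 if rollback would touch freed memory (the bug),
 * 1 if the node is leaked. create_fails models block_job_create() failing;
 * otherwise a later step is assumed to fail after a successful create. */
static int mirror_start_model(bool fixed, bool create_fails) {
    bool freed = false;
    Node *mirror_top_bs = node_new(&freed);     /* @bs has no parents: sole ref */
    Job *job = job_create(mirror_top_bs, create_fails);
    if (!fixed) node_unref(mirror_top_bs);      /* old: drop ours unconditionally */
    if (fixed && job) node_unref(mirror_top_bs); /* new: only once the job holds one */
    /* --- fail label: either creation failed or a later step did --- */
    if (fixed && job) node_ref(mirror_top_bs);  /* keep it alive across job deletion */
    job_delete(job);                            /* drops the job's reference */
    if (freed) return -1;                       /* rollback would use a deleted node */
    node_unref(mirror_top_bs);                  /* new: release it at the very end */
    return freed ? 0 : 1;
}
```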
Diffstat (limited to 'qemu-img-cmds.hx')
0 files changed, 0 insertions, 0 deletions