When doing a full block pull job (base == NULL) and the config XML
contains a compatible disk, the completer function would leave a
dangling pointer in 'cfgdisk->src->backingStore' as cfgdisk->src would
be set to the value of 'cfgbase' which was always set to
'cfgdisk->src->backingStore'.
This is wrong though since for the live definition XML we set the
respective counterpart to 'job->data.pull.base' which is NULL in the
above scenario.
This leads to an invalid pointer read when saving the config XML and may
end up in a crash.
Resolve it by setting 'cfgbase' only when 'job->data.pull.base' is
non-NULL.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1946918
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
if (!job->disk)
return;
- if ((cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
- cfgbase = cfgdisk->src->backingStore;
-
- if (!cfgdisk)
+ if (!(cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
qemuBlockJobClearConfigChain(vm, job->disk);
qemuBlockJobProcessEventCompletedPullBitmaps(vm, job, asyncJob);
return;
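Review bot: With the unconditional `cfgbase = cfgdisk->src->backingStore;` removed from this hunk, `cfgbase` is now only ever assigned further down under `if (job->data.pull.base)`, so for a full pull (base == NULL) it keeps whatever value it had at declaration; that declaration is outside the hunk, so please confirm `cfgbase` is initialised to NULL there, otherwise the fix trades a dangling pointer for an uninitialised one. The collapsed `if (!(cfgdisk = qemuBlockJobGetConfigDisk(...)))` is fine as the lookup has a single caller here, but note that execution continues after `qemuBlockJobClearConfigChain(vm, job->disk);` with `cfgdisk == NULL`, so every later use of `cfgdisk` in this function must stay NULL-guarded.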
if (job->data.pull.base) {
+ if (cfgdisk)
+ cfgbase = cfgdisk->src->backingStore;
for (n = job->disk->src->backingStore; n && n != job->data.pull.base; n = n->backingStore) {
/* find the image on top of 'base' */
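Review bot: The new `if (cfgdisk) cfgbase = cfgdisk->src->backingStore;` is placed correctly inside `if (job->data.pull.base)`, which keeps the config chain in step with the live chain (where the counterpart is `job->data.pull.base` and is NULL for a full pull), and the `if (cfgdisk)` guard is needed because the NULL case falls through from the `qemuBlockJobClearConfigChain()` branch above. The reason `cfgbase` is deliberately left NULL for a full pull currently lives only in the commit message; a one-line comment above the assignment (e.g. `/* for a full pull (base == NULL) cfgbase stays NULL to mirror the live chain */`) would stop a future cleanup from hoisting it back out of the conditional and reintroducing the dangling `backingStore` pointer.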