From: Philippe Mathieu-Daudé <philmd@redhat.com>
Date: Sat, 21 Mar 2020 12:06:54 +0000 (+0100)
Subject: tools/virtiofsd/passthrough_ll: Fix double close()
X-Git-Tag: qemu-xen-4.14.0~50^2~4
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e1cd92d95cd4f97b3464c4e08cd5b22bf5ca05cb;p=qemu-xen.git

tools/virtiofsd/passthrough_ll: Fix double close()

On success, the fdopendir() call closes fd. Later on the error
path we try to close an already-closed fd. This can lead to
use-after-free. Fix by only closing the fd if the fdopendir()
call failed.

Cc: qemu-stable@nongnu.org
Fixes: b39bce121b (add dirp_map to hide lo_dirp pointers)
Reported-by: Coverity (CID 1421933 USE_AFTER_FREE)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200321120654.7985-1-philmd@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 4f259aac70..4c35c95b25 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -1520,8 +1520,7 @@ out_err:
     if (d) {
         if (d->dp) {
             closedir(d->dp);
-        }
-        if (fd != -1) {
+        } else if (fd != -1) {
             close(fd);
         }
         free(d);