qemu-commits
[Qemu-commits] [qemu/qemu] 55b4e8: exec: Stop using memory after free


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 55b4e8: exec: Stop using memory after free
Date: Wed, 02 Dec 2015 08:30:04 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 55b4e80b047300e1512df02887b7448ba3786b62
      https://github.com/qemu/qemu/commit/55b4e80b047300e1512df02887b7448ba3786b62
  Author: Don Slutz <address@hidden>
  Date:   2015-12-02 (Wed, 02 Dec 2015)

  Changed paths:
    M exec.c

  Log Message:
  -----------
  exec: Stop using memory after free

memory_region_unref(mr) can free memory.

For example I got:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f43280d4700 (LWP 4462)]
0x00007f43323283c0 in phys_section_destroy (mr=0x7f43259468b0)
    at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
1023        if (mr->subpage) {
(gdb) bt
    at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
    at /home/don/xen/tools/qemu-xen-dir/exec.c:1034
    at /home/don/xen/tools/qemu-xen-dir/exec.c:2205
(gdb) p mr
$1 = (MemoryRegion *) 0x7f43259468b0

And this change prevents this.

Signed-off-by: Don Slutz <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
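The ordering bug the commit message describes, as an added example that is not part of the commit or of QEMU's code: a cut-down, hypothetical refcounted region whose last unref "frees" it, the pre-fix ordering that reads the subpage flag afterwards, and the fixed ordering that copies the flag out first. The unref poisons the object instead of calling free() (a stand-in for a poisoning debug allocator) so the stale read is observable in a test rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down model of a refcounted MemoryRegion (example code,
 * not QEMU's); only the fields the two orderings below touch are kept. */
typedef struct MemoryRegion {
    int ref;
    int subpage;                  /* non-zero if embedded in a subpage_t */
} MemoryRegion;

/* Stand-in for a poisoning debug allocator: dropping the last reference
 * fills the object with 0xA5 instead of returning it to the heap. */
static void memory_region_unref(MemoryRegion *mr)
{
    if (--mr->ref == 0) {
        memset(mr, 0xA5, sizeof(*mr));   /* mr is dead after this point */
    }
}

/* Pre-fix ordering: the flag is read after the unref that may have freed
 * the region; with poisoning the read sees 0xA5A5A5A5 instead of the flag. */
static bool destroy_buggy(MemoryRegion *mr)
{
    memory_region_unref(mr);
    return mr->subpage != 0;      /* use after free */
}

/* Fixed ordering: copy out what is still needed, then drop the reference. */
static bool destroy_fixed(MemoryRegion *mr)
{
    bool have_sub_page = mr->subpage != 0;
    memory_region_unref(mr);
    return have_sub_page;
}

/* Runs one ordering on a single-reference region whose subpage flag is
 * clear and reports whether it recovered the correct (false) value. */
static bool ordering_is_correct(bool (*destroy)(MemoryRegion *))
{
    MemoryRegion *mr = calloc(1, sizeof(*mr));
    if (!mr) {
        return false;
    }
    mr->ref = 1;
    bool seen = destroy(mr);
    free(mr);                     /* really release the poisoned object */
    return !seen;
}
```

Under a real allocator the buggy read would be the unpredictable SIGSEGV the message shows; a poisoning allocator (or ASan) turns it into a deterministic wrong answer that a test can catch.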


  Commit: c1f2448998062f25df395cd239169400a4c41ed6
      https://github.com/qemu/qemu/commit/c1f2448998062f25df395cd239169400a4c41ed6
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-12-02 (Wed, 02 Dec 2015)

  Changed paths:
    M qemu-char.c

  Log Message:
  -----------
  qemu-char: retry g_poll on EINTR

This is a case where pty_chr_update_read_handler_locked's lack
of error checking can produce incorrect values.  We are not using
SIGUSR1 anymore, so this is quite theoretical, but easy to fix.

Reported-by: Markus Armbruster <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>


  Commit: 21a24302e85024dd7b2a151158adbc1f5dc5c4dd
      https://github.com/qemu/qemu/commit/21a24302e85024dd7b2a151158adbc1f5dc5c4dd
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2015-12-02 (Wed, 02 Dec 2015)

  Changed paths:
    M main-loop.c
    M stubs/qtest.c

  Log Message:
  -----------
  main-loop: suppress warnings under qtest

commit 01c22f2cdd4fcf02276ea10f48253850a5fd7259 ("main-loop: Suppress
"I/O thread spun" warnings for qtest") doesn't actually disable the
warning for everyone since some tests don't run under the qtest
accelerator.

Check qtest_driver instead.

Cc: Peter Maydell <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>


  Commit: 0c2d70c448b7853a91cfa63659aa3cc6630fb9be
      https://github.com/qemu/qemu/commit/0c2d70c448b7853a91cfa63659aa3cc6630fb9be
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-12-02 (Wed, 02 Dec 2015)

  Changed paths:
    M bsd-user/elfload.c
    M include/exec/cpu-all.h
    M linux-user/elfload.c
    M linux-user/mmap.c
    M translate-all.c
    M translate-common.c

  Log Message:
  -----------
  translate-all: ensure host page mask is always extended with 1's

Anthony reported that >4GB guests on Xen with 32bit QEMU broke after
commit 4ed023c ("Round up RAMBlock sizes to host page sizes", 2015-11-05).

In that patch sizes are masked against qemu_host_page_size/mask which
are uintptr_t, and thus 32bit on a 32bit QEMU, even though the ram space
might be bigger than 4GB on Xen.

Since ram_addr_t is not available on user-mode emulation targets, ensure
that we get a sign extension when masking away the low bits of the address.
Remove the ~10 year old scary comment that the type of these variables
is probably wrong, with another equally scary comment.  The new comment
however does not have "???" in it, which is arguably an improvement.

For completeness use the alignment macros in linux-user and bsd-user
instead of manually doing an &.  linux-user and bsd-user are not affected
by the Xen issue, however.

Reviewed-by: Juan Quintela <address@hidden>
Reported-by: Anthony PERARD <address@hidden>
Fixes: 4ed023ce2a39ab5812d33cf4d819def168965a7f
Signed-off-by: Paolo Bonzini <address@hidden>
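The truncation the commit message describes, as an added example that is not part of the commit or of QEMU's code: fixed-width stand-ins emulate a 32-bit host (32-bit uintptr_t/intptr_t) while the address type stays 64-bit, and the two functions round a size up to the host page with an unsigned 32-bit mask (zero-extended, high bits lost) versus a signed 32-bit mask (sign-extended, high bits kept). The type names, page size and sample sizes are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins (example code, not QEMU's): ram_addr_t stays 64-bit
 * on a 32-bit host build, while uintptr_t/intptr_t shrink to 32 bits there.
 * Fixed-width types emulate that 32-bit host on any machine. */
typedef uint64_t ram_addr_t;
typedef uint32_t host_uintptr_t;   /* models uintptr_t on a 32-bit QEMU */
typedef int32_t  host_intptr_t;    /* models intptr_t on a 32-bit QEMU */

#define HOST_PAGE_SIZE 4096u

/* Pre-fix shape: an unsigned 32-bit mask is zero-extended when widened to
 * 64 bits for the AND, so bits 32..63 of the size are silently cleared. */
static ram_addr_t host_page_align_unsigned(ram_addr_t size)
{
    host_uintptr_t page_mask = ~(host_uintptr_t)(HOST_PAGE_SIZE - 1);
    return (size + HOST_PAGE_SIZE - 1) & page_mask;  /* 0x00000000FFFFF000 */
}

/* Post-fix shape: a signed 32-bit mask (-page_size) is sign-extended by the
 * usual arithmetic conversions, so the high bits of the size survive. */
static ram_addr_t host_page_align_signed(ram_addr_t size)
{
    host_intptr_t page_mask = -(host_intptr_t)HOST_PAGE_SIZE;
    return (size + HOST_PAGE_SIZE - 1) & page_mask;  /* 0xFFFFFFFFFFFFF000 */
}

int main(void)
{
    /* constructed sample sizes: one below 4GB, one above */
    ram_addr_t sizes[] = { 0xABCDE123ULL, 0x123456789ULL };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        printf("size 0x%llx: unsigned mask -> 0x%llx, signed mask -> 0x%llx\n",
               (unsigned long long)sizes[i],
               (unsigned long long)host_page_align_unsigned(sizes[i]),
               (unsigned long long)host_page_align_signed(sizes[i]));
    }
    return 0;
}
```

Below 4GB both masks agree, which is why the bug only showed up on large Xen guests.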


  Commit: 30a9fd5d13b0a4290382adc4c1bf619677066b89
      https://github.com/qemu/qemu/commit/30a9fd5d13b0a4290382adc4c1bf619677066b89
  Author: Peter Maydell <address@hidden>
  Date:   2015-12-02 (Wed, 02 Dec 2015)

  Changed paths:
    M bsd-user/elfload.c
    M exec.c
    M include/exec/cpu-all.h
    M linux-user/elfload.c
    M linux-user/mmap.c
    M main-loop.c
    M qemu-char.c
    M stubs/qtest.c
    M translate-all.c
    M translate-common.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* exec.c use after free
* Xen 32-on-64 breakage
* missing EINTR
* naughty warning under qtest

# gpg: Signature made Wed 02 Dec 2015 12:13:55 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <address@hidden>"
# gpg:                 aka "Paolo Bonzini <address@hidden>"

* remotes/bonzini/tags/for-upstream:
  translate-all: ensure host page mask is always extended with 1's
  main-loop: suppress warnings under qtest
  qemu-char: retry g_poll on EINTR
  exec: Stop using memory after free

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/9d7b969ea6d9...30a9fd5d13b0
