From: Paolo Bonzini
Subject: Re: Segfault in hw/scsi/scsi-disk.c caused by null pointer
Date: Fri, 12 Aug 2022 17:11:52 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
On 8/12/22 16:50, Peter Maydell wrote:
> As I said previously, this is still absolutely wrong. If we ever get to this function with either of these fields being NULL then there has been a serious problem, probably a memory corruption or use-after-free, or possibly an attempt to use a partially constructed object.
Yeah, this would still be a use-after-free. s->version is never written (see for example release_string in hw/core/qdev-properties.c) so it means that the storage for "s" has been reused.

The bug has been fixed in version 5.2 of QEMU with the following commits:

7a8202c521 scsi/scsi_bus: switch search direction in scsi_device_find
7bed89958b device_core: use drain_call_rcu in in qmp_device_add
2d24a64661 device-core: use RCU for list of children of a bus
42a90a899e scsi: switch to bus->check_address
a23151e8cc device-core: use atomic_set on .realized property
8ddf958e8d scsi/scsi-bus: scsi_device_find: don't return unrealized devices
8ff3449560 scsi/scsi_bus: Add scsi_device_get
07a47d4a18 virtio-scsi: use scsi_device_get
8cfe8013ba scsi/scsi_bus: fix races in REPORT LUNS

Feel free to pass this information to Canonical so that they can fix their old version of QEMU.

Paolo
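Added illustration, not part of the thread and not QEMU code: a toy model of the failure mode Paolo describes (a bus lookup hands back a pointer the caller does not own, the device is unplugged and freed underneath it, and the freed storage is reused, so a field that is never written no longer reads as NULL) beside the counted-reference shape that the "Add scsi_device_get" / "use scsi_device_get" commits listed above move to, as I read their titles. ToyBus, ToyDevice and every toy_* function are hypothetical names, and the reference-count mechanics are a simplification, not QEMU's RCU and QOM implementation.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added illustration, not QEMU code. ToyBus, ToyDevice and the toy_*
 * functions are hypothetical names: a bus lookup that hands out a raw
 * pointer (pre-fix shape) beside one that hands out a counted
 * reference (the shape the scsi_device_get commits move towards). */

typedef struct ToyDevice {
    int lun;
    int refcount;           /* holders keeping this object alive */
    char *version;          /* never written: stays NULL for its whole life */
    struct ToyDevice *next;
} ToyDevice;

typedef struct ToyBus { ToyDevice *head; } ToyBus;

/* Live object count, so callers can observe a free without touching
 * freed memory. */
static int toy_live_devices = 0;

static void toy_bus_add(ToyBus *bus, int lun) {
    ToyDevice *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->lun = lun;
    d->refcount = 1;        /* the bus list owns this reference */
    d->next = bus->head;
    bus->head = d;
    toy_live_devices++;
}

/* Drop one reference; storage is released only when nobody holds it. */
static void toy_device_unref(ToyDevice *d) {
    if (--d->refcount == 0) {
        toy_live_devices--;
        free(d);
    }
}

/* Pre-fix shape: the caller does not own the returned pointer. If the
 * device is unplugged before the caller is done, the pointer dangles
 * and the storage can be reused, which is how a field that is never
 * written can suddenly hold garbage. */
static ToyDevice *toy_device_find(ToyBus *bus, int lun) {
    for (ToyDevice *d = bus->head; d; d = d->next)
        if (d->lun == lun) return d;
    return NULL;
}

/* Fixed shape: same lookup, but the caller gets its own reference and
 * must release it with toy_device_unref(). */
static ToyDevice *toy_device_find_get(ToyBus *bus, int lun) {
    ToyDevice *d = toy_device_find(bus, lun);
    if (d) d->refcount++;
    return d;
}

/* Hot-unplug: unlink from the bus and drop the bus's reference. */
static bool toy_bus_unplug(ToyBus *bus, int lun) {
    for (ToyDevice **pp = &bus->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->lun == lun) {
            ToyDevice *d = *pp;
            *pp = d->next;
            toy_device_unref(d);
            return true;
        }
    }
    return false;
}

/* Raw lookup, then an unplug races in. Returns the live count after
 * the unplug: the device we looked up is already gone, so the raw
 * pointer dangles and we deliberately do not touch it. */
static int toy_scenario_raw_pointer(void) {
    ToyBus bus = { NULL };
    toy_bus_add(&bus, 0);
    toy_bus_add(&bus, 1);
    ToyDevice *d = toy_device_find(&bus, 1);
    toy_bus_unplug(&bus, 1);    /* frees d's storage underneath us */
    (void)d;                    /* any dereference here is a UAF */
    int live = toy_live_devices;
    toy_bus_unplug(&bus, 0);
    return live;
}

/* Counted lookup, then the same unplug. The device stays valid until
 * the caller releases it, and its never-written field is still NULL.
 * Returns true when each step behaved as expected. */
static bool toy_scenario_held_reference(void) {
    ToyBus bus = { NULL };
    toy_bus_add(&bus, 0);
    toy_bus_add(&bus, 1);
    ToyDevice *d = toy_device_find_get(&bus, 1);
    if (!d) return false;
    toy_bus_unplug(&bus, 1);    /* unlinked, but d keeps it alive */
    bool ok = d->lun == 1 && d->version == NULL && toy_live_devices == 2;
    toy_device_unref(d);        /* last holder: freed now */
    ok = ok && toy_live_devices == 1;
    toy_bus_unplug(&bus, 0);
    return ok && toy_live_devices == 0;
}
```

The point of the two scenario functions is the ownership contract, not the list walk: whoever gets a device back from a lookup must hold something that keeps it alive until they are done with it, otherwise a concurrent unplug turns every later field access into the use-after-free seen in the original report. A never-written field being non-NULL is a cheap symptom to look for in a crash dump, but it is only a symptom; the fix is the reference, not a NULL check.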