| Message ID | 1461767349-15329-3-git-send-email-armbru@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 04/27/2016 08:29 AM, Markus Armbruster wrote: > replay_configure() pushes and pops a Location with automatic storage > duration. Except it fails to pop when -icount parameter "rr" isn't > given. cur_loc then points to unused stack space, and will most > likely get clobbered in short order. > > Clobbered cur_loc can make loc_pop() and error_print_loc() crash or > report bogus locations. > > Broken in commit 890ad55. > > I didn't take the time to find a reproducer. > > Cc: Eduardo Habkost <ehabkost@redhat.com> > Signed-off-by: Markus Armbruster <armbru@redhat.com> > --- > replay/replay.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > Reviewed-by: Eric Blake <eblake@redhat.com>
On Wed, Apr 27, 2016 at 04:29:08PM +0200, Markus Armbruster wrote: > replay_configure() pushes and pops a Location with automatic storage > duration. Except it fails to pop when -icount parameter "rr" isn't > given. cur_loc then points to unused stack space, and will most > likely get clobbered in short order. > > Clobbered cur_loc can make loc_pop() and error_print_loc() crash or > report bogus locations. > > Broken in commit 890ad55. > > I didn't take the time to find a reproducer. > > Cc: Eduardo Habkost <ehabkost@redhat.com> > Signed-off-by: Markus Armbruster <armbru@redhat.com> Oops! Thanks for catching it. Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
diff --git a/replay/replay.c b/replay/replay.c index 7c2573a..167fd29 100644 --- a/replay/replay.c +++ b/replay/replay.c @@ -275,7 +275,7 @@ void replay_configure(QemuOpts *opts) rr = qemu_opt_get(opts, "rr"); if (!rr) { /* Just enabling icount */ - return; + goto out; } else if (!strcmp(rr, "record")) { mode = REPLAY_MODE_RECORD; } else if (!strcmp(rr, "replay")) { @@ -293,6 +293,7 @@ void replay_configure(QemuOpts *opts) replay_enable(fname, mode); +out: loc_pop(&loc); }
replay_configure() pushes and pops a Location with automatic storage duration. Except it fails to pop when -icount parameter "rr" isn't given. cur_loc then points to unused stack space, and will most likely get clobbered in short order. Clobbered cur_loc can make loc_pop() and error_print_loc() crash or report bogus locations. Broken in commit 890ad55. I didn't take the time to find a reproducer. Cc: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> --- replay/replay.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)