From patchwork Mon May 9 12:07:48 2016
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: marc.mari.barcelo@gmail.com, Paolo Bonzini, jsnow@redhat.com, Markus Armbruster
Date: Mon, 9 May 2016 13:07:48 +0100
Subject: [Qemu-devel] [PATCH v2 04/23] QemuOpts: Fix qemu_opts_foreach() dangling location regression
Message-Id: <1462795687-25698-5-git-send-email-stefanha@redhat.com>
In-Reply-To: <1462795687-25698-1-git-send-email-stefanha@redhat.com>
X-Patchwork-Id: 9045741
From: Markus Armbruster

qemu_opts_foreach() pushes and pops a Location with automatic storage duration. Except it fails to pop when @func() returns non-zero. cur_loc then points to unused stack space, and will most likely get clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or report bogus locations.

Affects several qemu command line options as well as qemu-img, qemu-io, qemu-nbd -object, and blkdebug's configuration file.

Broken in commit a4c7367, v2.4.0.

Reproducer:

    $ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar

main() reports "Property '.foo' not found" like this:

    if (qemu_opts_foreach(qemu_find_opts("object"),
                          user_creatable_add_opts_foreach,
                          object_create_delayed, &err)) {
        error_report_err(err);
        exit(1);
    }

cur_loc then points to where qemu_opts_foreach()'s Location used to be, i.e. unused stack space. With optimization, this Location doesn't get clobbered for me, and also happens to be the correct location. Without optimization, it does get clobbered in a way that makes error_report_err() report no location.

Signed-off-by: Markus Armbruster
Message-Id: <1461767349-15329-2-git-send-email-armbru@redhat.com>
Reviewed-by: Eric Blake
---
 util/qemu-option.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/qemu-option.c b/util/qemu-option.c
index dd9e73d..3467dc2 100644
--- a/util/qemu-option.c
+++ b/util/qemu-option.c
@@ -1108,19 +1108,19 @@ int qemu_opts_foreach(QemuOptsList *list, qemu_opts_loopfunc func, { Location loc; QemuOpts *opts; - int rc; + int rc = 0; loc_push_none(&loc); QTAILQ_FOREACH(opts, &list->head, next) { loc_restore(&opts->loc); rc = func(opaque, opts, errp); if (rc) { - return rc; + break; } assert(!errp || !*errp); } loc_pop(&loc); - return 0; + return rc; } static size_t count_opts_list(QemuOptsList *list)
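Review bot: the `break` in the `if (rc)` branch correctly routes the failure path through `loc_pop(&loc)`, but it also means `assert(!errp || !*errp)` now runs only on the success path, so a one-line comment above the loop stating that iteration stops at the first non-zero return from @func and that this value is what the function returns would make the post-patch control flow self-documenting. The `int rc = 0;` initialization is load-bearing rather than cosmetic: `rc` is now returned unconditionally, so without it an empty list would return an indeterminate value. Since the regression has been present since a4c7367 (v2.4.0), consider adding the reproducer from the commit message as a test so the missing pop cannot silently come back.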
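To make the failure mode in the commit message concrete, here is an added example that is not QEMU's code: a cut-down model of the Location stack (a linked list of stack-allocated entries with a global `cur_loc` top pointer) and two versions of the iteration loop shaped like the pre- and post-patch `qemu_opts_foreach()`. The names `foreach_buggy`, `foreach_fixed`, `reject_foo`, `run_scenario`, the `pushes_outstanding` counter and the three-entry options list are all constructed for the demo; the counter exists only so the dangling state can be detected without ever dereferencing the stale pointer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cut-down model of QEMU's Location stack (assumption: simplified from
 * util/error-report.c; this is demo code, not QEMU's). */
typedef struct Location {
    int lineno;               /* 0 means "no location" */
    struct Location *prev;    /* next entry down the stack */
} Location;

static Location std_loc = { 0, NULL };
static Location *cur_loc = &std_loc;
static int pushes_outstanding;  /* demo-only counter: +1 per push, -1 per pop */

static void loc_push_none(Location *loc)
{
    loc->lineno = 0;
    loc->prev = cur_loc;
    cur_loc = loc;
    pushes_outstanding++;
}

static void loc_pop(Location *loc)
{
    assert(cur_loc == loc);       /* popping out of order is a bug */
    cur_loc = loc->prev;
    loc->prev = NULL;
    pushes_outstanding--;
}

/* Copy *loc into the top-of-stack entry, keeping the stack link intact. */
static void loc_restore(const Location *loc)
{
    Location *prev = cur_loc->prev;
    *cur_loc = *loc;
    cur_loc->prev = prev;
}

/* Stand-in for QemuOpts: an id plus the location it was parsed at. */
typedef struct Opts { const char *id; Location loc; } Opts;
typedef int (*loopfunc)(void *opaque, Opts *opts);

/* Control flow before the patch: an early return skips loc_pop(). */
static int foreach_buggy(Opts *list, size_t n, loopfunc func, void *opaque)
{
    Location loc;
    loc_push_none(&loc);
    for (size_t i = 0; i < n; i++) {
        loc_restore(&list[i].loc);
        int rc = func(opaque, &list[i]);
        if (rc) {
            return rc;    /* BUG: cur_loc still points at &loc after this frame dies */
        }
    }
    loc_pop(&loc);
    return 0;
}

/* Control flow after the patch: break, pop, then return rc. */
static int foreach_fixed(Opts *list, size_t n, loopfunc func, void *opaque)
{
    Location loc;
    int rc = 0;           /* must start at 0 so an empty list still reports success */
    loc_push_none(&loc);
    for (size_t i = 0; i < n; i++) {
        loc_restore(&list[i].loc);
        rc = func(opaque, &list[i]);
        if (rc) {
            break;
        }
    }
    loc_pop(&loc);
    return rc;
}

/* Stand-in for the callback: rejects id "foo" and records the line cur_loc
 * names at that moment, the way error_report() would print it. */
static int reject_foo(void *opaque, Opts *opts)
{
    if (strcmp(opts->id, "foo") == 0) {
        *(int *)opaque = cur_loc->lineno;
        return -1;
    }
    return 0;
}

typedef struct Result { int leaked; int rc; int line; } Result;

/* Run one variant over a constructed three-entry list. leaked == 0 means the
 * stack was balanced; leaked == 1 means cur_loc points into a dead frame. */
static Result run_scenario(int use_fixed)
{
    Opts list[] = { { "disk0", { 3, NULL } }, { "foo", { 7, NULL } },
                    { "net0", { 9, NULL } } };   /* constructed sample input */
    size_t n = sizeof list / sizeof list[0];
    Result r = { 0, 0, 0 };

    cur_loc = &std_loc;         /* reset; the stale pointer is overwritten, never read */
    pushes_outstanding = 0;
    r.rc = use_fixed ? foreach_fixed(list, n, reject_foo, &r.line)
                     : foreach_buggy(list, n, reject_foo, &r.line);
    r.leaked = pushes_outstanding;
    return r;
}

int main(void)
{
    Result b = run_scenario(0), f = run_scenario(1);
    printf("buggy: leaked=%d rc=%d line=%d\n", b.leaked, b.rc, b.line);
    printf("fixed: leaked=%d rc=%d line=%d\n", f.leaked, f.rc, f.line);
    return 0;
}
```

Both variants return the callback's -1 and both see line 7 at the moment of failure, which is why the bug is easy to miss: the difference shows up only afterwards, when the buggy variant leaves one push outstanding and any later `loc_pop()` or `error_report()` in the caller walks through a pointer into a frame that no longer exists. The `assert(cur_loc == loc)` in `loc_pop()` is the check that turns a silent clobber into an immediate abort when a caller does pop next.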