Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).

Commit Message

wliang@stu.xidian.edu.cn Feb. 25, 2022, 4:21 a.m. UTC

Hi all,

I find a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c).

Specifically, at line 880, the variable 'scr' is released by the bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, an UAF bug may be triggered.





880    bdrv_unref(src);


881    bdrv_set_backing_hd(src, src_backing, &error_abort);





I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.


---    bdrv_unref(src);
881    bdrv_set_backing_hd(src, src_backing, &error_abort);
+++bdrv_unref(src);


It is a test program, so I could't get a mail-list to send. So I send it to you. Hope you can help me.
I'm looking forward to your confirmation.

Sincerely Thanks,
Wentao

Patch

From 0d631c66441be73666f4ce959fa00754820cd4ea Mon Sep 17 00:00:00 2001
From: Wentao_Liang <Wentao_Liang_g@163.com>
Date: Fri, 25 Feb 2022 12:12:16 +0800
Subject: [PATCH] Fix a potential Use-after-free in
 test_blockjob_common_drain_node()

Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
---
 tests/unit/test-bdrv-drain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/test-bdrv-drain.c b/tests/unit/test-bdrv-drain.c
index 36be84ae55..0e988badc1 100644
--- a/tests/unit/test-bdrv-drain.c
+++ b/tests/unit/test-bdrv-drain.c
@@ -877,8 +877,8 @@  static void test_blockjob_common_drain_node(enum drain_type drain_type,
                                        BDRV_O_RDWR, &error_abort);
 
     bdrv_set_backing_hd(src_overlay, src, &error_abort);
-    bdrv_unref(src);
     bdrv_set_backing_hd(src, src_backing, &error_abort);
+    bdrv_unref(src);
     bdrv_unref(src_backing);
 
     blk_src = blk_new(qemu_get_aio_context(), BLK_PERM_ALL, BLK_PERM_ALL);
-- 
2.25.1