From patchwork Fri Feb 25 04:21:24 2022
X-Patchwork-Submitter: wliang@stu.xidian.edu.cn
X-Patchwork-Id: 12759662
From: wliang@stu.xidian.edu.cn
To: thuth@redhat.com
Cc: "qemu-devel@nongnu.org"
Date: Fri, 25 Feb 2022 12:21:24 +0800 (GMT+08:00)
Subject: Fix a potential Use-after-free in test_blockjob_common_drain_node() (v6.2.0).
In-Reply-To: <21fd23f8.25ce.17f2703f0f8.Coremail.wliang@stu.xidian.edu.cn>
Message-ID: <22f80063.bd7.17f2f1cb4c2.Coremail.wliang@stu.xidian.edu.cn>

Hi all,

I found a potential Use-after-free in QEMU 6.2.0, which is in test_blockjob_common_drain_node() (./tests/unit/test-bdrv-drain.c). Specifically, at line 880, the variable 'src' is released by bdrv_unref(). However, at line 881, it is subsequently used as the 1st parameter of the function bdrv_set_backing_hd(). As a result, a UAF bug may be triggered.
880 bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);

I believe that the problem can be fixed by invoking bdrv_unref() after the call of bdrv_set_backing_hd() rather than before it.

--- bdrv_unref(src);
881 bdrv_set_backing_hd(src, src_backing, &error_abort);
+++ bdrv_unref(src);

It is a test program, so I couldn't find a mailing list to send it to. So I send it to you. Hope you can help me. I'm looking forward to your confirmation.

Sincerely Thanks,
Wentao

From 0d631c66441be73666f4ce959fa00754820cd4ea Mon Sep 17 00:00:00 2001
From: Wentao_Liang
Date: Fri, 25 Feb 2022 12:12:16 +0800
Subject: [PATCH] Fix a potential Use-after-free in test_blockjob_common_drain_node()

Signed-off-by: Wentao_Liang
---
 tests/unit/test-bdrv-drain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/test-bdrv-drain.c b/tests/unit/test-bdrv-drain.c index 36be84ae55..0e988badc1 100644 --- a/tests/unit/test-bdrv-drain.c +++ b/tests/unit/test-bdrv-drain.c @@ -877,8 +877,8 @@ static void test_blockjob_common_drain_node(enum drain_type drain_type, BDRV_O_RDWR, &error_abort); bdrv_set_backing_hd(src_overlay, src, &error_abort); - bdrv_unref(src); bdrv_set_backing_hd(src, src_backing, &error_abort); + bdrv_unref(src); bdrv_unref(src_backing); blk_src = blk_new(qemu_get_aio_context(), BLK_PERM_ALL, BLK_PERM_ALL); -- 2.25.1
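Review bot: the use-after-free premise behind this reorder is not supported by the hunk itself: the unchanged context line `bdrv_set_backing_hd(src_overlay, src, &error_abort);` directly above the moved `bdrv_unref(src);` attaches src as the backing file of src_overlay, and in the QEMU block layer that attachment takes its own reference on src (bdrv_set_backing_hd attaches the child through bdrv_attach_child, which calls bdrv_ref), so the following bdrv_unref(src) only drops the creator's reference and src remains alive for the later `bdrv_set_backing_hd(src, src_backing, &error_abort);`. The hunk leaves the identical pattern untouched two lines down, where `bdrv_unref(src_backing);` follows the call that attaches src_backing to src, which is consistent with the attach holding the reference. The reorder is harmless, but the subject and commit message assert a UAF without a reproducer or sanitizer report; either drop the change or reword it as a cosmetic cleanup and explain why the reference held by src_overlay would not keep src alive.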