[libvirt] [PATCH] snapshot: Fix use-after-free during snapshot delete
Eric Blake
eblake at redhat.com
Mon Apr 8 19:26:55 UTC 2019
On 4/8/19 1:35 PM, Roman Bogorodskiy wrote:
> Eric Blake wrote:
>
>> Commit b647d2195 introduced a use-after-free situation when the caller
>> is trying to delete a snapshot and its children: if the callback
>>
>> Fixes: b647d2195
>> Reported-by: Roman Bogorodskiy <bogorodskiy at gmail.com>
>> Signed-off-by: Eric Blake <eblake at redhat.com>
>> ---
>> src/conf/virdomainmomentobjlist.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/conf/virdomainmomentobjlist.c b/src/conf/virdomainmomentobjlist.c
>> index 65e82f632c..66eb66017b 100644
>> --- a/src/conf/virdomainmomentobjlist.c
>> +++ b/src/conf/virdomainmomentobjlist.c
>> @@ -80,9 +80,11 @@ virDomainMomentActOnDescendant(void *payload,
>> {
>> virDomainMomentObjPtr obj = payload;
>> struct moment_act_on_descendant *curr = data;
>> + virDomainMomentObj tmp = *obj;
>>
>> + /* Careful: curr->iter can delete obj, hence the need for tmp */
>> (curr->iter)(payload, name, curr->data);
>> - curr->number += 1 + virDomainMomentForEachDescendant(obj,
>> + curr->number += 1 + virDomainMomentForEachDescendant(&tmp,
>> curr->iter,
>> curr->data);
>> return 0;
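Review bot: the shallow copy on the `+ virDomainMomentObj tmp = *obj;` line only protects against `obj` itself being freed; everything that `virDomainMomentForEachDescendant(&tmp, ...)` then reads through tmp's member pointers has to outlive the `(curr->iter)(payload, name, curr->data)` call. The `/* Careful: ... */` comment should state that contract explicitly: the callback may delete `obj`, but must not tear down or relink the descendant list that `tmp` still points at, otherwise the copy just moves the stale read one level down. It is also worth a word that the full struct copy now happens on every descendant visited, even for callbacks that never delete anything.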
>
> This fixes the problem for me, thanks.
> The change itself looks reasonable to me, but I'm not familiar enough with the code
> to go with Reviewed-by, I guess.
Well, Tested-by is better than nothing; so I've gone ahead and pushed
it. Thanks for checking that it works :)
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
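The commit message above describes the pattern behind the bug: a per-node callback that may free the node it is handed, followed by a recursion that still dereferences that node. The program below is an added example, not libvirt code, that reproduces the shape of virDomainMomentForEachDescendant/virDomainMomentActOnDescendant on a toy first-child/next-sibling tree and runs the pre-fix and post-fix variants side by side. To make the stale read observable without undefined behaviour, "freeing" a node poisons it and counts later reads instead of releasing memory. The node layout, the function names, the poisoning free and the sample tree are all assumptions made for the example.

```c
/* Added example (not libvirt code): callback-may-free-node during a
 * recursive tree walk, pre-fix vs. post-fix. Names/layout are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define ALIVE 0xA11BEu
#define DEAD  0xDEADu
#define MAX_NODES 16

typedef struct Moment Moment;
struct Moment {
    unsigned magic;         /* ALIVE or DEAD, so a stale access can be detected */
    const char *name;
    Moment *first_child;    /* first-child / next-sibling tree (assumed layout) */
    Moment *next_sibling;
};

typedef int (*MomentIter)(Moment *obj, void *data);
typedef size_t (*ActFn)(Moment *obj, MomentIter iter, void *data);

static Moment *all_nodes[MAX_NODES];   /* arena so the example can clean up */
static size_t n_nodes;
static int n_freed, uaf_hits;

static Moment *momentNew(const char *name, Moment *parent)
{
    Moment *m = calloc(1, sizeof(*m));
    if (!m || n_nodes == MAX_NODES) abort();
    m->magic = ALIVE;
    m->name = name;
    if (parent) {                      /* prepend to the parent's child list */
        m->next_sibling = parent->first_child;
        parent->first_child = m;
    }
    all_nodes[n_nodes++] = m;
    return m;
}

/* "Free" by poisoning instead of releasing memory: a later read is then
 * recorded as a use-after-free rather than becoming undefined behaviour. */
static void momentFree(Moment *m)
{
    m->magic = DEAD;
    m->first_child = m->next_sibling = NULL;
    n_freed++;
}

static Moment *checkedFirstChild(const Moment *m)
{
    if (m->magic != ALIVE) { uaf_hits++; return NULL; }
    return m->first_child;
}

/* Walk obj's children, applying act() to each; the sibling link is read
 * before act() because the callback may free the child. */
static size_t forEachDescendant(Moment *obj, MomentIter iter, void *data, ActFn act)
{
    size_t n = 0;
    Moment *next;
    for (Moment *c = checkedFirstChild(obj); c; c = next) {
        next = c->next_sibling;
        n += act(c, iter, data);
    }
    return n;
}

/* Pre-fix shape: recurses on obj after iter() may have freed it. */
static size_t actBuggy(Moment *obj, MomentIter iter, void *data)
{
    iter(obj, data);
    return 1 + forEachDescendant(obj, iter, data, actBuggy);
}

/* Post-fix shape: copy obj first, then walk the copy's still-alive children. */
static size_t actFixed(Moment *obj, MomentIter iter, void *data)
{
    Moment tmp = *obj;                /* shallow copy while obj is still valid */
    iter(obj, data);                  /* may free obj */
    return 1 + forEachDescendant(&tmp, iter, data, actFixed);
}

/* The callback under test: delete the node we are handed. */
static int deleteIter(Moment *obj, void *data)
{
    (void)data;
    momentFree(obj);
    return 0;
}

struct WalkResult { size_t visited; int freed; int uaf_hits; };

/* Build root -> {a -> {a1, a2}, b} (constructed sample), delete every
 * descendant with the given act(), and report what happened. */
static struct WalkResult runDelete(ActFn act)
{
    struct WalkResult r;
    Moment *root = momentNew("root", NULL);
    Moment *a = momentNew("a", root);
    momentNew("a1", a);
    momentNew("a2", a);
    momentNew("b", root);
    n_freed = uaf_hits = 0;
    r.visited = forEachDescendant(root, deleteIter, NULL, act);
    r.freed = n_freed;
    r.uaf_hits = uaf_hits;
    while (n_nodes) free(all_nodes[--n_nodes]);
    return r;
}

int main(void)
{
    struct WalkResult b = runDelete(actBuggy), f = runDelete(actFixed);
    printf("buggy: visited %zu, freed %d, stale reads %d\n", b.visited, b.freed, b.uaf_hits);
    printf("fixed: visited %zu, freed %d, stale reads %d\n", f.visited, f.freed, f.uaf_hits);
    return 0;
}
```

With the buggy shape the walk reads `first_child` of a node the callback has just freed, so the grandchildren a1 and a2 are never visited or deleted (two stale reads, two deletions). With the copy taken before the callback all four descendants are visited and deleted and nothing dead is touched. The copy is only sound because the callback frees the node and leaves its child list alone; a callback that also destroyed the children would need a different fix.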