[PATCH 1/2] qemuBlockJobProcessEventCompletedPull: Avoid dangling pointer after blockpull

Peter Krempa pkrempa at redhat.com
Mon Apr 12 15:57:45 UTC 2021


When doing a full block pull job (base == NULL) and the config XML
contains a compatible disk, the completer function would leave a
dangling pointer in 'cfgdisk->src->backingStore' as cfgdisk->src would
be set to the value of 'cfgbase' which was always set to
'cfgdisk->src->backingStore'.

This is wrong though since for the live definition XML we set the
respective counterpart to 'job->data.pull.base' which is NULL in the
above scenario.

This leads to an invalid pointer read when saving the config XML and may
end up in a crash.

Resolve it by setting 'cfgbase' only when 'job->data.pull.base' is
non-NULL.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1946918
Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 src/qemu/qemu_blockjob.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 66268a365a..d708fd18fd 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -1005,10 +1005,7 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPtr driver,
     if (!job->disk)
         return;

-    if ((cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
-        cfgbase = cfgdisk->src->backingStore;
-
-    if (!cfgdisk)
+    if (!(cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))
         qemuBlockJobClearConfigChain(vm, job->disk);

     qemuBlockJobProcessEventCompletedPullBitmaps(vm, job, asyncJob);
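Review bot: Removing the `cfgbase = cfgdisk->src->backingStore;` assignment here means `cfgbase` now depends on its initialiser at the point of declaration, which is outside this hunk; please confirm it is initialised to NULL so the `job->data.pull.base == NULL` path (the scenario from the commit message) does not reach the later code with an indeterminate pointer. Folding the lookup into `if (!(cfgdisk = qemuBlockJobGetConfigDisk(...)))` is fine and matches the pattern used elsewhere for `if (!job->disk)`.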
@@ -1018,6 +1015,8 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPtr driver,
         return;

     if (job->data.pull.base) {
+        if (cfgdisk)
+            cfgbase = cfgdisk->src->backingStore;
         for (n = job->disk->src->backingStore; n && n != job->data.pull.base; n = n->backingStore) {
             /* find the image on top of 'base' */

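Review bot: The new `if (cfgdisk) cfgbase = cfgdisk->src->backingStore;` block is correct for the bug described, but a one-line comment above it would help future readers, since the reason for assigning `cfgbase` only inside the `job->data.pull.base` branch (a full pull must not leave `cfgdisk->src->backingStore` referenced after `cfgdisk->src` is replaced) is not obvious from the code alone; something like `/* only adjust the config chain when a 'base' exists, a full pull drops the whole chain */` would do.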
-- 
2.30.2
