SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

block/block-copy: fix use-after-free of task pointer

Browse Source 
Obviously, we should g_free the task after trace point and offset
update.

Reported-by: Coverity (CID 1428756)
Fixes: 4ce5dd3e9b5ee0fac18625860eb3727399ee965e
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200507183800.22626-1-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
This commit is contained in:
Vladimir Sementsov-Ogievskiy 2020-05-07 21:38:00 +03:00 committed by Max Reitz
parent dd488fc1c0
commit fc9aefc8c0
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
block/block-copy.c
View File

@ -591,13 +591,13 @@ static int coroutine_fn block_copy_dirty_clusters(BlockCopyState *s,
} }
if (s->skip_unallocated && !(ret & BDRV_BLOCK_ALLOCATED)) { if (s->skip_unallocated && !(ret & BDRV_BLOCK_ALLOCATED)) {
block_copy_task_end(task, 0); block_copy_task_end(task, 0);
g_free(task);
progress_set_remaining(s->progress, progress_set_remaining(s->progress,
bdrv_get_dirty_count(s->copy_bitmap) + bdrv_get_dirty_count(s->copy_bitmap) +
s->in_flight_bytes); s->in_flight_bytes);
trace_block_copy_skip_range(s, task->offset, task->bytes); trace_block_copy_skip_range(s, task->offset, task->bytes);
offset = task_end(task); offset = task_end(task);
bytes = end - offset; bytes = end - offset;
g_free(task);
continue; continue;
} }
task->zeroes = ret & BDRV_BLOCK_ZERO; task->zeroes = ret & BDRV_BLOCK_ZERO;