On Thu, May 15, 2025 at 07:20:11PM -0300, Fabiano Rosas wrote:

> The IOWatchPoll holds a reference to the iochannel while the "child"
> source (iwp->src) is removed from the context and freed. Freeing the
> source leads to the iochannel being also freed at
> qio_channel_fd_source_finalize().
>
> Later, io_watch_poll_prepare() tries to create another source with the
> same iochannel and hits a use-after-free:
>
> ==8241==ERROR: AddressSanitizer: heap-use-after-free on address 0x514000000040
> READ of size 8 at 0x514000000040 thread T2
>     #0 0x561c2d272fcd in object_get_class ../qom/object.c:1043:17
>     #1 0x561c2d338f84 in QIO_CHANNEL_GET_CLASS include/io/channel.h:29:1
>     #2 0x561c2d33b26f in qio_channel_create_watch ../io/channel.c:388:30
>     #3 0x561c2d2f0993 in io_watch_poll_prepare ../chardev/char-io.c:65:20
>     ...
>
> 0x514000000040 is located 0 bytes inside of 392-byte region
> [0x514000000040,0x5140000001c8)
> freed by thread T2 here:
>     #0 0x561c2d2319a5 in free
>     #1 0x7fb2c0926638 in g_free
>     #2 0x561c2d276507 in object_finalize ../qom/object.c:734:9
>     #3 0x561c2d271d0d in object_unref ../qom/object.c:1231:9
>     #4 0x561c2d32ef1d in qio_channel_fd_source_finalize ../io/channel-watch.c:95:5
>     #5 0x7fb2c091d124 in g_source_unref_internal ../glib/gmain.c:2298
>     #6 0x561c2d2f0b6c in io_watch_poll_prepare ../chardev/char-io.c:71:9
>     ...
>
> previously allocated by thread T3 (connect) here:
>     #0 0x561c2d231c69 in malloc
>     #1 0x7fb2c0926518 in g_malloc
>     #2 0x561c2d27246e in object_new_with_type ../qom/object.c:767:15
>     #3 0x561c2d272530 in object_new ../qom/object.c:789:12
>     #4 0x561c2d320193 in qio_channel_socket_new ../io/channel-socket.c:64:31
>     #5 0x561c2d308013 in tcp_chr_connect_client_async ../chardev/char-socket.c:1181:12
>     #6 0x561c2d3002e7 in qmp_chardev_open_socket_client ../chardev/char-socket.c:1281:9
>     ...
>
> Fix the issue by incrementing the iochannel reference count when the
> IOWatchPoll takes a reference and decrementing when it is finalized.
>
> Signed-off-by: Fabiano Rosas <faro...@suse.de>
> ---
>  chardev/char-io.c | 5 +++++
>  1 file changed, 5 insertions(+)
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
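The ownership problem the quoted patch description fixes, reduced to a toy model as an added example (this is not QEMU's code): a refcounted channel, a child source that owns one reference and drops it when freed, and a poller that before the fix keeps only a raw pointer, so freeing the child source in prepare() drops the last reference before the poller re-creates a source from the same channel. The names Channel, Source, WatchPoll and scenario(), and the finalized flag used in place of a real free, are assumptions of this model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy refcounted object standing in for the iochannel. Instead of freeing
 * the memory, finalize only sets a flag so the scenario stays inspectable. */
typedef struct { int refcount; bool finalized; } Channel;
static Channel *channel_new(void) { Channel *c = calloc(1, sizeof *c); c->refcount = 1; return c; }
static void channel_ref(Channel *c) { c->refcount++; }
static void channel_unref(Channel *c) { if (--c->refcount == 0) c->finalized = true; }
/* The "child" source: owns one reference and drops it when the source is freed. */
typedef struct { Channel *ioc; } Source;
static Source *source_new(Channel *c) { Source *s = calloc(1, sizeof *s); s->ioc = c; channel_ref(c); return s; }
static void source_unref(Source *s) { channel_unref(s->ioc); free(s); }
/* The poller. Before the fix it kept only a raw pointer to the channel
 * (own_ref = false); the fix makes it take its own reference (own_ref = true). */
typedef struct { Channel *ioc; Source *src; bool own_ref; } WatchPoll;
static WatchPoll *watch_poll_new(Channel *c, bool own_ref) {
    WatchPoll *w = calloc(1, sizeof *w);
    w->ioc = c;
    w->src = source_new(c);
    w->own_ref = own_ref;
    if (own_ref) channel_ref(c);      /* the increment the fix adds */
    return w;
}
/* prepare(): free the child source, then create a new one from the same channel.
 * Returns false if the channel is already finalized (where the real code read freed memory). */
static bool watch_poll_prepare(WatchPoll *w) {
    source_unref(w->src); w->src = NULL;
    if (w->ioc->finalized) return false;
    w->src = source_new(w->ioc);
    return true;
}
static void watch_poll_finalize(WatchPoll *w) {
    if (w->src) source_unref(w->src);
    if (w->own_ref) channel_unref(w->ioc);   /* the decrement the fix adds */
    free(w);
}
/* The creator hands the channel to the poller, drops its own reference, then prepare()
 * runs once. True only if the channel survived and all references were balanced. */
static bool scenario(bool with_fix) {
    Channel *c = channel_new();
    WatchPoll *w = watch_poll_new(c, with_fix);
    channel_unref(c);
    bool ok = watch_poll_prepare(w);
    watch_poll_finalize(w);
    bool balanced = c->finalized && c->refcount == 0;
    free(c);
    return ok && balanced;
}
```

scenario(false) reproduces the ordering from the sanitizer report (the child source's unref is the last one), while scenario(true) shows the poller's own reference keeping the channel alive across prepare() and being released only in finalize.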