On 30.11.18 09:37, Markus Armbruster wrote: > Eduardo Habkost <ehabk...@redhat.com> writes: > >> host_memory_backend_set_host_nodes() was not validating >> host-nodes before writing to backend->host_nodes, making QEMU >> write beyond the end of the bitmap. >> >> Fix the crash and add a simple regression test for the fix. >> >> Reported-by: Markus Armbruster <arm...@redhat.com> >> Signed-off-by: Eduardo Habkost <ehabk...@redhat.com> >> --- >> backends/hostmem.c | 13 +++++++--- >> tests/acceptance/host-nodes-limit.py | 36 ++++++++++++++++++++++++++++ >> 2 files changed, 46 insertions(+), 3 deletions(-) >> create mode 100644 tests/acceptance/host-nodes-limit.py >> >> diff --git a/backends/hostmem.c b/backends/hostmem.c >> index 1a89342039..ef199d32fd 100644 >> --- a/backends/hostmem.c >> +++ b/backends/hostmem.c >> @@ -103,11 +103,18 @@ host_memory_backend_set_host_nodes(Object *obj, >> Visitor *v, const char *name, >> { >> #ifdef CONFIG_NUMA >> HostMemoryBackend *backend = MEMORY_BACKEND(obj); >> - uint16List *l = NULL; >> + uint16List *l, *host_nodes = NULL; >> >> - visit_type_uint16List(v, name, &l, errp); >> + visit_type_uint16List(v, name, &host_nodes, errp); >> + >> + for (l = host_nodes; l; l = l->next) { >> + if (l->value >= MAX_NODES) { >> + error_setg(errp, "Invalid host-nodes value: %d", l->value); >> + return; >> + } >> + } >> >> - while (l) { >> + for (l = host_nodes; l; l = l->next) { >> bitmap_set(backend->host_nodes, l->value, 1); >> l = l->next; >> } > > Pre-existing: leaks the list created by visit_type_uint16List(), or am I > confused? >
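Review bot: the converted loop at the end of the hunk keeps the old `l = l->next;` inside the body, so each iteration now advances the pointer twice: `for (l = host_nodes; l; l = l->next) { bitmap_set(backend->host_nodes, l->value, 1); l = l->next; }` sets the bit for every other node only, and when the list has an odd number of entries the body moves `l` to NULL and the for-increment then dereferences it. Drop the `l = l->next;` line from the body. On the leak: the list returned by visit_type_uint16List() is never freed, and the new `return` on an out-of-range value adds a second path that drops it; releasing `host_nodes` with qapi_free_uint16List() on both the error and the success path (for example via a single `out:` label) would cover both. The validation loop also runs without checking whether visit_type_uint16List() failed; with `host_nodes` left NULL the loops do nothing, but an explicit early return on error would make that intent clear.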
I think you're right. -- Thanks, David / dhildenb