subject:"\[Qemu\-devel\] \[PATCH for\-2.6 2\/3\] replay\: Fix dangling location bug in replay

Re: [Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

2016-04-27 Thread Eduardo Habkost

On Wed, Apr 27, 2016 at 04:29:08PM +0200, Markus Armbruster wrote:
> replay_configure() pushes and pops a Location with automatic storage
> duration.  Except it fails to pop when -icount parameter "rr" isn't
> given.  cur_loc then points to unused stack space, and will most
> likely get clobbered in short order.
> 
> Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
> report bogus locations.
> 
> Broken in commit 890ad55.
> 
> I didn't take the time to find a reproducer.
> 
> Cc: Eduardo Habkost 
> Signed-off-by: Markus Armbruster 

Oops! Thanks for catching it.

Reviewed-by: Eduardo Habkost 

-- 
Eduardo

Re: [Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

2016-04-27 Thread Eric Blake

On 04/27/2016 08:29 AM, Markus Armbruster wrote:
> replay_configure() pushes and pops a Location with automatic storage
> duration.  Except it fails to pop when -icount parameter "rr" isn't
> given.  cur_loc then points to unused stack space, and will most
> likely get clobbered in short order.
> 
> Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
> report bogus locations.
> 
> Broken in commit 890ad55.
> 
> I didn't take the time to find a reproducer.
> 
> Cc: Eduardo Habkost 
> Signed-off-by: Markus Armbruster 
> ---
>  replay/replay.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 

Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

2016-04-27 Thread Markus Armbruster

replay_configure() pushes and pops a Location with automatic storage
duration.  Except it fails to pop when -icount parameter "rr" isn't
given.  cur_loc then points to unused stack space, and will most
likely get clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.

Broken in commit 890ad55.

I didn't take the time to find a reproducer.

Cc: Eduardo Habkost 
Signed-off-by: Markus Armbruster 
---
 replay/replay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/replay/replay.c b/replay/replay.c
index 7c2573a..167fd29 100644
--- a/replay/replay.c
+++ b/replay/replay.c
@@ -275,7 +275,7 @@ void replay_configure(QemuOpts *opts)
 rr = qemu_opt_get(opts, "rr");
 if (!rr) {
 /* Just enabling icount */
-return;
+goto out;
 } else if (!strcmp(rr, "record")) {
 mode = REPLAY_MODE_RECORD;
 } else if (!strcmp(rr, "replay")) {
@@ -293,6 +293,7 @@ void replay_configure(QemuOpts *opts)
 
 replay_enable(fname, mode);
 
+out:
 loc_pop();
 }
 
-- 
2.5.5

Re: [Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

Re: [Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

[Qemu-devel] [PATCH for-2.6 2/3] replay: Fix dangling location bug in replay_configure()

3 matches

Site Navigation

Mail list logo

Footer information