author Anthony Liguori <aliguori@us.ibm.com> 2012-06-27 07:37:54 -0500
committer Anthony Liguori <aliguori@us.ibm.com> 2012-06-27 16:26:59 -0500
commit 7de3abe505e34398cef5bddf6c4d0bd9ee47007f (patch)
tree 6c0c64a3d067116f78673ac9d13d1f2e43896657
parent d24b569a4162c54426ab5088637b824f54f6ac16 (diff)
qdev: fix use-after-free in the error path of qdev_init_nofail
From Markus:

Before:

$ qemu-system-x86_64 -display none -drive if=ide
qemu-system-x86_64: Device needs media, but drive is empty
qemu-system-x86_64: Initialization of device ide-hd failed
[Exit 1 ]

After:

$ qemu-system-x86_64 -display none -drive if=ide
qemu-system-x86_64: Device needs media, but drive is empty
Segmentation fault (core dumped)
[Exit 139 (SIGSEGV)]

This error always existed as qdev_init() frees the object. But QOM goes a bit further and purposefully sets the class pointer to NULL to help find use-after-free. It worked :-)

Cc: Andreas Faerber <afaerber@suse.de>
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r--  hw/qdev.c  5
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/qdev.c b/hw/qdev.c
index a6c4c02..af54467 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -258,9 +258,10 @@ int qdev_simple_unplug_cb(DeviceState *dev)
way is somewhat unclean, and best avoided. */
void qdev_init_nofail(DeviceState *dev)
{
+ const char *typename = object_get_typename(OBJECT(dev));
+
if (qdev_init(dev) < 0) {
- error_report("Initialization of device %s failed",
- object_get_typename(OBJECT(dev)));
+ error_report("Initialization of device %s failed", typename);
exit(1);
}
}
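Review bot: Hoisting `typename` above the qdev_init() call fixes the read of the freed object, but the hunk gives no hint why the lookup moved, and the fix is only sound because the string object_get_typename() returns is not owned by dev (the commit message says qdev_init() frees the object on failure, so a name stored inside the object would still be a use-after-free at the error_report() call). A one-line comment above the declaration, e.g. `/* qdev_init() frees dev on failure, so fetch the type name first */`, would record that constraint and stop a later cleanup from folding the call back into error_report().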