| commit | 6061f16a8a119a46e61f2ddbabdb58f83e8857f7 | |
| author | Paolo Bonzini <pbonzini@redhat.com> | |
| Fri, 25 Nov 2011 11:06:22 +0000 (25 12:06 +0100) | ||
| committer | Justin M. Forbes <jforbes@redhat.com> | |
| Tue, 10 Jan 2012 19:36:27 +0000 (10 13:36 -0600) | ||
| tree | b053b6fdb0260d75bd00ebb7cf67a0cdec3160de | treesnapshot (tar.gz zip) |
| parent | 23201c64a789cf948fedcea221a4b6e197fcd628 | commitdiff |
qiov: prevent double free or use-after-free
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again. While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again. While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
| cutils.c | diffblobblamehistory |