From: Anthony Liguori <aliguori@us.ibm.com>
Date: Wed, 27 Jun 2012 12:37:54 +0000 (-0500)
Subject: qdev: fix use-after-free in the error path of qdev_init_nofail
X-Git-Tag: v1.1.2~68
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=36ed337845a00240c370bbea782f953a8110d0c0;p=thirdparty%2Fqemu.git

qdev: fix use-after-free in the error path of qdev_init_nofail

From Markus:

Before:

    $ qemu-system-x86_64 -display none -drive if=ide
    qemu-system-x86_64: Device needs media, but drive is empty
    qemu-system-x86_64: Initialization of device ide-hd failed
    [Exit 1 ]

After:

    $ qemu-system-x86_64 -display none -drive if=ide
    qemu-system-x86_64: Device needs media, but drive is empty
    Segmentation fault (core dumped)
    [Exit 139 (SIGSEGV)]

This error always existed as qdev_init() frees the object.  But QOM
goes a bit further and purposefully sets the class pointer to NULL to
help find use-after-free.  It worked :-)

Cc: Andreas Faerber <afaerber@suse.de>
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7de3abe505e34398cef5bddf6c4d0bd9ee47007f)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---

diff --git a/hw/qdev.c b/hw/qdev.c
index af419b9c131..8e8ca3ff9af 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -256,9 +256,10 @@ int qdev_simple_unplug_cb(DeviceState *dev)
    way is somewhat unclean, and best avoided.  */
 void qdev_init_nofail(DeviceState *dev)
 {
+    const char *typename = object_get_typename(OBJECT(dev));
+
     if (qdev_init(dev) < 0) {
-        error_report("Initialization of device %s failed",
-                     object_get_typename(OBJECT(dev)));
+        error_report("Initialization of device %s failed", typename);
         exit(1);
     }
 }