From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Date: Tue, 24 Mar 2020 15:36:26 +0000 (+0300)
Subject: block/mirror: fix use after free of local_err
X-Git-Tag: v5.0.0-rc1~10^2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=66c8672d242e9a494216237648b7787649c2c970;p=thirdparty%2Fqemu.git

block/mirror: fix use after free of local_err

local_err is used again in mirror_exit_common() after
bdrv_set_backing_hd(), so we must zero it. Otherwise try to set
non-NULL local_err will crash.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200324153630.11882-3-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
---

diff --git a/block/mirror.c b/block/mirror.c
index 447051dbc69..6203e5946e8 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -678,6 +678,7 @@ static int mirror_exit_common(Job *job)
             bdrv_set_backing_hd(target_bs, backing, &local_err);
             if (local_err) {
                 error_report_err(local_err);
+                local_err = NULL;
                 ret = -EPERM;
             }
         }