qemu/util
Marc-André Lureau 64e16fbbf4 util: fix use-after-free in module_load_one
g_hash_table_add always retains ownership of the pointer passed in as
the key. Its return status merely indicates whether the added entry was
new, or replaced an existing entry. Thus key must never be freed after
this method returns.

Spotted by ASAN:

==2407186==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020003ac4f0 at pc 0x7ffff766659c bp 0x7fffffffd1d0 sp 0x7fffffffc980
READ of size 1 at 0x6020003ac4f0 thread T0
    #0 0x7ffff766659b  (/lib64/libasan.so.6+0x8a59b)
    #1 0x7ffff6bfa843 in g_str_equal ../glib/ghash.c:2303
    #2 0x7ffff6bf8167 in g_hash_table_lookup_node ../glib/ghash.c:493
    #3 0x7ffff6bf9b78 in g_hash_table_insert_internal ../glib/ghash.c:1598
    #4 0x7ffff6bf9c32 in g_hash_table_add ../glib/ghash.c:1689
    #5 0x5555596caad4 in module_load_one ../util/module.c:233
    #6 0x5555596ca949 in module_load_one ../util/module.c:225
    #7 0x5555596ca949 in module_load_one ../util/module.c:225
    #8 0x5555596cbdf4 in module_load_qom_all ../util/module.c:349

Typical C bug...

Fixes: 90629122d2 ("module: use g_hash_table_add()")
Cc: qemu-stable@nongnu.org
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210316134456.3243102-1-marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-04-01 15:27:44 +04:00
..
aio-posix.c qmp: Move dispatcher to a coroutine 2020-10-09 07:08:20 +02:00
aio-posix.h aio-posix: remove idle poll handlers to improve scalability 2020-03-09 16:45:16 +00:00
aio-wait.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
aio-win32.c qmp: fix aio_poll() assertion failure on Windows 2020-11-03 16:24:56 +01:00
aiocb.c block: move AioContext, QEMUTimer, main-loop to libqemuutil 2017-02-21 11:14:07 +00:00
async.c util/async: Add aio_co_reschedule_self() 2020-10-09 07:08:20 +02:00
atomic64.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
base64.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
bitmap.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
bitops.c avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
block-helpers.c block: move logical block size check function to a common utility function 2020-10-23 13:42:16 +01:00
block-helpers.h block: move logical block size check function to a common utility function 2020-10-23 13:42:16 +01:00
buffer.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
bufferiszero.c util/bufferiszero: improve avx2 accelerator 2020-04-01 14:24:03 -04:00
cacheflush.c util/cacheflush: Fix error generated by clang 2021-01-21 13:00:41 +01:00
cacheinfo.c util: Enhance flush_icache_range with separate data pointer 2021-01-07 05:09:41 -10:00
compatfd.c util/compatfd.c: Only include <sys/syscall.h> if CONFIG_SIGNALFD 2020-07-13 14:36:10 +01:00
coroutine-sigaltstack.c coroutine-sigaltstack: Add SIGUSR2 mutex 2021-01-26 14:36:37 +01:00
coroutine-ucontext.c Remove the CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE switch 2020-07-13 11:40:52 +02:00
coroutine-win32.c coroutine: add a macro for the coroutine stack size 2016-09-29 14:13:39 +02:00
crc32c.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
crc-ccitt.c util: Add CRC16 (CCITT) calculation routines 2021-01-24 20:10:54 +01:00
cutils.c utils: Work around mingw strto*l bug with 0x 2021-03-24 14:25:41 +00:00
dbus.c util: add dbus helper unit 2020-01-06 18:41:32 +04:00
drm.c util/drm: make portable by avoiding struct dirent d_type 2020-07-13 14:36:10 +01:00
envlist.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
error.c error: make Error **errp const where it is appropriate 2019-12-18 08:36:16 +01:00
event_notifier-posix.c event_notifier: Set ->initialized earlier in event_notifier_init() 2021-02-16 17:15:39 +01:00
event_notifier-win32.c Revert "qemu: add a cleanup callback function to EventNotifier" 2018-01-24 19:20:19 +02:00
fdmon-epoll.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
fdmon-io_uring.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
fdmon-poll.c fdmon-poll: reset npfd when upgrading to fdmon-epoll 2020-09-23 13:45:52 +01:00
fifo8.c utils/fifo8: change fatal errors from abort() to assert() 2021-02-07 20:38:20 +00:00
filemonitor-inotify.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
filemonitor-stub.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
getauxval.c util/getauxval: Porting to FreeBSD getauxval feature 2020-06-26 06:45:29 -04:00
guest-random.c replay: record and replay random number sources 2020-01-07 12:08:39 +01:00
hbitmap.c block/dirty-bitmap: improve _next_dirty_area API 2020-03-18 14:03:46 -04:00
hexdump.c util/hexdump: introduce qemu_hexdump_line() 2020-09-29 02:14:30 -04:00
host-utils.c host-utils: Implement unsigned quadword left/right shift and unit tests 2017-01-31 10:10:14 +11:00
id.c net: Use id_generate() in the network subsystem, too 2021-03-09 21:47:45 +01:00
iov.c util/iov: make qemu_iovec_init_extended() honest 2021-02-03 08:00:33 -06:00
iova-tree.c util: remove redundant include of glib.h and add osdep.h 2018-06-29 12:22:28 +01:00
keyval.c keyval: Use GString to accumulate value strings 2020-12-19 10:39:23 +01:00
lockcnt.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
log.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
main-loop.c qtest: delete superfluous inclusions of qtest.h 2021-03-09 06:03:53 +01:00
memfd.c linux-user: add memfd_create 2019-09-11 08:46:17 +02:00
meson.build migration: introduce UFFD-WP low-level interface helpers 2021-02-08 11:19:51 +00:00
mmap-alloc.c memory: alloc RAM from file at offset 2021-02-09 20:53:56 +00:00
module.c util: fix use-after-free in module_load_one 2021-04-01 15:27:44 +04:00
notify.c xen / notify: introduce a new XenWatchList abstraction 2019-09-24 12:18:47 +01:00
nvdimm-utils.c Clean up includes 2020-12-10 17:16:44 +01:00
osdep.c Pull request trivial patches 20200919 2020-09-22 15:42:23 +01:00
oslib-posix.c memory: alloc RAM from file at offset 2021-02-09 20:53:56 +00:00
oslib-win32.c util/oslib-win32: Fix _aligned_malloc() arguments order 2021-01-11 14:59:21 +01:00
pagesize.c util: move qemu_real_host_page_size/mask to osdep.h 2017-10-10 09:45:00 -07:00
path.c util/path: Do not cache all filenames at startup 2019-06-24 22:19:30 +02:00
qdist.c qdist: return "(empty)" instead of NULL when printing an empty dist 2016-08-03 18:44:56 +02:00
qemu-co-shared-resource.c util: introduce SharedResource 2019-10-28 11:22:31 +01:00
qemu-config.c qemu-config: add error propagation to qemu_config_parse 2021-03-06 11:41:54 +01:00
qemu-coroutine-io.c yield_until_fd_readable: make it work with any AioContect 2019-10-25 14:38:29 +02:00
qemu-coroutine-lock.c coroutine: let CoQueue wake up outside a coroutine 2020-11-04 08:02:24 +01:00
qemu-coroutine-sleep.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qemu-coroutine.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qemu-error.c error: rename error_with_timestamp to message_with_timestamp 2021-02-01 10:50:55 +00:00
qemu-openpty.c util/qemu-openpty.c: Don't assume pty.h is glibc-only 2020-07-13 14:36:09 +01:00
qemu-option.c qemu-option: do not suggest using the delay option 2021-03-06 11:42:57 +01:00
qemu-print.c monitor: Use getter/setter functions for cur_mon 2020-10-09 07:08:19 +02:00
qemu-progress.c util/: fix some comment spelling errors 2020-09-17 20:38:42 +02:00
qemu-sockets.c sockets: Make abstract UnixSocketAddress depend on CONFIG_LINUX 2020-11-03 13:17:25 +00:00
qemu-thread-common.h Clean up includes 2018-12-20 10:29:08 +01:00
qemu-thread-posix.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qemu-thread-win32.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qemu-timer-common.c semihosting: Implement SYS_ELAPSED and SYS_TICKFREQ 2021-01-18 10:05:06 +00:00
qemu-timer.c ppc patch queue for 2021-03-10 2021-03-12 11:30:55 +00:00
qht.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
qsp.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
range.c Don't talk about the LGPL if the file is licensed under the GPL 2019-01-30 10:51:20 +01:00
rcu.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
readline.c readline: Fix possible array index out of bounds in readline_hist_add() 2021-01-04 11:13:39 +00:00
selfmap.c linux-user: factor out reading of /proc/self/maps 2020-04-07 16:19:49 +01:00
stats64.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
sys_membarrier.c sys_membarrier: fix up include directives 2018-04-05 14:37:38 +02:00
systemd.c tools: Fix use of fcntl(F_SETFD) during socket activation 2020-05-04 14:54:35 -05:00
thread-pool.c lockable: replaced locks with lock guard macros where appropriate 2020-05-04 16:07:43 +01:00
throttle.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
timed-average.c Fix some typos found by codespell 2016-05-18 15:04:27 +03:00
trace-events migration: introduce UFFD-WP low-level interface helpers 2021-02-08 11:19:51 +00:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
unicode.c json: Reject invalid UTF-8 sequences 2018-08-24 20:26:37 +02:00
uri.c cutils: Provide strchrnul 2018-06-29 12:32:10 +02:00
userfaultfd.c migration: introduce UFFD-WP low-level interface helpers 2021-02-08 11:19:51 +00:00
uuid.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
vfio-helpers.c Pull request for 5.2 2020-11-23 13:03:13 +00:00
vhost-user-server.c util/vhost-user-server: move header to include/ 2020-10-23 13:42:16 +01:00
yank.c Introduce yank feature 2021-01-13 10:21:17 +01:00