From d65be386e9b2e40c5d170c005f4c57bd489a8f13 Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Mon, 7 Aug 2023 16:54:24 +0800 Subject: [PATCH] QEMU update to version 6.2.0-77(master) - test-vmstate: fix bad GTree usage, use-after-free Signed-off-by: Jiabo Feng (cherry picked from commit bc91f4c9e3c038cc9a45957d6ec1db06cee9bbb9) --- qemu.spec | 6 +- ...e-fix-bad-GTree-usage-use-after-free.patch | 64 +++++++++++++++++++ 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 test-vmstate-fix-bad-GTree-usage-use-after-free.patch diff --git a/qemu.spec b/qemu.spec index c38b8900..1246a968 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 76 +Release: 77 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -530,6 +530,7 @@ Patch0515: hw-pci-bridge-pxb-Fix-missing-swizzle.patch Patch0516: ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch Patch0517: qga-win32-Remove-change-action-from-MSI-installer.patch Patch0518: qga-win32-Use-rundll-for-VSS-installation.patch +Patch0519: test-vmstate-fix-bad-GTree-usage-use-after-free.patch BuildRequires: flex BuildRequires: gcc @@ -1103,6 +1104,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Aug 7 2023 - 10:6.2.0-77 +- test-vmstate: fix bad GTree usage, use-after-free + * Fri Jul 28 2023 - 10:6.2.0-76 - qga/win32: Use rundll for VSS installation - qga/win32: Remove change action from MSI installer diff --git a/test-vmstate-fix-bad-GTree-usage-use-after-free.patch b/test-vmstate-fix-bad-GTree-usage-use-after-free.patch new file mode 100644 index 00000000..be6af283 --- /dev/null +++ b/test-vmstate-fix-bad-GTree-usage-use-after-free.patch 
@@ -0,0 +1,64 @@
+From 974fcc3a97148b1af3bebfaa6a72645837233489 Mon Sep 17 00:00:00 2001
+From: Eric Auger
+Date: Tue, 28 Feb 2023 10:29:44 +0100
+Subject: [PATCH] test-vmstate: fix bad GTree usage, use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to g_tree_foreach() documentation:
+"The tree may not be modified while iterating over it (you can't
+add/remove items)."
+
+compare_trees()/diff_tree() fail to respect this rule.
+Historically GLib2 used a slice allocator for the GTree APIs
+which did not immediately release the memory back to the system
+allocator. As a result QEMU's use-after-free bug was not visible.
+With GLib > 2.75.3 however, GLib2 has switched to using malloc
+and now a SIGSEGV can be observed while running test-vmstate.
+
+Get rid of the node removal within the tree traversal. Also
+check the trees have the same number of nodes before the actual
+diff.
+
+Fixes: 9a85e4b8f6 ("migration: Support gtree migration")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1518
+Signed-off-by: Marc-André Lureau
+Signed-off-by: Eric Auger
+Reported-by: Richard W.M. Jones
+Tested-by: Richard W.M. Jones
+Reviewed-by: Richard W.M. Jones
+Reviewed-by: Daniel P. Berrangé
+Reviewed-by: Juan Quintela
+Signed-off-by: Juan Quintela
+---
+ tests/unit/test-vmstate.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c
+index 4688c03ea7..ac47f0a44b 100644
+--- a/tests/unit/test-vmstate.c
++++ b/tests/unit/test-vmstate.c
+@@ -1076,7 +1076,6 @@ static gboolean diff_tree(gpointer key, gpointer value, gpointer data)
+ struct match_node_data d = {tp->tree2, key, value};
+
+ g_tree_foreach(tp->tree2, tp->match_node, &d);
+- g_tree_remove(tp->tree1, key);
+ return false;
+ }
+
+@@ -1085,9 +1084,9 @@ static void compare_trees(GTree *tree1, GTree *tree2,
+ {
+ struct tree_cmp_data tp = {tree1, tree2, function};
+
++ assert(g_tree_nnodes(tree1) == g_tree_nnodes(tree2));
+ g_tree_foreach(tree1, diff_tree, &tp);
+- assert(g_tree_nnodes(tree1) == 0);
+- assert(g_tree_nnodes(tree2) == 0);
++ g_tree_destroy(g_tree_ref(tree1));
+ }
+
+ static void diff_domain(TestGTreeDomain *d1, TestGTreeDomain *d2)
+--
+2.41.0.windows.1
+
-- Gitee
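Review bot: The backported change in the compare_trees hunk drops `assert(g_tree_nnodes(tree2) == 0)` without an equivalent post-traversal check, so a key present in tree1 but absent from tree2 no longer fails the test: the new equal-count assertion runs before the traversal and cannot see it, and since the removed assertion implies the match_node callback (outside the hunk) empties tree2 as entries are matched, an unmatched key now just leaves the loop silently. Re-adding `assert(g_tree_nnodes(tree2) == 0);` between `g_tree_foreach(tree1, diff_tree, &tp);` and `g_tree_destroy(g_tree_ref(tree1));` restores the lost coverage without reintroducing the modify-during-iteration bug, since tree1 is no longer touched while it is being walked. If match_node does remove the matched node from tree2 inside the inner g_tree_foreach, that is the same pattern the fix removes and is only safe because returning TRUE stops the traversal immediately; a one-line comment there would keep the next reader from "fixing" it into a second use-after-free. The compare_trees signature continues above the hunk, and as this is a verbatim upstream backport the follow-up belongs in a separate patch rather than an edit to this file.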