block: Fix use after free error in bdrv_open_inherit()

When a block device is opened with BDRV_O_SNAPSHOT and the bdrv_append_temp_snapshot() call fails then the error code path tries to unref the already destroyed 'options' QDict. This can be reproduced easily by setting TMPDIR to a location where the QEMU process can't write: $ TMPDIR=/nonexistent $QEMU -drive driver=null-co,snapshot=on Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
author: Alberto Garcia 2018-09-06 16:25:41 +0200
committer: Kevin Wolf 2018-09-25 15:50:15 +0200
commit: 8961be33e8ca7e809c603223803ea66ef7ea5be7 (patch)
tree: c665ac454c2a88464e16d06c67976636fbdc983c /block.c
parent: block/linux-aio: acquire AioContext before qemu_laio_process_completions (diff)
download: qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.tar.gz
qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.tar.xz
qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/block.c b/block.c
index 0dbb1fcc7b..a381c8ece8 100644
--- a/block.c
+++ b/block.c
@@ -2792,6 +2792,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
     bdrv_parent_cb_change_media(bs, true);
 
     qobject_unref(options);
+    options = NULL;
 
     /* For snapshot=on, create a temporary qcow2 overlay. bs points to the
      * temporary snapshot afterwards. */
author	Alberto Garcia	2018-09-06 16:25:41 +0200
committer	Kevin Wolf	2018-09-25 15:50:15 +0200
commit	8961be33e8ca7e809c603223803ea66ef7ea5be7 (patch)
tree	c665ac454c2a88464e16d06c67976636fbdc983c /block.c
parent	block/linux-aio: acquire AioContext before qemu_laio_process_completions (diff)
download	qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.tar.gz qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.tar.xz qemu-8961be33e8ca7e809c603223803ea66ef7ea5be7.zip