From patchwork Tue Jan 12 12:52:39 2016
X-Patchwork-Submitter: Wolfgang Bumiller
X-Patchwork-Id: 566546
From: Wolfgang Bumiller
To: Gerd Hoffmann
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org
Date: Tue, 12 Jan 2016 13:52:39 +0100
Message-Id: <1452603159-19782-1-git-send-email-w.bumiller@proxmox.com>
Subject: [Qemu-devel] [PATCH] vnc: clear vs->tlscreds after unparenting it

This pointer should be cleared in vnc_display_close(), otherwise a use-after-free can happen when using the old style 'x509' and 'tls' options rather than a persistent tls-creds -object, by issuing monitor commands to change the vnc server like so:

Start with:
    -vnc unix:test.socket,x509,tls

Then use the following monitor command:
    change vnc unix:test.socket

After this the pointer is still set but invalid and a crash can be triggered, for instance by issuing the same command a second time, which will try to object_unparent() the same pointer again.

Reviewed-by: Daniel P. Berrange
Signed-off-by: Wolfgang Bumiller
---
 ui/vnc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ui/vnc.c b/ui/vnc.c index 09756cd..35843b5 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3134,6 +3134,7 @@ static void vnc_display_close(VncDisplay *vs) vs->subauth = VNC_AUTH_INVALID; if (vs->tlscreds) { object_unparent(OBJECT(vs->tlscreds)); + vs->tlscreds = NULL; } g_free(vs->tlsaclname); vs->tlsaclname = NULL;
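Review bot: The added `vs->tlscreds = NULL;` inside the `if (vs->tlscreds)` block is the right fix and brings the field in line with the pattern already used two lines below for the ACL name (`g_free(vs->tlsaclname); vs->tlsaclname = NULL;`), so a repeated vnc_display_close() now takes the `if` branch as a no-op instead of calling object_unparent() on a pointer that was already released. Worth a quick look while here: `vs->subauth = VNC_AUTH_INVALID;` in the same context shows the function already resets the auth state, so the remaining question for the reviewer is whether any other object pointer released in this function is left dangling the same way; nothing else is visible in this hunk, so that is a follow-up check rather than a blocker.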
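The defect the patch closes is a classic dangling-pointer double release: the close path hands the credentials object back to the object model but keeps the stale address, so the next close repeats the release on freed memory. The following is an added, self-contained C illustration (not QEMU code, and not part of this patch) that models the before/after shape of vnc_display_close() with constructed stand-ins: FakeCreds and fake_unparent() replace the QOM object and object_unparent(), and a counter records a repeated release instead of touching freed memory so the effect can be observed deterministically.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the QOM credentials object. Real code would
 * free it in object_unparent(); here a flag records whether it is alive. */
typedef struct {
    int alive;
} FakeCreds;

/* Counters the test inspects: total release calls, and releases that hit
 * an object which was already released (the use-after-free case). */
static int g_release_calls = 0;
static int g_double_release = 0;

/* Stand-in for object_unparent(): a second call on the same object is the
 * bug the patch fixes. We record it rather than corrupt memory. */
static void fake_unparent(FakeCreds *c)
{
    g_release_calls++;
    if (!c->alive) {
        g_double_release++;
        return;
    }
    c->alive = 0;
}

/* Minimal stand-in for the VncDisplay fields involved. */
typedef struct {
    FakeCreds *tlscreds;
} FakeVncDisplay;

/* Pre-patch shape: releases the object but leaves the pointer dangling. */
static void display_close_buggy(FakeVncDisplay *vs)
{
    if (vs->tlscreds) {
        fake_unparent(vs->tlscreds);
        /* pointer intentionally not cleared: this is the defect */
    }
}

/* Post-patch shape: release, then clear, so a repeat close is a no-op. */
static void display_close_fixed(FakeVncDisplay *vs)
{
    if (vs->tlscreds) {
        fake_unparent(vs->tlscreds);
        vs->tlscreds = NULL;
    }
}

/* Model two successive "change vnc" monitor commands against one display
 * and return the number of double releases observed (0 means safe). */
static int simulate_two_closes(void (*close_fn)(FakeVncDisplay *))
{
    FakeCreds creds = { .alive = 1 };
    FakeVncDisplay vs = { .tlscreds = &creds };

    g_release_calls = 0;
    g_double_release = 0;

    close_fn(&vs);   /* first close: legitimate release */
    close_fn(&vs);   /* second close: only safe if the pointer was cleared */
    return g_double_release;
}

int main(void)
{
    printf("buggy close path: %d double release(s)\n",
           simulate_two_closes(display_close_buggy));
    printf("fixed close path: %d double release(s)\n",
           simulate_two_closes(display_close_fixed));
    return 0;
}
```

The fixed variant releases exactly once across both closes because the NULL check short-circuits the second call; the buggy variant reports one double release, which in the real code path is the crash the commit message describes.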