mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-31 06:15:24 +00:00
Code Issues Releases Wiki Activity

image: don't free an img object from pb_write_one()

Browse Source 
This is unexpected behaviour.
pb_write_one
  open_image_lazy
    do_open_image
      xfree(img)

255             if (pb_write_one(img, &cpu_info, PB_CPUINFO) < 0) {
>>> >>>     CID 92728:  Memory - illegal accesses  (USE_AFTER_FREE)
>>> >>>     Calling "close_image" dereferences freed pointer "img".
256                     close_image(img);
257                     return -1;
258             }

Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This commit is contained in:
Andrey Vagin
2015-05-01 16:03:00 +03:00
committed by Pavel Emelyanov
parent 281a0f9d20
commit af555618c6
1 changed files with 18 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
image.c
View File

@@ -212,7 +212,7 @@ struct cr_imgset *cr_glob_imgset_open(int mode)
return cr_imgset_open(-1 /* ignored */, GLOB, mode); return cr_imgset_open(-1 /* ignored */, GLOB, mode);
} }
static struct cr_img *do_open_image(struct cr_img *img, int dfd, int type, unsigned long flags, char *path); static int do_open_image(struct cr_img *img, int dfd, int type, unsigned long flags, char *path);
struct cr_img *open_image_at(int dfd, int type, unsigned long flags, ...) struct cr_img *open_image_at(int dfd, int type, unsigned long flags, ...)
{ {
@@ -243,9 +243,15 @@ struct cr_img *open_image_at(int dfd, int type, unsigned long flags, ...)
img->oflags = oflags; img->oflags = oflags;
img->path = xstrdup(path); img->path = xstrdup(path);
return img; return img;
} else
img->fd = EMPTY_IMG_FD;
if (do_open_image(img, dfd, type, oflags, path)) {
close_image(img);
return NULL;
} }
return do_open_image(img, dfd, type, oflags, path); return img;
} }
static inline u32 head_magic(int oflags) static inline u32 head_magic(int oflags)
@@ -291,7 +297,7 @@ static int img_write_magic(struct cr_img *img, int oflags, int type)
return write_img(img, &imgset_template[type].magic); return write_img(img, &imgset_template[type].magic);
} }
static struct cr_img *do_open_image(struct cr_img *img, int dfd, int type, unsigned long oflags, char *path) static int do_open_image(struct cr_img *img, int dfd, int type, unsigned long oflags, char *path)
{ {
int ret, flags; int ret, flags;
@@ -319,7 +325,7 @@ static struct cr_img *do_open_image(struct cr_img *img, int dfd, int type, unsig
ret = bfdopenw(&img->_x); ret = bfdopenw(&img->_x);
if (ret) if (ret)
goto err_close; goto err;
} }
if (imgset_template[type].magic == RAW_IMAGE_MAGIC) if (imgset_template[type].magic == RAW_IMAGE_MAGIC)
@@ -330,18 +336,13 @@ static struct cr_img *do_open_image(struct cr_img *img, int dfd, int type, unsig
else else
ret = img_write_magic(img, oflags, type); ret = img_write_magic(img, oflags, type);
if (ret) if (ret)
goto err_close; goto err;
skip_magic: skip_magic:
return img; return 0;
err: err:
xfree(img); return -1;
return NULL;
err_close:
close_image(img);
return NULL;
} }
int open_image_lazy(struct cr_img *img) int open_image_lazy(struct cr_img *img)
@@ -349,9 +350,13 @@ int open_image_lazy(struct cr_img *img)
int dfd; int dfd;
char *path = img->path; char *path = img->path;
img->path = NULL;
dfd = get_service_fd(IMG_FD_OFF); dfd = get_service_fd(IMG_FD_OFF);
if (do_open_image(img, dfd, img->type, img->oflags, path) == NULL) if (do_open_image(img, dfd, img->type, img->oflags, path)) {
xfree(path);
return -1; return -1;
}
xfree(path); xfree(path);
return 0; return 0;