mirror of https://github.com/xemu-project/xemu.git
843c4cfcf4
virtio_net_device_realize() rejects invalid duplex and speed values.
The error handling is broken:
$ ../qemu/bld-sani/x86_64-softmmu/qemu-system-x86_64 -S -display none -monitor stdio
QEMU 4.2.93 monitor - type 'help' for more information
(qemu) device_add virtio-net,duplex=x
Error: 'duplex' must be 'half' or 'full'
(qemu) c
=================================================================
==15654==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000014590 at pc 0x560b75c8dc13 bp 0x7fffdf1a6950 sp 0x7fffdf1a6940
READ of size 8 at 0x62e000014590 thread T0
#0 0x560b75c8dc12 in object_dynamic_cast_assert /work/armbru/qemu/qom/object.c:826
#1 0x560b74c38ac0 in virtio_vmstate_change /work/armbru/qemu/hw/virtio/virtio.c:3210
#2 0x560b74d9765e in vm_state_notify /work/armbru/qemu/softmmu/vl.c:1271
#3 0x560b7494ba72 in vm_prepare_start /work/armbru/qemu/cpus.c:2156
#4 0x560b7494bacd in vm_start /work/armbru/qemu/cpus.c:2162
#5 0x560b75a7d890 in qmp_cont /work/armbru/qemu/monitor/qmp-cmds.c:160
#6 0x560b75a8d70a in hmp_cont /work/armbru/qemu/monitor/hmp-cmds.c:1043
#7 0x560b75a799f2 in handle_hmp_command /work/armbru/qemu/monitor/hmp.c:1082
[...]
0x62e000014590 is located 33168 bytes inside of 42288-byte region [0x62e00000c400,0x62e000016930)
freed by thread T1 here:
#0 0x7feadd39491f in __interceptor_free (/lib64/libasan.so.5+0x10d91f)
#1 0x7feadcebcd7c in g_free (/lib64/libglib-2.0.so.0+0x55d7c)
#2 0x560b75c8fd40 in object_unref /work/armbru/qemu/qom/object.c:1128
#3 0x560b7498a625 in memory_region_unref /work/armbru/qemu/memory.c:1762
#4 0x560b74999fa4 in do_address_space_destroy /work/armbru/qemu/memory.c:2788
#5 0x560b762362fc in call_rcu_thread /work/armbru/qemu/util/rcu.c:283
#6 0x560b761c8884 in qemu_thread_start /work/armbru/qemu/util/qemu-thread-posix.c:519
#7 0x7fead9be34bf in start_thread (/lib64/libpthread.so.0+0x84bf)
previously allocated by thread T0 here:
#0 0x7feadd394d18 in __interceptor_malloc (/lib64/libasan.so.5+0x10dd18)
#1 0x7feadcebcc88 in g_malloc (/lib64/libglib-2.0.so.0+0x55c88)
#2 0x560b75c8cf8a in object_new /work/armbru/qemu/qom/object.c:699
#3 0x560b75010ad9 in qdev_device_add /work/armbru/qemu/qdev-monitor.c:654
#4 0x560b750120c2 in qmp_device_add /work/armbru/qemu/qdev-monitor.c:805
#5 0x560b75012c1b in hmp_device_add /work/armbru/qemu/qdev-monitor.c:905
[...]
==15654==ABORTING
Cause: virtio_net_device_realize() neglects to bail out after setting
the error. Fix that.
Fixes:
|
||
|---|---|---|
| .. | ||
| can | ||
| fsl_etsec | ||
| rocker | ||
| Kconfig | ||
| Makefile.objs | ||
| allwinner-sun8i-emac.c | ||
| allwinner_emac.c | ||
| cadence_gem.c | ||
| dp8393x.c | ||
| e1000.c | ||
| e1000_regs.h | ||
| e1000e.c | ||
| e1000e_core.c | ||
| e1000e_core.h | ||
| e1000x_common.c | ||
| e1000x_common.h | ||
| eepro100.c | ||
| etraxfs_eth.c | ||
| ftgmac100.c | ||
| i82596.c | ||
| i82596.h | ||
| imx_fec.c | ||
| lan9118.c | ||
| lance.c | ||
| lasi_i82596.c | ||
| mcf_fec.c | ||
| milkymist-minimac2.c | ||
| mipsnet.c | ||
| ne2000-isa.c | ||
| ne2000-pci.c | ||
| ne2000.c | ||
| ne2000.h | ||
| net_rx_pkt.c | ||
| net_rx_pkt.h | ||
| net_tx_pkt.c | ||
| net_tx_pkt.h | ||
| opencores_eth.c | ||
| pcnet-pci.c | ||
| pcnet.c | ||
| pcnet.h | ||
| rtl8139.c | ||
| smc91c111.c | ||
| spapr_llan.c | ||
| stellaris_enet.c | ||
| sungem.c | ||
| sunhme.c | ||
| trace-events | ||
| tulip.c | ||
| tulip.h | ||
| vhost_net-stub.c | ||
| vhost_net.c | ||
| virtio-net.c | ||
| vmware_utils.h | ||
| vmxnet3.c | ||
| vmxnet3.h | ||
| vmxnet3_defs.h | ||
| vmxnet_debug.h | ||
| xen_nic.c | ||
| xgmac.c | ||
| xilinx_axienet.c | ||
| xilinx_ethlite.c | ||