Re: [Qemu-devel] [PATCH v2] make check-unit: use after free in test-opts-visitor

2019-08-05 Thread Markus Armbruster
Andrey Shinkevich writes: > On 02/08/2019 14:34, Markus Armbruster wrote: >> Andrey Shinkevich writes: >> >>> In struct OptsVisitor, repeated_opts member points to a list in the >>> unprocessed_opts hash table after the list has been destroyed. A >>> subsequent call to visit_type_int() referenc

Re: [Qemu-devel] [PATCH v2] make check-unit: use after free in test-opts-visitor

2019-08-05 Thread Andrey Shinkevich
On 02/08/2019 14:34, Markus Armbruster wrote: > Andrey Shinkevich writes: > >> In struct OptsVisitor, repeated_opts member points to a list in the >> unprocessed_opts hash table after the list has been destroyed. A >> subsequent call to visit_type_int() references the deleted list. It >> result

Re: [Qemu-devel] [PATCH v2] make check-unit: use after free in test-opts-visitor

2019-08-02 Thread Markus Armbruster
Andrey Shinkevich writes: > In struct OptsVisitor, repeated_opts member points to a list in the > unprocessed_opts hash table after the list has been destroyed. A > subsequent call to visit_type_int() references the deleted list. It > results in a use-after-free issue. Let's mention the reproducer

[Qemu-devel] [PATCH v2] make check-unit: use after free in test-opts-visitor

2019-08-01 Thread Andrey Shinkevich
In struct OptsVisitor, repeated_opts member points to a list in the unprocessed_opts hash table after the list has been destroyed. A subsequent call to visit_type_int() references the deleted list. It results in a use-after-free issue. Also, the Visitor object callback functions are supposed to set