qemu-e2k/hw/pci
Alex Kompel a023b7ac62 hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize
object_property_set_bool(OBJECT(dev), true, "realized", &err) in
pci_nic_init_nofail may release the object if device fails to
initialize which leads to use-after-free in error handling block.
qdev_init_nofail does the same thing while holding the reference.

(gdb) run -net nic
qemu-system-x86_64: failed to find romfile "efi-e1000.rom"

Program received signal SIGSEGV, Segmentation fault.
object_unparent (obj=0x7fffe96a0010) at qom/object.c:440
440     in qom/object.c
(gdb) bt
<nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>,
default_devaddr=<optimized out>) at hw/pci/pci.c:1812
pci_bus=0x5555567ed990) at hw/i386/pc.c:1634
pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e
"i440FX-pcihost") at hw/i386/pc_piix.c:241
out>, envp=<optimized out>) at vl.c:4481

Signed-off-by: Alex Kompel <barbos@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-01-20 10:58:26 +08:00
..
Makefile.objs pci-hotplug-old: Has been dead for five major releases, bury 2015-03-01 12:37:54 +01:00
msi.c pci: Convert msi_init() to Error and fix callers to check it 2016-07-05 13:14:41 +03:00
msix.c msix: make msix_clr_pending() visible for clients 2016-06-02 10:42:09 +08:00
pci_bridge.c Fix some typos found by codespell 2016-05-18 15:04:27 +03:00
pci_host.c pci: Clean up includes 2016-01-29 15:07:24 +00:00
pci-stub.c pci: Clean up includes 2016-01-29 15:07:24 +00:00
pci.c hw/pci: use-after-free in pci_nic_init_nofail when nic device fails to initialize 2017-01-20 10:58:26 +08:00
pcie_aer.c pcie_aer: support configurable AER capa version 2017-01-10 07:02:52 +02:00
pcie_host.c pci: Clean up includes 2016-01-29 15:07:24 +00:00
pcie_port.c pci: Clean up includes 2016-01-29 15:07:24 +00:00
pcie.c virtio-pci: address space translation service (ATS) support 2017-01-10 05:56:59 +02:00
shpc.c include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
slotid_cap.c pci: Clean up includes 2016-01-29 15:07:24 +00:00
trace-events trace-events: fix first line comment in trace-events 2016-08-12 10:36:01 +01:00