From 8ce8ccc2a22798a89bac06a37427c3a3cea91a62 Mon Sep 17 00:00:00 2001 From: "Dr. David Alan Gilbert" Date: Tue, 5 May 2020 16:35:54 +0100 Subject: [PATCH 3/9] tools/virtiofsd/passthrough_ll: Fix double close() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Dr. David Alan Gilbert Message-id: <20200505163600.22956-2-dgilbert@redhat.com> Patchwork-id: 96269 O-Subject: [RHEL-AV-8.2.1 qemu-kvm PATCH 1/7] tools/virtiofsd/passthrough_ll: Fix double close() Bugzilla: 1817445 RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Max Reitz RH-Acked-by: Philippe Mathieu-Daudé RH-Acked-by: Michael S. Tsirkin From: Philippe Mathieu-Daudé On success, the fdopendir() call closes fd. Later on the error path we try to close an already-closed fd. This can lead to use-after-free. Fix by only closing the fd if the fdopendir() call failed. Cc: qemu-stable@nongnu.org Fixes: b39bce121b (add dirp_map to hide lo_dirp pointers) Reported-by: Coverity (CID 1421933 USE_AFTER_FREE) Suggested-by: Peter Maydell Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20200321120654.7985-1-philmd@redhat.com> Reviewed-by: Stefan Hajnoczi Signed-off-by: Dr. David Alan Gilbert (cherry picked from commit e1cd92d95cd4f97b3464c4e08cd5b22bf5ca05cb) Signed-off-by: Danilo C. L. de Paula --- tools/virtiofsd/passthrough_ll.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 9cba3f1..50ff672 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -1524,8 +1524,7 @@ out_err: if (d) { if (d->dp) { closedir(d->dp); - } - if (fd != -1) { + } else if (fd != -1) { close(fd); } free(d); -- 1.8.3.1
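Review bot: the new `} else if (fd != -1) {` branch under `out_err:` is only correct because of an ownership rule that the code leaves implicit: once fdopendir() succeeds, the stream owns fd, and closedir(d->dp) is the only close needed. A one-line comment at that branch, or setting fd = -1 immediately after a successful fdopendir(), would make the rule explicit and keep a later edit from reintroducing the double close. Separately, close(fd) still sits inside `if (d) {`, so it is worth confirming that no path reaches out_err with d NULL and fd already open, since that case would leak the descriptor.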