Commit d80cf1eb authored by Stephen Checkoway's avatar Stephen Checkoway Committed by Laurent Vivier

block/pflash_cfi02: Fix memory leak and potential use-after-free



Don't dynamically allocate the pflash's timer, but do call timer_del from
an unrealize function to make sure that the timer can't fire after the
pflash_t has been freed.

Signed-off-by: default avatarStephen Checkoway <stephen.checkoway@oberlin.edu>
Reviewed-by: default avatarPhilippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: default avatarWei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190219153727.62279-1-stephen.checkoway@oberlin.edu>
Signed-off-by: default avatarLaurent Vivier <laurent@vivier.eu>
parent 7d9b68ac
+11 −4
@@ -84,7 +84,7 @@ struct pflash_t {
    uint16_t unlock_addr0;
    uint16_t unlock_addr1;
    uint8_t cfi_table[0x52];
    QEMUTimer *timer;
    QEMUTimer timer;
    /* The device replicates the flash memory across its memory space.  Emulate
     * that by having a container (.mem) filled with an array of aliases
     * (.mem_mappings) pointing to the flash memory (.orig_mem).
@@ -429,7 +429,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
            }
            pfl->status = 0x00;
            /* Let's wait 5 seconds before chip erase is done */
            timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
            timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
                      (NANOSECONDS_PER_SECOND * 5));
            break;
        case 0x30:
@@ -444,7 +444,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
            }
            pfl->status = 0x00;
            /* Let's wait 1/2 second before sector erase is done */
            timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
            timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
                      (NANOSECONDS_PER_SECOND / 2));
            break;
        default:
@@ -596,7 +596,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
    pfl->rom_mode = 1;
    sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);

    pfl->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
    timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
    pfl->wcycle = 0;
    pfl->cmd = 0;
    pfl->status = 0;
@@ -695,11 +695,18 @@ static Property pflash_cfi02_properties[] = {
    DEFINE_PROP_END_OF_LIST(),
};

static void pflash_cfi02_unrealize(DeviceState *dev, Error **errp)
{
    pflash_t *pfl = CFI_PFLASH02(dev);
    timer_del(&pfl->timer);
}

static void pflash_cfi02_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->realize = pflash_cfi02_realize;
    dc->unrealize = pflash_cfi02_unrealize;
    dc->props = pflash_cfi02_properties;
    set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
}
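Review bot: pflash_cfi02_unrealize gives no hint why an embedded timer has to be deleted explicitly, which is the whole point of the commit; a comment above `timer_del(&pfl->timer);` such as `/* The timer lives inside pfl and is never freed on its own; remove it from the active timer list so it cannot fire after the device is finalized. */` would keep a later cleanup from dropping the call. The realize hunk deserves the matching note that `timer_init_ns` initialises the embedded timer in place, so nothing is allocated there and nothing needs freeing, only deleting. If a VMStateDescription elsewhere in the file still describes this field with VMSTATE_TIMER_PTR, the struct change in the first hunk would need a corresponding update; none is visible in these hunks, so this is only a check to run. The unused `errp` parameter of the new unrealize matches the DeviceClass unrealize signature used here and is fine to leave as is.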