From 03f6fac8ac03d391fdbd7353ffd7c6eb1bd30bea Mon Sep 17 00:00:00 2001

From: Markus Armbruster <armbru@redhat.com>

Date: Fri, 31 Aug 2018 13:59:22 +0100

Subject: [PATCH 2/3] i386: Fix arch_query_cpu_model_expansion() leak

RH-Author: Markus Armbruster <armbru@redhat.com>

Message-id: <20180831135922.6073-3-armbru@redhat.com>

Patchwork-id: 81980

O-Subject: [qemu-kvm RHEL8/virt212 PATCH 2/2] i386: Fix arch_query_cpu_model_expansion() leak

Bugzilla: 1615717

RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>

RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

From: Eduardo Habkost <ehabkost@redhat.com>

Reported by Coverity:

Error: RESOURCE_LEAK (CWE-772): [#def439]

qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from allocation function "qdict_new".

qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation function "g_malloc0".

qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" = "g_malloc0(4120UL)".

qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory "qdict".

qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage returned from "qdict_new()".

qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out of scope leaks the storage it points to.

This was introduced by commit b8097deb359b ("i386: Improve

query-cpu-model-expansion full mode").

The leak is only theoretical: if ret->model->props is set to

props, the qapi_free_CpuModelExpansionInfo() call will free props

too in case of errors.  The only way for this to not happen is if

we enter the default branch of the switch statement, which would

never happen because all CpuModelExpansionType values are being

handled.

It's still worth to change this to make the allocation logic

easier to follow and make the Coverity error go away.  To make

everything simpler, initialize ret->model and ret->model->props

earlier in the function.

While at it, remove redundant check for !prop because prop is

always initialized at the beginning of the function.

Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

Message-Id: <20180816183509.8231-1-ehabkost@redhat.com>

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

(cherry picked from commit e38bf612477fca62b205ebd909b1372a7e45a8c0)

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 target/i386/cpu.c | 9 +++------

 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c

index caab4e2..605d0fa 100644

--- a/target/i386/cpu.c

+++ b/target/i386/cpu.c

@@ -3727,6 +3727,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,

     }

     props = qdict_new();

+    ret->model = g_new0(CpuModelInfo, 1);

+    ret->model->props = QOBJECT(props);

+    ret->model->has_props = true;

     switch (type) {

     case CPU_MODEL_EXPANSION_TYPE_STATIC:

@@ -3747,15 +3750,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,

         goto out;

     }

-    if (!props) {

-        props = qdict_new();

-    }

     x86_cpu_to_dict(xc, props);

-    ret->model = g_new0(CpuModelInfo, 1);

     ret->model->name = g_strdup(base_name);

-    ret->model->props = QOBJECT(props);

-    ret->model->has_props = true;

 out:

     object_unref(OBJECT(xc));

-- 

1.8.3.1