yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-i386-Fix-arch_query_cpu_model_expansion-leak.patch

ae23c9
From 03f6fac8ac03d391fdbd7353ffd7c6eb1bd30bea Mon Sep 17 00:00:00 2001
ae23c9
From: Markus Armbruster <armbru@redhat.com>
ae23c9
Date: Fri, 31 Aug 2018 13:59:22 +0100
ae23c9
Subject: [PATCH 2/3] i386: Fix arch_query_cpu_model_expansion() leak
ae23c9
ae23c9
RH-Author: Markus Armbruster <armbru@redhat.com>
ae23c9
Message-id: <20180831135922.6073-3-armbru@redhat.com>
ae23c9
Patchwork-id: 81980
ae23c9
O-Subject: [qemu-kvm RHEL8/virt212 PATCH 2/2] i386: Fix arch_query_cpu_model_expansion() leak
ae23c9
Bugzilla: 1615717
ae23c9
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
ae23c9
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
ae23c9
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
ae23c9
ae23c9
From: Eduardo Habkost <ehabkost@redhat.com>
ae23c9
ae23c9
Reported by Coverity:
ae23c9
ae23c9
Error: RESOURCE_LEAK (CWE-772): [#def439]
ae23c9
qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from allocation function "qdict_new".
ae23c9
qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation function "g_malloc0".
ae23c9
qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" = "g_malloc0(4120UL)".
ae23c9
qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory "qdict".
ae23c9
qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage returned from "qdict_new()".
ae23c9
qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out of scope leaks the storage it points to.
ae23c9
ae23c9
This was introduced by commit b8097deb359b ("i386: Improve
ae23c9
query-cpu-model-expansion full mode").
ae23c9
ae23c9
The leak is only theoretical: if ret->model->props is set to
ae23c9
props, the qapi_free_CpuModelExpansionInfo() call will free props
ae23c9
too in case of errors.  The only way for this to not happen is if
ae23c9
we enter the default branch of the switch statement, which would
ae23c9
never happen because all CpuModelExpansionType values are being
ae23c9
handled.
ae23c9
ae23c9
It's still worth to change this to make the allocation logic
ae23c9
easier to follow and make the Coverity error go away.  To make
ae23c9
everything simpler, initialize ret->model and ret->model->props
ae23c9
earlier in the function.
ae23c9
ae23c9
While at it, remove redundant check for !prop because prop is
ae23c9
always initialized at the beginning of the function.
ae23c9
ae23c9
Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd
ae23c9
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
ae23c9
Message-Id: <20180816183509.8231-1-ehabkost@redhat.com>
ae23c9
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
ae23c9
(cherry picked from commit e38bf612477fca62b205ebd909b1372a7e45a8c0)
ae23c9
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
ae23c9
---
ae23c9
 target/i386/cpu.c | 9 +++------
ae23c9
 1 file changed, 3 insertions(+), 6 deletions(-)
ae23c9
ae23c9
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
ae23c9
index caab4e2..605d0fa 100644
ae23c9
--- a/target/i386/cpu.c
ae23c9
+++ b/target/i386/cpu.c
ae23c9
@@ -3727,6 +3727,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,
ae23c9
     }
ae23c9
 
ae23c9
     props = qdict_new();
ae23c9
+    ret->model = g_new0(CpuModelInfo, 1);
ae23c9
+    ret->model->props = QOBJECT(props);
ae23c9
+    ret->model->has_props = true;
ae23c9
 
ae23c9
     switch (type) {
ae23c9
     case CPU_MODEL_EXPANSION_TYPE_STATIC:
ae23c9
@@ -3747,15 +3750,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,
ae23c9
         goto out;
ae23c9
     }
ae23c9
 
ae23c9
-    if (!props) {
ae23c9
-        props = qdict_new();
ae23c9
-    }
ae23c9
     x86_cpu_to_dict(xc, props);
ae23c9
 
ae23c9
-    ret->model = g_new0(CpuModelInfo, 1);
ae23c9
     ret->model->name = g_strdup(base_name);
ae23c9
-    ret->model->props = QOBJECT(props);
ae23c9
-    ret->model->has_props = true;
ae23c9
 
ae23c9
 out:
ae23c9
     object_unref(OBJECT(xc));
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9