|
|
1bdc94 |
From c8edc3f99b203feb6795d2d727c9b46058bcf3bd Mon Sep 17 00:00:00 2001
|
|
|
1bdc94 |
From: Markus Armbruster <armbru@redhat.com>
|
|
|
1bdc94 |
Date: Fri, 31 Aug 2018 14:24:59 +0200
|
|
|
1bdc94 |
Subject: [PATCH 08/29] i386: Fix arch_query_cpu_model_expansion() leak
|
|
|
1bdc94 |
|
|
|
1bdc94 |
RH-Author: Markus Armbruster <armbru@redhat.com>
|
|
|
1bdc94 |
Message-id: <20180831142459.18567-3-armbru@redhat.com>
|
|
|
1bdc94 |
Patchwork-id: 81985
|
|
|
1bdc94 |
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 2/2] i386: Fix arch_query_cpu_model_expansion() leak
|
|
|
1bdc94 |
Bugzilla: 1624390
|
|
|
1bdc94 |
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
1bdc94 |
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
1bdc94 |
RH-Acked-by: Auger Eric <eric.auger@redhat.com>
|
|
|
1bdc94 |
|
|
|
1bdc94 |
From: Eduardo Habkost <ehabkost@redhat.com>
|
|
|
1bdc94 |
|
|
|
1bdc94 |
Reported by Coverity:
|
|
|
1bdc94 |
|
|
|
1bdc94 |
Error: RESOURCE_LEAK (CWE-772): [#def439]
|
|
|
1bdc94 |
qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from allocation function "qdict_new".
|
|
|
1bdc94 |
qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation function "g_malloc0".
|
|
|
1bdc94 |
qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" = "g_malloc0(4120UL)".
|
|
|
1bdc94 |
qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory "qdict".
|
|
|
1bdc94 |
qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage returned from "qdict_new()".
|
|
|
1bdc94 |
qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out of scope leaks the storage it points to.
|
|
|
1bdc94 |
|
|
|
1bdc94 |
This was introduced by commit b8097deb359b ("i386: Improve
|
|
|
1bdc94 |
query-cpu-model-expansion full mode").
|
|
|
1bdc94 |
|
|
|
1bdc94 |
The leak is only theoretical: if ret->model->props is set to
|
|
|
1bdc94 |
props, the qapi_free_CpuModelExpansionInfo() call will free props
|
|
|
1bdc94 |
too in case of errors. The only way for this to not happen is if
|
|
|
1bdc94 |
we enter the default branch of the switch statement, which would
|
|
|
1bdc94 |
never happen because all CpuModelExpansionType values are being
|
|
|
1bdc94 |
handled.
|
|
|
1bdc94 |
|
|
|
1bdc94 |
It's still worth to change this to make the allocation logic
|
|
|
1bdc94 |
easier to follow and make the Coverity error go away. To make
|
|
|
1bdc94 |
everything simpler, initialize ret->model and ret->model->props
|
|
|
1bdc94 |
earlier in the function.
|
|
|
1bdc94 |
|
|
|
1bdc94 |
While at it, remove redundant check for !prop because prop is
|
|
|
1bdc94 |
always initialized at the beginning of the function.
|
|
|
1bdc94 |
|
|
|
1bdc94 |
Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd
|
|
|
1bdc94 |
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
|
1bdc94 |
Message-Id: <20180816183509.8231-1-ehabkost@redhat.com>
|
|
|
1bdc94 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
1bdc94 |
(cherry picked from commit e38bf612477fca62b205ebd909b1372a7e45a8c0)
|
|
|
1bdc94 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
1bdc94 |
---
|
|
|
1bdc94 |
target/i386/cpu.c | 9 +++------
|
|
|
1bdc94 |
1 file changed, 3 insertions(+), 6 deletions(-)
|
|
|
1bdc94 |
|
|
|
1bdc94 |
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
|
|
|
1bdc94 |
index e317aaf..6b5acdf 100644
|
|
|
1bdc94 |
--- a/target/i386/cpu.c
|
|
|
1bdc94 |
+++ b/target/i386/cpu.c
|
|
|
1bdc94 |
@@ -3733,6 +3733,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,
|
|
|
1bdc94 |
}
|
|
|
1bdc94 |
|
|
|
1bdc94 |
props = qdict_new();
|
|
|
1bdc94 |
+ ret->model = g_new0(CpuModelInfo, 1);
|
|
|
1bdc94 |
+ ret->model->props = QOBJECT(props);
|
|
|
1bdc94 |
+ ret->model->has_props = true;
|
|
|
1bdc94 |
|
|
|
1bdc94 |
switch (type) {
|
|
|
1bdc94 |
case CPU_MODEL_EXPANSION_TYPE_STATIC:
|
|
|
1bdc94 |
@@ -3753,15 +3756,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,
|
|
|
1bdc94 |
goto out;
|
|
|
1bdc94 |
}
|
|
|
1bdc94 |
|
|
|
1bdc94 |
- if (!props) {
|
|
|
1bdc94 |
- props = qdict_new();
|
|
|
1bdc94 |
- }
|
|
|
1bdc94 |
x86_cpu_to_dict(xc, props);
|
|
|
1bdc94 |
|
|
|
1bdc94 |
- ret->model = g_new0(CpuModelInfo, 1);
|
|
|
1bdc94 |
ret->model->name = g_strdup(base_name);
|
|
|
1bdc94 |
- ret->model->props = QOBJECT(props);
|
|
|
1bdc94 |
- ret->model->has_props = true;
|
|
|
1bdc94 |
|
|
|
1bdc94 |
out:
|
|
|
1bdc94 |
object_unref(OBJECT(xc));
|
|
|
1bdc94 |
--
|
|
|
1bdc94 |
1.8.3.1
|
|
|
1bdc94 |
|