From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 30/74] i386: Fix arch_query_cpu_model_expansion() leak
Date: Tue, 21 Aug 2018 19:02:02 +0200
From: Eduardo Habkost <address@hidden>
Reported by Coverity:
Error: RESOURCE_LEAK (CWE-772): [#def439]
qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from
allocation function "qdict_new".
qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation
function "g_malloc0".
qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" =
"g_malloc0(4120UL)".
qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory
"qdict".
qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage
returned from "qdict_new()".
qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out
of scope leaks the storage it points to.
This was introduced by commit b8097deb359b ("i386: Improve
query-cpu-model-expansion full mode").
The leak is only theoretical: if ret->model->props is set to
props, the qapi_free_CpuModelExpansionInfo() call will free props
too in case of errors. The only way for this to not happen is if
we enter the default branch of the switch statement, which would
never happen because all CpuModelExpansionType values are being
handled.
It's still worth changing this to make the allocation logic
easier to follow and make the Coverity error go away. To make
everything simpler, initialize ret->model and ret->model->props
earlier in the function.
While at it, remove the redundant check for !props because props is
always initialized at the beginning of the function.
Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd
Signed-off-by: Eduardo Habkost <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
target/i386/cpu.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4e4fe8f..f24295e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3880,6 +3880,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType type,
}
props = qdict_new();
+ ret->model = g_new0(CpuModelInfo, 1);
+ ret->model->props = QOBJECT(props);
+ ret->model->has_props = true;
switch (type) {
case CPU_MODEL_EXPANSION_TYPE_STATIC:
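Review bot: moving the ret->model allocation and the props ownership transfer ahead of the switch means every `goto out` after this point, including the formerly unreachable default branch, now releases props through qapi_free_CpuModelExpansionInfo(); that is the intended fix, but it only holds if no error path between here and `out:` also does a direct qobject_unref(props), which would turn the leak into a double free. The visible lines show no such unref, so this looks correct; a one-line comment at `ret->model->props = QOBJECT(props);` noting that ret->model now owns props would make that invariant explicit for the next reader.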
@@ -3900,15 +3903,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType
type,
goto out;
}
- if (!props) {
- props = qdict_new();
- }
x86_cpu_to_dict(xc, props);
- ret->model = g_new0(CpuModelInfo, 1);
ret->model->name = g_strdup(base_name);
- ret->model->props = QOBJECT(props);
- ret->model->has_props = true;
out:
object_unref(OBJECT(xc));
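Review bot: dropping the `if (!props) { props = qdict_new(); }` block is correct, since props is assigned unconditionally from qdict_new() before the switch in the first hunk and is never reset to NULL in between, so the check was dead code rather than a second allocation path. After this change ret->model->name is the only field still populated on the success path while props and has_props are set up front; that split is fine, but it is worth stating in the commit message that name is intentionally left NULL on error paths so that callers of qapi_free_CpuModelExpansionInfo() are not surprised by a half-initialized model.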
--
1.8.3.1