From: Michael S. Tsirkin
Subject: [PULL 32/53] vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
Date: Thu, 2 Mar 2023 03:26:07 -0500
From: Carlos López <clopez@suse.de>
In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned
to the caller, potentially leaking stack data or causing undefined
behavior.
Fix this by initializing len to 0.
Found with GCC 13 and -fanalyzer (abridged):
../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized
value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
538 | return len;
| ^~~
‘vhost_svq_poll’: events 1-4
|
| 522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
| | ^~~~~~~~~~~~~~
| | |
| | (1) entry to ‘vhost_svq_poll’
|......
| 525 | uint32_t len;
| | ~~~
| | |
| | (2) region created on stack here
| | (3) capacity: 4 bytes
|......
| 528 | if (vhost_svq_more_used(svq)) {
| | ~
| | |
| | (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
(...)
| 528 | if (vhost_svq_more_used(svq)) {
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(8) ...to here
| | (7) following ‘true’ branch...
|......
| 537 | vhost_svq_get_buf(svq, &len);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
|
+--> ‘vhost_svq_get_buf’: events 10-11
|
| 416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
| | ^~~~~~~~~~~~~~~~~
| | |
| | (10) entry to ‘vhost_svq_get_buf’
|......
| 423 | if (!vhost_svq_more_used(svq)) {
| | ~
| | |
| | (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
|
(...)
|
‘vhost_svq_get_buf’: event 14
|
| 423 | if (!vhost_svq_more_used(svq)) {
| | ^
| | |
| | (14) following ‘false’ branch...
|
‘vhost_svq_get_buf’: event 15
|
|cc1:
| (15): ...to here
|
<------+
|
‘vhost_svq_poll’: events 16-17
|
| 537 | vhost_svq_get_buf(svq, &len);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
| 538 | return len;
| | ~~~
| | |
| | (17) use of uninitialized value ‘len’ here
Note by Laurent Vivier <lvivier@redhat.com>:
The return value is only used to detect an error:
vhost_svq_poll
  vhost_vdpa_net_cvq_add
    vhost_vdpa_net_load_cmd
      vhost_vdpa_net_load_mac
      -> a negative return is only used to detect error
      vhost_vdpa_net_load_mq
      -> a negative return is only used to detect error
    vhost_vdpa_net_handle_ctrl_avail
    -> a negative return is only used to detect error
Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/vhost-shadow-virtqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
index 4307296358..515ccf870d 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq,
size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
{
int64_t start_us = g_get_monotonic_time();
- uint32_t len;
+ uint32_t len = 0;
do {
if (vhost_svq_more_used(svq)) {
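Review bot: `uint32_t len = 0;` silences the analyzer but the caller still cannot tell a failed vhost_svq_get_buf() from a legitimately zero-length used buffer, and since vhost_svq_poll() returns size_t there is no negative value to carry the error that Laurent's note says the callers further up look for. The return value of vhost_svq_get_buf() at line 537 of the trace is still discarded; consider checking it for NULL and returning 0 explicitly with a comment, or documenting that 0 from vhost_svq_poll() means "no buffer". This also fixes the symptom in one caller only: as the commit message states, vhost_svq_get_buf() itself leaves *len unwritten when the device provides invalid descriptors, so writing `*len = 0` at the top of that function (or on its failure path) would cover any other caller as well.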
--
MST
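Added example, not QEMU code and not part of this patch, modelling the failure mode the commit message describes. A toy shadow virtqueue receives a used-ring entry whose descriptor id is invalid; the svq_get_buf() counterpart returns failure on that path without writing its out-parameter, and three poll variants show what the caller sees before the patch (whatever the stack held, emulated here with a poison constant), after the patch (0), and with a stricter variant that returns a status so an error is distinguishable from a zero-length buffer. ToySvq, svq_get_buf, svq_poll_before/after/checked, make_svq, SVQ_SIZE and STALE_STACK are hypothetical names; the timeout loop of the real vhost_svq_poll() is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVQ_SIZE    8U
#define STALE_STACK 0xDEADBEEFU  /* stands in for whatever the stack held */

typedef struct { uint32_t id; uint32_t len; } UsedElem;

/* Hypothetical shadow-virtqueue state; not QEMU's VhostShadowVirtqueue. */
typedef struct {
    UsedElem used[SVQ_SIZE];      /* used ring, written by the untrusted device */
    size_t   used_idx;            /* entries the device has published */
    size_t   last_used;           /* entries this side has consumed */
    uint8_t  inflight[SVQ_SIZE];  /* 1 while a descriptor id is outstanding */
} ToySvq;

static int svq_more_used(const ToySvq *svq)
{
    return svq->last_used != svq->used_idx;
}

/* Same shape as vhost_svq_get_buf(): consume one used entry, validate the id
 * the device reported, and write *len only on success. On the failure path
 * *len is left untouched, which is the behaviour the patch works around. */
static int svq_get_buf(ToySvq *svq, uint32_t *len)
{
    UsedElem *e;

    if (!svq_more_used(svq)) {
        return 0;
    }
    e = &svq->used[svq->last_used % SVQ_SIZE];
    svq->last_used++;
    if (e->id >= SVQ_SIZE || !svq->inflight[e->id]) {
        return 0;                 /* invalid descriptor from the device */
    }
    svq->inflight[e->id] = 0;
    *len = e->len;
    return 1;
}

/* Caller as before the patch: nothing assigns len on the failure path, so the
 * stale stack value (emulated by STALE_STACK) is what the caller receives. */
static uint32_t svq_poll_before(ToySvq *svq)
{
    uint32_t len = STALE_STACK;
    svq_get_buf(svq, &len);
    return len;
}

/* Caller as after the patch: len = 0 pins the failure path to a defined 0. */
static uint32_t svq_poll_after(ToySvq *svq)
{
    uint32_t len = 0;
    svq_get_buf(svq, &len);
    return len;
}

/* Stricter variant: propagate the callee's status so a device error (-1) is
 * distinguishable from a legitimately zero-length used buffer (0). */
static int64_t svq_poll_checked(ToySvq *svq)
{
    uint32_t len = 0;
    if (!svq_get_buf(svq, &len)) {
        return -1;
    }
    return (int64_t)len;
}

/* Constructed scenario: descriptor id 3 is outstanding and the device has
 * published one used entry with the given id and length. */
static ToySvq make_svq(uint32_t reported_id, uint32_t reported_len)
{
    ToySvq svq;
    memset(&svq, 0, sizeof(svq));
    svq.inflight[3] = 1;
    svq.used[0].id = reported_id;
    svq.used[0].len = reported_len;
    svq.used_idx = 1;
    return svq;
}

static uint32_t run_before(uint32_t id, uint32_t len)  { ToySvq s = make_svq(id, len); return svq_poll_before(&s); }
static uint32_t run_after(uint32_t id, uint32_t len)   { ToySvq s = make_svq(id, len); return svq_poll_after(&s); }
static int64_t  run_checked(uint32_t id, uint32_t len) { ToySvq s = make_svq(id, len); return svq_poll_checked(&s); }

int main(void)
{
    printf("valid id 3:    before=%u after=%u checked=%lld\n",
           run_before(3, 1500), run_after(3, 1500), (long long)run_checked(3, 1500));
    printf("invalid id 42: before=0x%x after=%u checked=%lld\n",
           run_before(42, 1500), run_after(42, 1500), (long long)run_checked(42, 1500));
    return 0;
}
```

With a valid id all three variants return the device-reported length. With an invalid id the pre-patch caller returns the poison value, the patched caller returns 0, and only the checked variant reports an error; the patched caller also returns 0 for a genuine zero-length buffer, which is why the status-returning form is preferable when callers need to tell the two apart.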