[PATCH 41/47] libvhost-user: check for NULL when allocating a virtqueue
From: Michael Tokarev
Subject: [PATCH 41/47] libvhost-user: check for NULL when allocating a virtqueue element
Date: Wed, 8 Mar 2023 19:57:44 +0300
From: Carlos López <clopez@suse.de>
Check the return value for malloc(), avoiding a NULL pointer
dereference, and propagate error in function callers.
Found with GCC 13 and -fanalyzer:
../subprojects/libvhost-user/libvhost-user.c: In function ‘virtqueue_alloc_element’:
../subprojects/libvhost-user/libvhost-user.c:2556:19: error: dereference of possibly-NULL ‘elem’ [CWE-690] [-Werror=analyzer-possible-null-dereference]
2556 | elem->out_num = out_num;
| ~~~~~~~~~~~~~~^~~~~~~~~
‘virtqueue_alloc_element’: event 1
|
| 2554 | assert(sz >= sizeof(VuVirtqElement));
| | ^~~~~~
| | |
| | (1) following ‘true’ branch (when ‘sz > 31’)...
|
‘virtqueue_alloc_element’: events 2-4
|
| 2555 | elem = malloc(out_sg_end);
| | ^~~~ ~~~~~~~~~~~~~~~~~~
| | | |
| | | (3) this call could return NULL
| | (2) ...to here
| 2556 | elem->out_num = out_num;
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ‘elem’ could be NULL: unchecked value from (3)
|
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230210112514.16858-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9c1916057a8b14411116106e5a5c0c33d551cfeb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
subprojects/libvhost-user/libvhost-user.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/subprojects/libvhost-user/libvhost-user.c
b/subprojects/libvhost-user/libvhost-user.c
index d6ee6e7d91..b17e82b2b0 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -2547,6 +2547,10 @@ virtqueue_alloc_element(size_t sz,
assert(sz >= sizeof(VuVirtqElement));
elem = malloc(out_sg_end);
+ if (!elem) {
+ DPRINT("%s: failed to malloc virtqueue element\n", __func__);
+ return NULL;
+ }
elem->out_num = out_num;
elem->in_num = in_num;
elem->in_sg = (void *)elem + in_sg_ofs;
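Review bot: The new `if (!elem)` branch reports the failure only through DPRINT, which by its name is a debug print; if that macro is compiled out or gated on a debug flag, an out-of-memory condition here is silent in production builds. Consider an unconditional error report, or at least make sure the caller logs it. Since virtqueue_alloc_element() can now return NULL, that contract should also be stated in a comment above the function, and every caller needs the same check; this patch shows one caller being updated, so please confirm there are no others in the file.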
@@ -2633,6 +2637,9 @@ vu_queue_map_desc(VuDev *dev, VuVirtq *vq, unsigned int
idx, size_t sz)
/* Now copy what we have collected and mapped */
elem = virtqueue_alloc_element(sz, out_num, in_num);
+ if (!elem) {
+ return NULL;
+ }
elem->index = idx;
for (i = 0; i < out_num; i++) {
elem->out_sg[i] = iov[i];
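Review bot: The early `return NULL;` after virtqueue_alloc_element() sits below the comment "Now copy what we have collected and mapped", so by this point the function has already done mapping work for the descriptor chain. Please check that nothing set up earlier in vu_queue_map_desc() needs to be undone on this path, and that its callers treat a NULL return as a failure before they update any queue state. A NULL return also gives the caller no way to tell allocation failure from any other reason this function might return NULL; if such other cases exist, a short comment documenting what NULL means here would help.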
--
2.30.2