Changeset
memory.c     | 2 +-
util/memfd.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
Git apply log
Switched to a new branch '1528877995-5043-1-git-send-email-dimastep@yandex-team.ru'
Applying: memfd: fix possible usage of the uninitialized file descriptor
Applying: memory: fix possible NULL pointer dereference
To https://github.com/patchew-project/qemu
 + 8d4cd93...2bc0048 patchew/1528877995-5043-1-git-send-email-dimastep@yandex-team.ru -> patchew/1528877995-5043-1-git-send-email-dimastep@yandex-team.ru (forced update)
Test passed: checkpatch
Test passed: docker-mingw@fedora
Test passed: docker-quick@centos7
Test passed: s390x

[Qemu-devel] [PATCH v2 0/2] misc fixes found by static analyzer
Posted by Dima Stepanov, 1 week ago
During the development process we used scan-build as static analyzer to
check the changes. There are some issues found. The patch set below is
to resolve issues found.

Changes v2:
 - remove one patch, since it was resolved by: 7eb24009

Dima Stepanov (2):
  memfd: fix possible usage of the uninitialized file descriptor
  memory: fix possible NULL pointer dereference

 memory.c     | 2 +-
 util/memfd.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

-- 
2.7.4


[Qemu-devel] [PATCH v2 1/2] memfd: fix possible usage of the uninitialized file descriptor
Posted by Dima Stepanov, 1 week ago
The qemu_memfd_alloc_check() routine allocates the fd variable on the stack.
This variable is initialized inside the qemu_memfd_alloc() function.
There are several cases when *fd will be left uninitialized, which can
lead to an unexpected close() in the qemu_memfd_free() call.

Set file descriptor to -1 before calling the qemu_memfd_alloc routine.

Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
---
 util/memfd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/memfd.c b/util/memfd.c
index d248a53..6287946 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -187,6 +187,7 @@ bool qemu_memfd_alloc_check(void)
         int fd;
         void *ptr;
 
+        fd = -1;
         ptr = qemu_memfd_alloc("test", 4096, 0, &fd, NULL);
         memfd_check = ptr ? MEMFD_OK : MEMFD_KO;
         qemu_memfd_free(ptr, 4096, fd);
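Review bot: the `fd = -1;` here fixes only this caller; the commit message says qemu_memfd_alloc() leaves *fd untouched on its failure paths, so every other caller that passes an uninitialised int has the same problem and gets no help from this hunk. Setting `*fd = -1` at the start of qemu_memfd_alloc() (or on each early return) fixes the contract for all callers at once, and this caller-side assignment can then stay as defence in depth. Minor style point: fold it into the declaration as `int fd = -1;` instead of a separate statement after `void *ptr;`.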
-- 
2.7.4
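The failure mode the commit message describes, as an added C example (not QEMU code and not from the patch author): a small allocate/free pair with the same contract, an fd out-parameter that is written only on success and a free routine that skips close() when fd is -1, exercised once with the fd slot "uninitialised", once with the caller's `fd = -1` from the patch, and once with the sentinel set inside the allocator instead. demo_alloc(), demo_alloc_hardened(), demo_free() and the pipe used as the unrelated victim descriptor are assumptions made for the demonstration; real stack garbage is simulated by pre-loading the slot, since reading an uninitialised int is undefined behaviour and not reproducible.

```c
/*
 * Added example, not QEMU code.  demo_alloc()/demo_free() follow the contract
 * the commit message describes: *fd is written only on success, and free
 * skips close() when fd == -1.  The "victim" pipe stands in for whatever
 * descriptor the stale stack value happens to name.  All names are assumed.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Like the described qemu_memfd_alloc(): *fd is written only on success. */
static void *demo_alloc(size_t size, int *fd, int force_fail)
{
    char tmpl[] = "/tmp/memfd-demo-XXXXXX";
    int mfd;
    void *ptr;

    if (force_fail) {
        return NULL;                 /* early failure: *fd left untouched */
    }
    mfd = mkstemp(tmpl);
    if (mfd == -1) {
        return NULL;
    }
    unlink(tmpl);
    if (ftruncate(mfd, (off_t)size) == -1) {
        close(mfd);
        return NULL;
    }
    ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0);
    if (ptr == MAP_FAILED) {
        close(mfd);
        return NULL;
    }
    *fd = mfd;
    return ptr;
}

/* Hardened variant: the callee owns the sentinel, so every caller is safe. */
static void *demo_alloc_hardened(size_t size, int *fd, int force_fail)
{
    *fd = -1;
    return demo_alloc(size, fd, force_fail);
}

/* Like the described qemu_memfd_free(): -1 means "nothing to close". */
static void demo_free(void *ptr, size_t size, int fd)
{
    if (ptr) {
        munmap(ptr, size);
    }
    if (fd != -1) {
        close(fd);
    }
}

/*
 * Run a failing allocation and report whether an unrelated descriptor (one
 * end of a pipe) survived demo_free().  mode 0: fd never initialised, the
 * slot is pre-loaded with the victim's number to simulate stack garbage;
 * mode 1: caller sets fd = -1 (what the patch does); mode 2: allocator sets
 * *fd = -1 on entry.  Returns 1 if the victim survived, 0 if it was closed,
 * -1 on setup error.
 */
static int victim_survives(int mode)
{
    int pipefd[2];
    int fd;
    void *ptr;
    int alive;

    if (pipe(pipefd) == -1) {
        return -1;
    }
    fd = (mode == 1) ? -1 : pipefd[0];   /* modes 0 and 2: "garbage" names the victim */
    if (mode == 2) {
        ptr = demo_alloc_hardened(4096, &fd, 1);
    } else {
        ptr = demo_alloc(4096, &fd, 1);
    }
    demo_free(ptr, 4096, fd);

    alive = fcntl(pipefd[0], F_GETFD) != -1;   /* closed descriptors fail with EBADF */
    if (alive) {
        close(pipefd[0]);
    }
    close(pipefd[1]);
    return alive;
}

/* Success path: the mapping is usable and demo_free() closes the descriptor. */
static int roundtrip_ok(void)
{
    int fd = -1;
    void *ptr = demo_alloc(4096, &fd, 0);

    if (!ptr || fd < 0) {
        return 0;
    }
    memcpy(ptr, "ok", 3);
    demo_free(ptr, 4096, fd);
    return fcntl(fd, F_GETFD) == -1;
}

int main(void)
{
    printf("uninitialised fd : victim %s\n", victim_survives(0) ? "survived" : "closed");
    printf("caller fd = -1   : victim %s\n", victim_survives(1) ? "survived" : "closed");
    printf("callee *fd = -1  : victim %s\n", victim_survives(2) ? "survived" : "closed");
    printf("success path     : %s\n", roundtrip_ok() ? "ok" : "broken");
    return 0;
}
```

Mode 0 is the bug: the failed allocation never writes fd, demo_free() sees a plausible descriptor number and closes a descriptor that belongs to someone else. Mode 1 is the patch's caller-side fix; mode 2 shows the callee-side alternative that protects callers which forget the initialisation.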


Re: [Qemu-devel] [PATCH v2 1/2] memfd: fix possible usage of the uninitialized file descriptor
Posted by Marc-André Lureau, 1 week ago
On Wed, Jun 13, 2018 at 10:19 AM, Dima Stepanov <dimastep@yandex-team.ru> wrote:
> The qemu_memfd_alloc_check() routine allocates the fd variable on the stack.
> This variable is initialized inside the qemu_memfd_alloc() function.
> There are several cases when *fd will be left uninitialized, which can
> lead to an unexpected close() in the qemu_memfd_free() call.
>
> Set file descriptor to -1 before calling the qemu_memfd_alloc routine.
>
> Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  util/memfd.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/util/memfd.c b/util/memfd.c
> index d248a53..6287946 100644
> --- a/util/memfd.c
> +++ b/util/memfd.c
> @@ -187,6 +187,7 @@ bool qemu_memfd_alloc_check(void)
>          int fd;
>          void *ptr;
>
> +        fd = -1;
>          ptr = qemu_memfd_alloc("test", 4096, 0, &fd, NULL);
>          memfd_check = ptr ? MEMFD_OK : MEMFD_KO;
>          qemu_memfd_free(ptr, 4096, fd);
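Review bot: the hunk is only safe because qemu_memfd_free() treats -1 as "nothing to close", a convention this diff does not show; the commit message should state that explicitly, since the obvious alternative, `fd = 0;`, names a valid descriptor (stdin) and would get closed on the failure path. A reader of the hunk alone cannot tell why -1 is the right sentinel.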
> --
> 2.7.4
>
>



-- 
Marc-André Lureau

[Qemu-devel] [PATCH v2 2/2] memory: fix possible NULL pointer dereference
Posted by Dima Stepanov, 1 week ago
In the memory_region_do_invalidate_mmio_ptr() routine the section
variable is initialized by the memory_region_find() call. The section.mr
field can be set to NULL.

Add the check for NULL before trying to drop a section.

Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
---
 memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/memory.c b/memory.c
index 3212acc..bb45248 100644
--- a/memory.c
+++ b/memory.c
@@ -2712,7 +2712,7 @@ static void memory_region_do_invalidate_mmio_ptr(CPUState *cpu,
     /* Reset dirty so this doesn't happen later. */
     cpu_physical_memory_test_and_clear_dirty(offset, size, 1);
 
-    if (section.mr != mr) {
+    if (section.mr && (section.mr != mr)) {
         /* memory_region_find add a ref on section.mr */
         memory_region_unref(section.mr);
         if (MMIO_INTERFACE(section.mr->owner)) {
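Review bot: the NULL guard is right, but the two context lines that follow have their own ordering problem: memory_region_unref(section.mr) drops the reference that memory_region_find() took, and the very next line reads section.mr->owner. If that was the last reference, the owner can be released before it is read. Read the owner into a local before the unref, or move the unref below the MMIO_INTERFACE() block, so this fix does not leave a second lifetime bug in the same four lines.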
-- 
2.7.4


Re: [Qemu-devel] [PATCH v2 2/2] memory: fix possible NULL pointer dereference
Posted by Dima Stepanov, 5 days ago
Ping. I believe I forgot to add the maintainer to CC.

+ pbonzini@redhat.com

Regards, Dima.

On Wed, Jun 13, 2018 at 11:19:55AM +0300, Dima Stepanov wrote:
> In the memory_region_do_invalidate_mmio_ptr() routine the section
> variable is initialized by the memory_region_find() call. The section.mr
> field can be set to NULL.
> 
> Add the check for NULL before trying to drop a section.
> 
> Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
> ---
>  memory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/memory.c b/memory.c
> index 3212acc..bb45248 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -2712,7 +2712,7 @@ static void memory_region_do_invalidate_mmio_ptr(CPUState *cpu,
>      /* Reset dirty so this doesn't happen later. */
>      cpu_physical_memory_test_and_clear_dirty(offset, size, 1);
>  
> -    if (section.mr != mr) {
> +    if (section.mr && (section.mr != mr)) {
>          /* memory_region_find add a ref on section.mr */
>          memory_region_unref(section.mr);
>          if (MMIO_INTERFACE(section.mr->owner)) {
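Review bot: the new condition encodes a fact that only the commit message records (memory_region_find() returns a section whose mr is NULL when nothing is mapped at offset/size), so the next person simplifying this if has no way to know why the NULL test exists. Add a one-line comment above it, e.g. `/* section.mr is NULL when nothing is mapped at offset */`, next to the existing "memory_region_find add a ref" comment.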
> -- 
> 2.7.4
> 
>