From: Dima Stepanov
To: qemu-devel@nongnu.org
Cc: wrfsh@yandex-team.ru
Date: Wed, 13 Jun 2018 11:19:54 +0300
Message-Id: <1528877995-5043-2-git-send-email-dimastep@yandex-team.ru>
In-Reply-To: <1528877995-5043-1-git-send-email-dimastep@yandex-team.ru>
Subject: [Qemu-devel] [PATCH v2 1/2] memfd: fix possible usage of the uninitialized file descriptor

The qemu_memfd_alloc_check() routine allocates the fd variable on the stack. This variable is initialized inside the qemu_memfd_alloc() function. There are several cases when *fd will be left uninitialized, which can lead to an unexpected close() in the qemu_memfd_free() call. Set the file descriptor to -1 before calling the qemu_memfd_alloc routine.

Signed-off-by: Dima Stepanov
Reviewed-by: Marc-André Lureau
Reviewed-by: Thomas Huth
---
util/memfd.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/util/memfd.c b/util/memfd.c index d248a53..6287946 100644 --- a/util/memfd.c +++ b/util/memfd.c
@@ -187,6 +187,7 @@ bool qemu_memfd_alloc_check(void) int fd; void *ptr; =20 + fd =3D -1; ptr =3D qemu_memfd_alloc("test", 4096, 0, &fd, NULL); memfd_check =3D ptr ? MEMFD_OK : MEMFD_KO; qemu_memfd_free(ptr, 4096, fd); --=20 2.7.4
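Review bot: the added `fd = -1;` before the `qemu_memfd_alloc("test", 4096, 0, &fd, NULL)` call only protects this one caller, qemu_memfd_alloc_check(); the commit message says several paths inside qemu_memfd_alloc() leave *fd untouched, so any other caller that hands an uninitialized int to qemu_memfd_free() still risks a close() on whatever value happened to be on the stack, which can silently close an unrelated descriptor of the process. Consider also setting *fd = -1 at the top of qemu_memfd_alloc() (or on each early-return path) so the contract holds for every caller, and here fold the new statement into the declaration as `int fd = -1;` with a one-line comment explaining why, so the initialization cannot drift away from the variable it guards.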
From: Dima Stepanov
To: qemu-devel@nongnu.org
Cc: wrfsh@yandex-team.ru
Date: Wed, 13 Jun 2018 11:19:55 +0300
Message-Id: <1528877995-5043-3-git-send-email-dimastep@yandex-team.ru>
In-Reply-To: <1528877995-5043-1-git-send-email-dimastep@yandex-team.ru>
Subject: [Qemu-devel] [PATCH v2 2/2] memory: fix possible NULL pointer dereference

In the memory_region_do_invalidate_mmio_ptr() routine the section variable is initialized by the memory_region_find() call. The section.mr field can be set to NULL. Add the check for NULL before trying to drop a section.

Signed-off-by: Dima Stepanov
---
memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/memory.c b/memory.c index 3212acc..bb45248 100644 --- a/memory.c +++ b/memory.c
@@ -2712,7 +2712,7 @@ static void memory_region_do_invalidate_mmio_ptr(CPUS= tate *cpu, /* Reset dirty so this doesn't happen later. */ cpu_physical_memory_test_and_clear_dirty(offset, size, 1); =20 - if (section.mr !=3D mr) { + if (section.mr && (section.mr !=3D mr)) { /* memory_region_find add a ref on section.mr */ memory_region_unref(section.mr); if (MMIO_INTERFACE(section.mr->owner)) { --=20 2.7.4
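Review bot: the new condition `if (section.mr && (section.mr != mr))` does stop the dereference in `MMIO_INTERFACE(section.mr->owner)`, and skipping memory_region_unref() when section.mr is NULL is consistent with the comment that memory_region_find() took the ref on section.mr, since no ref exists in that case; but the commit message only states that section.mr "can be set to NULL" without saying when memory_region_find() yields such a section or how this invalidation path reaches it, so please add that reasoning, and say whether arriving here with no region found is benign enough to skip silently or deserves a trace point, so reviewers can judge whether skipping is the right fix or the condition should be caught earlier. Style nit: the inner parentheses around `section.mr != mr` are redundant. Also, unlike 1/2 this patch carries no Reviewed-by tag; note in the cover letter whether it changed since v1.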