From: Carlos López
To: qemu-devel@nongnu.org
Cc: Carlos López, "Michael S. Tsirkin"
Subject: [PATCH v2] vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
Date: Mon, 13 Feb 2023 09:57:47 +0100
Message-Id: <20230213085747.19956-1-clopez@suse.de>

In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned to
the caller, potentially leaking stack data or causing undefined
behavior. Fix this by initializing len to 0.
Found with GCC 13 and -fanalyzer (abridged):

../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  538 |     return len;
      |            ^~~
  ‘vhost_svq_poll’: events 1-4
    |
    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
    |      |        ^~~~~~~~~~~~~~
    |      |        |
    |      |        (1) entry to ‘vhost_svq_poll’
    |......
    |  525 |     uint32_t len;
    |      |              ~~~
    |      |              |
    |      |              (2) region created on stack here
    |      |              (3) capacity: 4 bytes
    |......
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |         ~
    |      |         |
    |      |         (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
    |
  (...)
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            ||
    |      |            |(8) ...to here
    |      |            (7) following ‘true’ branch...
    |......
    |  537 |             vhost_svq_get_buf(svq, &len);
    |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |             |
    |      |             (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
    |
    +--> ‘vhost_svq_get_buf’: events 10-11
           |
           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
           |      |                          ^~~~~~~~~~~~~~~~~
           |      |                          |
           |      |                          (10) entry to ‘vhost_svq_get_buf’
           |......
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |     ~
           |      |     |
           |      |     (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
           |
         (...)
           |
         ‘vhost_svq_get_buf’: event 14
           |
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |     ^
           |      |     |
           |      |     (14) following ‘false’ branch...
           |
         ‘vhost_svq_get_buf’: event 15
           |
           |cc1:
           | (15): ...to here
           |
    <------+
    |
  ‘vhost_svq_poll’: events 16-17
    |
    |  537 |             vhost_svq_get_buf(svq, &len);
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |             |
    |      |             (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
    |  538 |     return len;
    |      |            ~~~
    |      |            |
    |      |            (17) use of uninitialized value ‘len’ here
    |

Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López
---
v2: Added Fixes tag

 hw/virtio/vhost-shadow-virtqueue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-vi= rtqueue.c index 4307296358..515ccf870d 100644 --- a/hw/virtio/vhost-shadow-virtqueue.c +++ b/hw/virtio/vhost-shadow-virtqueue.c @@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq, size_t vhost_svq_poll(VhostShadowVirtqueue *svq) { int64_t start_us =3D g_get_monotonic_time(); - uint32_t len; + uint32_t len =3D 0; =20 do { if (vhost_svq_more_used(svq)) { --=20 2.35.3
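Review bot: `uint32_t len = 0;` gives the failure path a defined return value, but 0 is also a legitimate used-buffer length, so a caller of vhost_svq_poll() cannot tell "device handed back invalid descriptors" from "device wrote zero bytes"; the NULL return of `vhost_svq_get_buf(svq, &len);` at line 537 is what actually signals the failure and the hunk still discards it. Consider checking that return value in the loop (or at least stating in the commit message that callers must treat 0 as the error value) rather than relying on the initializer alone.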
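Added example, not from the patch or from QEMU: a reduced C model of the poll/get_buf pattern the commit message describes, showing why a get_buf that returns NULL without writing its out-parameter makes the initializer necessary. MockSvq, mock_get_buf, mock_poll and the demo_* helpers are hypothetical names standing in for the real functions in hw/virtio/vhost-shadow-virtqueue.c, and the used rings are constructed sample data.

```c
/* Added example, not QEMU code: a reduced model of the vhost_svq_poll() pattern
 * fixed by the patch. MockSvq, mock_get_buf, mock_poll and demo_* are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint32_t len;    /* bytes the device reports as written */
    bool valid;      /* false models a device handing back an invalid descriptor */
} MockUsedElem;

typedef struct {
    const MockUsedElem *used;   /* constructed used ring */
    size_t num_used, next;      /* ring size, next entry to consume */
} MockSvq;

static bool mock_more_used(const MockSvq *svq) { return svq->next < svq->num_used; }
/* Mirrors vhost_svq_get_buf(): on failure it returns NULL and never writes *len,
 * so an uninitialised len in the caller would stay garbage. */
static const MockUsedElem *mock_get_buf(MockSvq *svq, uint32_t *len)
{
    if (!mock_more_used(svq)) return NULL;
    const MockUsedElem *e = &svq->used[svq->next++];
    if (!e->valid) return NULL;      /* failure path: *len untouched */
    *len = e->len;
    return e;
}
/* Patched poll: len starts at 0, so the failure path returns a defined 0 instead
 * of stack contents (CWE-457). Dropping "= 0" recreates the bug traced above. */
size_t mock_poll(MockSvq *svq)
{
    uint32_t len = 0;
    if (mock_more_used(svq)) mock_get_buf(svq, &len);
    return len;
}

/* Constructed sample rings: an invalid descriptor, then a valid 1500-byte one. */
size_t demo_poll_invalid(void)
{
    static const MockUsedElem ring[] = { { 64, false } };
    MockSvq svq = { ring, 1, 0 };
    return mock_poll(&svq);          /* 0 */
}
size_t demo_poll_valid(void)
{
    static const MockUsedElem ring[] = { { 1500, true } };
    MockSvq svq = { ring, 1, 0 };
    return mock_poll(&svq);          /* 1500 */
}
```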