Add missing return value checks to fix the following issues reported
by the static analyzer:

 - vah_add_file() call when adding render node path to the AppArmor
   profile (line 1029) was not checked, while there are examples with
   return code check throughout the code.

 - vah_add_file() call when adding default render node path (line 1037)
   had the same issue.

 - virDriverLoadModule() call when loading the storage driver (line 908)
   was not checked, while there are examples with return code check
   throughout the code.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
---
src/security/virt-aa-helper.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 067a17f331..07e5882237 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -905,7 +905,8 @@ get_files(vahControl * ctl)
/* load the storage driver so that backing store can be accessed */
#ifdef WITH_STORAGE
- virDriverLoadModule("storage", "storageRegister", false);
+ if (virDriverLoadModule("storage", "storageRegister", false) < 0)
+ goto cleanup;
#endif
for (i = 0; i < ctl->def->ndisks; i++) {
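Review bot: The new "goto cleanup" after virDriverLoadModule() turns a failure that was previously ignored into a hard stop for get_files(), before the disk loop that follows runs at all, and the commit message does not say that this change in behaviour is intended. The call passes false as its last argument and the comment describes it only as preparation "so that backing store can be accessed", so please explain in the commit message why aborting profile generation is preferred over continuing, and confirm that the value get_files() returns from the cleanup label is a failure at this point, which these lines do not show.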
@@ -1026,7 +1027,8 @@ get_files(vahControl * ctl)
const char *rendernode = virDomainGraphicsGetRenderNode(graphics);
if (rendernode) {
- vah_add_file(&buf, rendernode, "rw");
+ if (vah_add_file(&buf, rendernode, "rw") != 0)
+ goto cleanup;
needsgl = true;
} else {
if (virDomainGraphicsNeedsAutoRenderNode(graphics)) {
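Review bot: The check on vah_add_file(&buf, rendernode, "rw") is written as "!= 0" while the virDriverLoadModule() check in the first hunk is "< 0", and nothing in the patch or commit message says which return convention each function follows. Please use the same form as the already-checked vah_add_file() calls the commit message refers to, and say in the message whether a positive return is possible for either function, so a reader can tell the two comparisons are deliberate rather than accidental.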
@@ -1034,7 +1036,8 @@ get_files(vahControl * ctl)
needsgl = true;
if (defaultRenderNode) {
- vah_add_file(&buf, defaultRenderNode, "rw");
+ if (vah_add_file(&buf, defaultRenderNode, "rw") != 0)
+ goto cleanup;
VIR_FREE(defaultRenderNode);
}
}
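Review bot: The "goto cleanup" in the "if (defaultRenderNode)" branch is taken before VIR_FREE(defaultRenderNode) on the next line, so on the failure path the string is not freed here. Unless the cleanup label releases it, which these lines do not show, either free it before jumping or give the variable automatic cleanup so both paths are covered.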
--
2.34.1
On a Thursday in 2026, dmitry.lopatin@flant.com wrote:
>Sorry for the ping, I worry this patch was missed, because it's my first contribution and I've sent the patch without subscription and it was delayed.
>
Yeah, the setup is a bit unfortunate. You can sometimes check in the
archives if it made it through:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/
But there have also been situations when just the archives were broken.
On a Wednesday in 2026, Dmitry Lopatin wrote:
>Add missing return value checks to fix the following issues reported
>by the static analyzer:
>
> - vah_add_file() call when adding render node path to the AppArmor
> profile (line 1029) was not checked, while there are examples with
> return code check throughout the code.
>
> - vah_add_file() call when adding default render node path (line 1037)
> had the same issue.
>
> - virDriverLoadModule() call when loading the storage driver (line 908)
> was not checked, while there are examples with return code check
> throughout the code.
>
>Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
>---
> src/security/virt-aa-helper.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
The patch does not apply for me on current master,
please send patches against the current master branch.
>diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>index 067a17f331..07e5882237 100644
>--- a/src/security/virt-aa-helper.c
>+++ b/src/security/virt-aa-helper.c
>@@ -905,7 +905,8 @@ get_files(vahControl * ctl)
>
> /* load the storage driver so that backing store can be accessed */
> #ifdef WITH_STORAGE
>- virDriverLoadModule("storage", "storageRegister", false);
>+ if (virDriverLoadModule("storage", "storageRegister", false) < 0)
>+ goto cleanup;
> #endif
>
> for (i = 0; i < ctl->def->ndisks; i++) {
>@@ -1026,7 +1027,8 @@ get_files(vahControl * ctl)
> const char *rendernode = virDomainGraphicsGetRenderNode(graphics);
>
> if (rendernode) {
>- vah_add_file(&buf, rendernode, "rw");
>+ if (vah_add_file(&buf, rendernode, "rw") != 0)
>+ goto cleanup;
> needsgl = true;
> } else {
> if (virDomainGraphicsNeedsAutoRenderNode(graphics)) {
>@@ -1034,7 +1036,8 @@ get_files(vahControl * ctl)
> needsgl = true;
>
> if (defaultRenderNode) {
>- vah_add_file(&buf, defaultRenderNode, "rw");
>+ if (vah_add_file(&buf, defaultRenderNode, "rw") != 0)
>+ goto cleanup;
> VIR_FREE(defaultRenderNode);
> }
> }
These two vah_add_file calls are already checked since:
commit ecca0dded412c84c3c89f9e4f1d6f2c5c57b4174
Author: Michal Prívozník <mprivozn@redhat.com>
AuthorDate: 2025-06-11 13:59:49 +0200
Commit: Michal Prívozník <mprivozn@redhat.com>
CommitDate: 2025-07-02 13:54:30 +0200
virt-aa-helper: Check retval of vah_add_file()
Which was already released in libvirt 11.6.0
Jano