From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Eduardo Habkost
Date: Tue, 21 Aug 2018 19:02:02 +0200
Message-Id: <1534870966-9287-31-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1534870966-9287-1-git-send-email-pbonzini@redhat.com>
References: <1534870966-9287-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 30/74] i386: Fix arch_query_cpu_model_expansion() leak
From: Eduardo Habkost

Reported by Coverity:

  Error: RESOURCE_LEAK (CWE-772): [#def439]
  qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from allocation function "qdict_new".
  qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation function "g_malloc0".
  qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" = "g_malloc0(4120UL)".
  qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory "qdict".
  qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage returned from "qdict_new()".
  qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out of scope leaks the storage it points to.

This was introduced by commit b8097deb359b ("i386: Improve query-cpu-model-expansion full mode").

The leak is only theoretical: if ret->model->props is set to props, the qapi_free_CpuModelExpansionInfo() call will free props too in case of errors. The only way for this to not happen is if we enter the default branch of the switch statement, which would never happen because all CpuModelExpansionType values are being handled.

It's still worth changing this to make the allocation logic easier to follow and make the Coverity error go away. To make everything simpler, initialize ret->model and ret->model->props earlier in the function.

While at it, remove the redundant check for !props because props is always initialized at the beginning of the function.

Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd
Signed-off-by: Eduardo Habkost
Message-Id: <20180816183509.8231-1-ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini
---
 target/i386/cpu.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4e4fe8f..f24295e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3880,6 +3880,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType = type, } =20 props =3D qdict_new(); + ret->model =3D g_new0(CpuModelInfo, 1); + ret->model->props =3D QOBJECT(props); + ret->model->has_props =3D true; =20 switch (type) { case CPU_MODEL_EXPANSION_TYPE_STATIC: @@ -3900,15 +3903,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType= type, goto out; } =20 - if (!props) { - props =3D qdict_new(); - } x86_cpu_to_dict(xc, props); =20 - ret->model =3D g_new0(CpuModelInfo, 1); ret->model->name =3D g_strdup(base_name); - ret->model->props =3D QOBJECT(props); - ret->model->has_props =3D true; =20 out: object_unref(OBJECT(xc)); --=20 1.8.3.1
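Review bot: In the first hunk (the three lines added right after `props = qdict_new();`), ownership of `props` passes to `ret->model->props` the moment the dict exists, so releasing it on every path that reaches `out:` now depends entirely on the caller freeing `ret` with qapi_free_CpuModelExpansionInfo() on error, as the commit message describes. A one-line comment next to `ret->model->props = QOBJECT(props);` stating that the model owns `props` from this point would keep a later change from adding a `qobject_unref(props)` on an error path and double-freeing it.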
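Review bot: In the second hunk, `ret->model->name = g_strdup(base_name);` stays below the error `goto out;`, so on those paths the function now leaves behind a `ret->model` with `props` set and `has_props = true` but `name` still NULL, whereas before the change `ret->model` was not allocated at all on error. That is harmless for qapi_free_CpuModelExpansionInfo(), but the commit message should say so, since anything that looked at `ret->model` on the error path would now see a half-built object rather than NULL. Dropping the `if (!props)` block is correct: `props` is assigned unconditionally from `qdict_new()` above the switch, so that branch could never run.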
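The ownership reasoning in the commit message, as an added example that is not QEMU code: a toy refcounted dict stands in for QDict, `toy_info_free()` stands in for qapi_free_CpuModelExpansionInfo(), and `expand_before()`/`expand_after()` reproduce the shape of the function before and after the patch. All names are hypothetical, and an allocation counter makes the leak on the unhandled-type path measurable rather than theoretical.

```c
/*
 * Added example, not QEMU code: a toy model of the ownership pattern in
 * arch_query_cpu_model_expansion(). toy_dict stands in for QDict and
 * toy_info_free() for qapi_free_CpuModelExpansionInfo(); all names are
 * hypothetical. live_dicts counts dicts not yet freed, so a leak is visible.
 */
#include <stdlib.h>
#include <string.h>

static int live_dicts;                          /* toy_dict objects still alive */

typedef struct { int refcnt; int nkeys; } toy_dict;
typedef struct { const char *name; toy_dict *props; } toy_model;
typedef struct { toy_model *model; } toy_info;

static toy_dict *toy_dict_new(void)
{
    toy_dict *d = calloc(1, sizeof *d);         /* toy: allocation failure ignored */
    d->refcnt = 1;
    live_dicts++;
    return d;
}

static void toy_dict_unref(toy_dict *d)
{
    if (d && --d->refcnt == 0) { live_dicts--; free(d); }
}

/* Frees the whole tree, props included, like the QAPI-generated free. */
static void toy_info_free(toy_info *ret)
{
    if (ret && ret->model) {
        toy_dict_unref(ret->model->props);
        free(ret->model);
    }
    free(ret);
}

enum expansion { EXP_FULL, EXP_UNHANDLED /* reaches the default: branch */ };

/* Shape before the patch: props joins ret->model only on the success path,
 * so the early error return frees ret but orphans props. */
static toy_info *expand_before(enum expansion type, const char *base_name)
{
    toy_info *ret = calloc(1, sizeof *ret);
    toy_dict *props = toy_dict_new();
    switch (type) {
    case EXP_FULL:
        break;
    default:
        toy_info_free(ret);                     /* props leaks here */
        return NULL;
    }
    props->nkeys = 3;                           /* stands in for x86_cpu_to_dict() */
    ret->model = calloc(1, sizeof *ret->model);
    ret->model->name = base_name;
    ret->model->props = props;
    return ret;
}

/* Shape after the patch: props is handed to ret->model as soon as it exists,
 * so freeing ret on any path releases it too. */
static toy_info *expand_after(enum expansion type, const char *base_name)
{
    toy_info *ret = calloc(1, sizeof *ret);
    toy_dict *props = toy_dict_new();
    ret->model = calloc(1, sizeof *ret->model);
    ret->model->props = props;                  /* ownership moves to the model */
    switch (type) {
    case EXP_FULL:
        break;
    default:
        toy_info_free(ret);                     /* frees props as well */
        return NULL;
    }
    props->nkeys = 3;
    ret->model->name = base_name;
    return ret;
}

/* Drives one variant through the unhandled type; returns dicts leaked. */
static int leaked_dicts(toy_info *(*fn)(enum expansion, const char *))
{
    int before = live_dicts;
    toy_info_free(fn(EXP_UNHANDLED, "base"));
    return live_dicts - before;
}

/* Success path of one variant: model populated, nothing outstanding after free. */
static int success_path_ok(toy_info *(*fn)(enum expansion, const char *))
{
    int before = live_dicts;
    toy_info *r = fn(EXP_FULL, "base");
    int ok = r && r->model && r->model->props->nkeys == 3
             && strcmp(r->model->name, "base") == 0;
    toy_info_free(r);
    return ok && live_dicts == before;
}
```

`leaked_dicts(expand_before)` reports one orphaned dict on the unhandled-type path while `leaked_dicts(expand_after)` reports none, and both variants pass `success_path_ok()`; the point of the patch is exactly that moving the `ret->model->props = ...` assignment above the switch turns every `goto out` into a path that the single free of `ret` already covers.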