[Qemu-devel] [PATCH for 2.10 07/35] qcow2: fix null pointer dereference

Philippe Mathieu-Daudé posted 35 patches 8 years, 3 months ago
There is a newer version of this series
[Qemu-devel] [PATCH for 2.10 07/35] qcow2: fix null pointer dereference
Posted by Philippe Mathieu-Daudé 8 years, 3 months ago
If find_bitmap_by_name() fails we have bm=NULL and go to the 'fail' label, then
call bitmap_free(bm) which does g_free(bm->name) with bm=NULL...

Clang's scan-build-5.0 output:
block/qcow2-bitmap.c:492:12: warning: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'bm')
    g_free(bm->name);
           ^~~~~~~~

Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 block/qcow2-bitmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-bitmap.c b/block/qcow2-bitmap.c
index fe72df5057..2fd75781ce 100644
--- a/block/qcow2-bitmap.c
+++ b/block/qcow2-bitmap.c
@@ -1259,7 +1259,7 @@ void qcow2_remove_persistent_dirty_bitmap(BlockDriverState *bs,
 
     bm = find_bitmap_by_name(bm_list, name);
     if (bm == NULL) {
-        goto fail;
+        goto fail_list;
     }
 
     QSIMPLEQ_REMOVE(bm_list, bm, Qcow2Bitmap, entry);
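Review bot: redirecting the `bm == NULL` case to `fail_list` avoids the `bitmap_free(bm)` call on the one path where `bm` is known to be NULL, but it leaves `bitmap_free()` itself NULL-unsafe, since it still does `g_free(bm->name)` unconditionally; any other `goto fail` reached before `bm` is assigned would hit the same dereference. Consider additionally making `bitmap_free()` return early on a NULL argument (mirroring `g_free()`'s own NULL tolerance), or stating in the commit message that this is the only path that reaches `fail` with `bm == NULL`.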
@@ -1274,6 +1274,7 @@ void qcow2_remove_persistent_dirty_bitmap(BlockDriverState *bs,
 
 fail:
     bitmap_free(bm);
+fail_list:
     bitmap_list_free(bm_list);
 }
 
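Review bot: the fall-through from `fail:` into `fail_list:` is intentional and is what makes the first hunk correct, but two adjacent labels with no separator are easy to misread when the function is edited later; a one-line comment between `bitmap_free(bm);` and `fail_list:` (e.g. `/* fall through: bm_list still needs freeing */`) would document the ordering. On the `fail_list` path `bm_list` is the list that `find_bitmap_by_name()` was just called on, so `bitmap_list_free(bm_list)` is operating on a valid list there.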
-- 
2.13.3


Re: [Qemu-devel] [PATCH for 2.10 07/35] qcow2: fix null pointer dereference
Posted by Eric Blake 8 years, 3 months ago
On 07/24/2017 01:27 PM, Philippe Mathieu-Daudé wrote:
> If find_bitmap_by_name() fails we have bm=NULL and go to the 'fail' label, then
> call bitmap_free(bm) which does g_free(bm->name) with bm=NULL...
> 
> Clang's scan-build-5.0 output:
> block/qcow2-bitmap.c:492:12: warning: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'bm')
>     g_free(bm->name);
>            ^~~~~~~~
> 
> Reported-by: Clang Static Analyzer
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  block/qcow2-bitmap.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Max already has a better patch from Vladimir pending on his block queue:
https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg04398.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Re: [Qemu-devel] [PATCH for 2.10 07/35] qcow2: fix null pointer dereference
Posted by Philippe Mathieu-Daudé 8 years, 3 months ago
Hi Eric,

On 07/24/2017 03:46 PM, Eric Blake wrote:
> On 07/24/2017 01:27 PM, Philippe Mathieu-Daudé wrote:
>> If find_bitmap_by_name() fails we have bm=NULL and go to the 'fail' label, then
>> call bitmap_free(bm) which does g_free(bm->name) with bm=NULL...
>>
>> Clang's scan-build-5.0 output:
>> block/qcow2-bitmap.c:492:12: warning: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'bm')
>>      g_free(bm->name);
>>             ^~~~~~~~
>>
>> Reported-by: Clang Static Analyzer
>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>> ---
>>   block/qcow2-bitmap.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Max already has a better patch from Vladimir pending on his block queue:
> https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg04398.html

Oh I missed that.
I'm not sure it is "better", it may be safer though ;)

Patch dropped.

Regards,

Phil.