From: Eduardo Habkost
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Markus Armbruster, Eduardo Habkost, Igor Mammedov
Date: Thu, 16 Aug 2018 15:35:09 -0300
Message-Id: <20180816183509.8231-1-ehabkost@redhat.com>
Subject: [Qemu-devel] [PATCH] i386: Fix arch_query_cpu_model_expansion() leak

Reported by Coverity:

Error: RESOURCE_LEAK (CWE-772): [#def439]
qemu-2.12.0/target/i386/cpu.c:3179: alloc_fn: Storage is returned from allocation function "qdict_new".
qemu-2.12.0/qobject/qdict.c:34:5: alloc_fn: Storage is returned from allocation function "g_malloc0".
qemu-2.12.0/qobject/qdict.c:34:5: var_assign: Assigning: "qdict" = "g_malloc0(4120UL)".
qemu-2.12.0/qobject/qdict.c:37:5: return_alloc: Returning allocated memory "qdict".
qemu-2.12.0/target/i386/cpu.c:3179: var_assign: Assigning: "props" = storage returned from "qdict_new()".
qemu-2.12.0/target/i386/cpu.c:3217: leaked_storage: Variable "props" going out of scope leaks the storage it points to.

This was introduced by commit b8097deb359b ("i386: Improve query-cpu-model-expansion full mode").

The leak is only theoretical: if ret->model->props is set to props, the qapi_free_CpuModelExpansionInfo() call will free props too in case of errors.
The only way for this to not happen is if we enter the default branch of the switch statement, which would never happen because all CpuModelExpansionType values are being handled. It's still worth changing this to make the allocation logic easier to follow and make the Coverity error go away.

To make everything simpler, initialize ret->model and ret->model->props earlier in the function. While at it, remove the redundant check for !prop because prop is always initialized at the beginning of the function.

Fixes: b8097deb359bbbd92592b9670adfe9e245b2d0bd
Signed-off-by: Eduardo Habkost
---
 target/i386/cpu.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 723e02221e..e23c05c4e1 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3758,6 +3758,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType = type, } =20 props =3D qdict_new(); + ret->model =3D g_new0(CpuModelInfo, 1); + ret->model->props =3D QOBJECT(props); + ret->model->has_props =3D true; =20 switch (type) { case CPU_MODEL_EXPANSION_TYPE_STATIC: @@ -3778,15 +3781,9 @@ arch_query_cpu_model_expansion(CpuModelExpansionType= type, goto out; } =20 - if (!props) { - props =3D qdict_new(); - } x86_cpu_to_dict(xc, props); =20 - ret->model =3D g_new0(CpuModelInfo, 1); ret->model->name =3D g_strdup(base_name); - ret->model->props =3D QOBJECT(props); - ret->model->has_props =3D true; =20 out: object_unref(OBJECT(xc)); --=20 2.18.0.rc1.1.g3f1ff2140
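Review bot: In the first hunk, ownership of the freshly allocated QDict now passes to ret->model->props before the switch, so the function's error paths (the `goto out` visible in the second hunk and whatever follows `out:`) must release it only through the qapi_free_CpuModelExpansionInfo() call the commit message mentions and never unref props directly, or the fix trades a leak for a double free; a one-line comment at `ret->model->props = QOBJECT(props);` stating that ret owns props from here on would make that invariant explicit for future edits. Because g_new0() zero-fills the struct, ret->model->name being NULL until the second hunk assigns it is safe on those error paths.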
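Review bot: In the second hunk the removed condition is `if (!props)`, but the commit message describes it as a check for `!prop`; the variable name in the message should match the code. The removal itself is sound given the first hunk: props is assigned unconditionally from qdict_new() before the switch, so the NULL check was dead code, and dropping the late `ret->model = g_new0(...)` block avoids re-allocating a struct that is now created earlier.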