From nobody Thu May  2 08:00:27 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=linaro.org
ARC-Seal: i=1; a=rsa-sha256; t=1554823213; cv=none;
	d=zoho.com; s=zohoarc;
	b=G8GeW31CkQyIeuyNuLO4X3IoJ0z0O6Mu8Cl56TmBZlxTX6nsLG4VYj+eHMyv/xr6w9cjhyBtJZZFe8I7D6jguswO6pbSMI/DaChMftW9l69WbvFGgnysPJryzqR50AJRpuHWQFhwcxHX4VEfPB4P2Ncrl1HR1esJzsIfXrwhmtE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
 s=zohoarc;
	t=1554823213;
 h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To:ARC-Authentication-Results;
	bh=gfY+dbclmdhipPDWOY/oT9Jrli1jXNhGCiG17GGu0/k=;
	b=lN5QvnXFDg7CszDSwXounHXCPbj4HlfGImGndQp7Wu9KzfKIqhTwoov8rU1z8K6142UbQcMcgIKGl4B0E+4CLa/zwKU44fyr1e2civNDDT/hlsKJq18etew15/zXaLqACw+RIR70HHodmoNyNpdgbZKBjK5Pp7YQTuc+tDiB1Dk=
ARC-Authentication-Results: i=1; mx.zoho.com;
	dkim=fail;
	spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail header.from=<peter.maydell@linaro.org> (p=none dis=none)
 header.from=<peter.maydell@linaro.org>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (209.51.188.17 [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1554823213054387.70312040004046;
 Tue, 9 Apr 2019 08:20:13 -0700 (PDT)
Received: from localhost ([127.0.0.1]:43206 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1hDsXe-0004G2-Op
	for importer@patchew.org; Tue, 09 Apr 2019 11:20:06 -0400
Received: from eggs.gnu.org ([209.51.188.92]:34256)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1hDsWQ-0003kU-Cj
	for qemu-devel@nongnu.org; Tue, 09 Apr 2019 11:18:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1hDsWE-00029E-SR
	for qemu-devel@nongnu.org; Tue, 09 Apr 2019 11:18:46 -0400
Received: from mail-wm1-x343.google.com ([2a00:1450:4864:20::343]:40215)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <peter.maydell@linaro.org>)
	id 1hDsWE-00021x-0A
	for qemu-devel@nongnu.org; Tue, 09 Apr 2019 11:18:38 -0400
Received: by mail-wm1-x343.google.com with SMTP id z24so3808238wmi.5
	for <qemu-devel@nongnu.org>; Tue, 09 Apr 2019 08:18:34 -0700 (PDT)
Received: from orth.archaic.org.uk (orth.archaic.org.uk. [81.2.115.148])
	by smtp.gmail.com with ESMTPSA id
	h10sm57912517wrs.27.2019.04.09.08.18.31
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 09 Apr 2019 08:18:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=gfY+dbclmdhipPDWOY/oT9Jrli1jXNhGCiG17GGu0/k=;
	b=ceLFGLTZ9LgUlV/M/7/l4HQDFn7IShrpXxJ2SNO4dMX350IngKaX6ijna34yAkMZQk
	rLTMrIXQkYzXkJWx5eTUkg7jYjEiEO8lnT+pXQFUrTXYRxFSg5xzgqH7jjWFGzwsL7WV
	7vq02g4Fh6Fq6GLajb1kwHYIR2U9aP2sQzLIPlnB6v+eRxd4f+v0e+InfllWgZy4sqOG
	/Y0a48NUZ/vhvX+QPf/+rgFWtHbTtE/AAvoj1KHITFgv2p+gMdO6WTLM6SZk+AO4wTeF
	K+kicrIcfBvdSg6YDUhRQyCJ4nWrWMjsZfGZsMzvt8zqFoLzmbooKnQbQcXIFOKtFOUh
	VuIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=gfY+dbclmdhipPDWOY/oT9Jrli1jXNhGCiG17GGu0/k=;
	b=eTcO/RXUSXH4Z3rq5+SXB/FlySf893hkJvuc5cbV9//zygdKPGb+5DcDHdhsLFub5F
	mv3YRsZqsp6lSzzX+PmzsY6sYriKimFHSlSAL/VS5KGF/wm+EhbHYGoqfggYWOEw0awn
	OlMLXMKdOk3rxKBvHp16L9oJwJiee4PatIVVk7XOudjXzYKtgJ+AYV1Hsw0aHVB9HcEG
	I4T0rG1kJHH91I/nW6l8gT1yhjxVDnyqaJMUo1lTfdMLgilyLZwGJaTwtS4V7edk4ze4
	JObJnwKaGw0oYaE5fqapnNck0GLDgr8rgifxthLoGF4ngQ3We7gKyrnwbCly89TXN3W4
	ezHw==
X-Gm-Message-State: APjAAAULyapDTuykK7QyP+QVvOz/3AWU3Z7D91J4z+1lxcyRKojVQl+Y
	jAixTpZOzHaYs9kGATM742AsF/v3mO0=
X-Google-Smtp-Source: 
 APXvYqx9qBEmrUU3EC6USfD8Sb5UErgy0hqOmWn148jx32D1U9vKiTIXeOU88KxtmfzIg4Qf7icRTA==
X-Received: by 2002:a1c:acc8:: with SMTP id
 v191mr23331531wme.72.1554823112702;
	Tue, 09 Apr 2019 08:18:32 -0700 (PDT)
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Date: Tue,  9 Apr 2019 16:18:30 +0100
Message-Id: <20190409151830.6024-1-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2a00:1450:4864:20::343
Subject: [Qemu-devel] [PATCH for-4.0] migration/ram.c: Fix use-after-free in
 multifd_recv_unfill_packet()
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Juan Quintela <quintela@redhat.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
Content-Type: text/plain; charset="utf-8"

Coverity points out (CID 1400442) that in this code:

    if (packet->pages_alloc > p->pages->allocated) {
        multifd_pages_clear(p->pages);
        multifd_pages_init(packet->pages_alloc);
    }

we free p->pages in multifd_pages_clear() but continue to
use it in the following code. We also leak memory, because
multifd_pages_init() returns the pointer to a new MultiFDPages_t
struct but we are ignoring its return value.

Fix both of these bugs by adding the missing assignment of
the newly created struct to p->pages.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
---
I don't know anything about the multifd code, but this seems like
the obvious fix based on looking at what the clear and init
functions are doing. I have only run 'make check' on this,
so review and testing definitely in order. I think we should
really put this into 4.0, which means ideally I'd like to
commit it to master today or tomorrow, though...
---
 migration/ram.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/migration/ram.c b/migration/ram.c
index f68beeeeffc..1ca9ba77b6a 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -851,7 +851,7 @@ static int multifd_recv_unfill_packet(MultiFDRecvParams=
 *p, Error **errp)
      */
     if (packet->pages_alloc > p->pages->allocated) {
         multifd_pages_clear(p->pages);
-        multifd_pages_init(packet->pages_alloc);
+        p->pages =3D multifd_pages_init(packet->pages_alloc);
     }
=20
     p->pages->used =3D be32_to_cpu(packet->pages_used);
--=20
2.20.1