From nobody Wed Dec 17 21:52:44 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1602273363; cv=none; d=zohomail.com; s=zohoarc; b=elv5Mp5ClNetpg2gTvfX80qpPlbyrMn3w6Qfopxyds5hGQLz6VewCChCaTMw9sEyHxnMGk1hVmBe6Fnm7BacsZNZ16om1wzGdTat7Wn4G4xgU7s2KD2053b9s4vlPgSoY8EluxAONGrQ53XldV7Rhrk910yTzScGwxHBFRjonto= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1602273363; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=I+LTzTUIb2928C1uSf4ZQhp/G7K/O8pDRPsM875ErhY=; b=MkMWwnMxAZt9bF8QpLeD6lPOb0HzYltyvLJeDeD9eV0lbqfBI3da3rFMhdblVMA1w9AaQkHkxSeuv7SvQHznNeMaIqp9393oN8/lcyEQoG+lkN7QhKDxFNFGnCzQvHAhiMSakJkYjz8tFP7581HdvxGQUl0XO0czHx5aGRdfAbo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1602273363259680.4608982748812; Fri, 9 Oct 2020 12:56:03 -0700 (PDT) Received: from localhost ([::1]:39736 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kQyUj-0006aq-Vk for importer@patchew.org; Fri, 09 Oct 2020 15:56:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48060) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kQyCK-0001uz-AS for qemu-devel@nongnu.org; Fri, 09 Oct 2020 15:37:00 -0400 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:50379) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kQyCI-0002zn-6G for qemu-devel@nongnu.org; Fri, 09 Oct 2020 15:36:59 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-534-yZMAddtWMWmXaOOy1GgsGw-1; Fri, 09 Oct 2020 15:36:55 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 02B9157039; Fri, 9 Oct 2020 19:36:54 +0000 (UTC) Received: from localhost (ovpn-112-20.ams2.redhat.com [10.36.112.20]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9D4667EEB4; Fri, 9 Oct 2020 19:36:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602272217; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I+LTzTUIb2928C1uSf4ZQhp/G7K/O8pDRPsM875ErhY=; b=Vnjv9rkHOYQ0DGO4ToMkJR/VexMCQBD6et4cnVnp09kfg3oikIO5Znr8WCXaot5PCJpkgx 9ktSvpyYGhsLENElXTlt39uH8Ex0HyBFroFBOumoujfZyehNeTY5vhh8537Maea3wXF2g/ P6jRHNKUJTTK2BWl0/EGL0gFoSp6qO4= X-MC-Unique: yZMAddtWMWmXaOOy1GgsGw-1 From: Stefan Hajnoczi To: Peter Maydell , qemu-devel@nongnu.org Subject: [PULL 14/30] util/vhost-user-server: fix memory leak in vu_message_read() Date: Fri, 9 Oct 2020 20:35:13 +0100 Message-Id: <20201009193529.322822-15-stefanha@redhat.com> In-Reply-To: <20201009193529.322822-1-stefanha@redhat.com> References: <20201009193529.322822-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=stefanha@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=63.128.21.124; envelope-from=stefanha@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/09 02:34:40 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -3 X-Spam_score: -0.4 X-Spam_bar: / X-Spam_report: (-0.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_BASE64_TEXT=1.741, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Kevin Wolf , Thomas Huth , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Eduardo Habkost , qemu-block@nongnu.org, Markus Armbruster , "Dr. David Alan Gilbert" , Coiby Xu , Max Reitz , Stefan Hajnoczi , Cleber Rosa , Paolo Bonzini , Fam Zheng Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" fds[] is leaked when qio_channel_readv_full() fails. Use vmsg->fds[] instead of keeping a local fds[] array. Then we can reuse goto fail to clean up fds. vmsg->fd_num must be zeroed before the loop to make this safe. Signed-off-by: Stefan Hajnoczi Message-id: 20200924151549.913737-8-stefanha@redhat.com Signed-off-by: Stefan Hajnoczi --- util/vhost-user-server.c | 50 ++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c index 892815827d..5a60e2ca2a 100644 --- a/util/vhost-user-server.c +++ b/util/vhost-user-server.c @@ -100,21 +100,11 @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUser= Msg *vmsg) }; int rc, read_bytes =3D 0; Error *local_err =3D NULL; - /* - * Store fds/nfds returned from qio_channel_readv_full into - * temporary variables. - * - * VhostUserMsg is a packed structure, gcc will complain about passing - * pointer to a packed structure member if we pass &VhostUserMsg.fd_num - * and &VhostUserMsg.fds directly when calling qio_channel_readv_full, - * thus two temporary variables nfds and fds are used here. - */ - size_t nfds =3D 0, nfds_t =3D 0; const size_t max_fds =3D G_N_ELEMENTS(vmsg->fds); - int *fds_t =3D NULL; VuServer *server =3D container_of(vu_dev, VuServer, vu_dev); QIOChannel *ioc =3D server->ioc; =20 + vmsg->fd_num =3D 0; if (!ioc) { error_report_err(local_err); goto fail; @@ -122,41 +112,47 @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUser= Msg *vmsg) =20 assert(qemu_in_coroutine()); do { + size_t nfds =3D 0; + int *fds =3D NULL; + /* * qio_channel_readv_full may have short reads, keeping calling it * until getting VHOST_USER_HDR_SIZE or 0 bytes in total */ - rc =3D qio_channel_readv_full(ioc, &iov, 1, &fds_t, &nfds_t, &loca= l_err); + rc =3D qio_channel_readv_full(ioc, &iov, 1, &fds, &nfds, &local_er= r); if (rc < 0) { if (rc =3D=3D QIO_CHANNEL_ERR_BLOCK) { + assert(local_err =3D=3D NULL); qio_channel_yield(ioc, G_IO_IN); continue; } else { error_report_err(local_err); - return false; + goto fail; } } - read_bytes +=3D rc; - if (nfds_t > 0) { - if (nfds + nfds_t > max_fds) { + + if (nfds > 0) { + if (vmsg->fd_num + nfds > max_fds) { error_report("A maximum of %zu fds are allowed, " "however got %lu fds now", - max_fds, nfds + nfds_t); + max_fds, vmsg->fd_num + nfds); + g_free(fds); goto fail; } - memcpy(vmsg->fds + nfds, fds_t, - nfds_t *sizeof(vmsg->fds[0])); - nfds +=3D nfds_t; - g_free(fds_t); + memcpy(vmsg->fds + vmsg->fd_num, fds, nfds * sizeof(vmsg->fds[= 0])); + vmsg->fd_num +=3D nfds; + g_free(fds); } - if (read_bytes =3D=3D VHOST_USER_HDR_SIZE || rc =3D=3D 0) { - break; + + if (rc =3D=3D 0) { /* socket closed */ + goto fail; } - iov.iov_base =3D (char *)vmsg + read_bytes; - iov.iov_len =3D VHOST_USER_HDR_SIZE - read_bytes; - } while (true); =20 - vmsg->fd_num =3D nfds; + iov.iov_base +=3D rc; + iov.iov_len -=3D rc; + read_bytes +=3D rc; + } while (read_bytes !=3D VHOST_USER_HDR_SIZE); + /* qio_channel_readv_full will make socket fds blocking, unblock them = */ vmsg_unblock_fds(vmsg); if (vmsg->size > sizeof(vmsg->payload)) { --=20 2.26.2