From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Max Reitz, Kevin Wolf, Johannes Schindelin, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH 1/4] block/vvfat: Fix leak of BDRVVVFATState::qcow_filename
Date: Fri, 30 Apr 2021 18:25:16 +0200
Message-Id: <20210430162519.271607-2-philmd@redhat.com>
In-Reply-To: <20210430162519.271607-1-philmd@redhat.com>

qcow_filename is allocated in enable_write_target(), called by
vvfat_open(), but never free'd. Free it in vvfat_close().

This fixes (QEMU built with --enable-sanitizers):

  Direct leak of 4096 byte(s) in 1 object(s) allocated from:
      #0 0x55d7a363773f in malloc (/mnt/scratch/qemu/sanitizer/qemu-system-x86_64+0x1dab73f)
      #1 0x7f55c6447958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
      #2 0x55d7a5e123aa in vvfat_open block/vvfat.c:1236:19
      #3 0x55d7a5a5363f in bdrv_open_driver block.c:1526:15
      #4 0x55d7a5a9d369 in bdrv_open_common block.c:1802:11
      #5 0x55d7a5a609f1 in bdrv_open_inherit block.c:3444:11
      #6 0x55d7a5a65411 in bdrv_open_child_bs block.c:3079:10
      #7 0x55d7a5a60079 in bdrv_open_inherit block.c:3391:19
      #8 0x55d7a5a65da3 in bdrv_open block.c:3537:12
      #9 0x55d7a5b33f6a in blk_new_open block/block-backend.c:421:10
      #10 0x55d7a5a0a33e in blockdev_init blockdev.c:610:15
      #11 0x55d7a5a088e7 in drive_new blockdev.c:994:11
      #12 0x55d7a51b10c4 in drive_init_func softmmu/vl.c:636:12
      #13 0x55d7a620e148 in qemu_opts_foreach util/qemu-option.c:1167:14
      #14 0x55d7a51b0e20 in configure_blockdev softmmu/vl.c:695:9
      #15 0x55d7a51a70b5 in qemu_create_early_backends softmmu/vl.c:1895:5
      #16 0x55d7a519bf87 in qemu_init softmmu/vl.c:3551:5
      #17 0x55d7a366f619 in main softmmu/main.c:49:5

Fixes: 8475ea48544 ("block/vvfat: Do not unref qcow on closing backing bdrv")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Stefano Garzarella
--- block/vvfat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block/vvfat.c b/block/vvfat.c index 54807f82ca1..5a4a7915220 100644 --- a/block/vvfat.c +++ b/block/vvfat.c
@@ -3233,6 +3233,7 @@ static void vvfat_close(BlockDriverState *bs) array_free(&(s->directory)); array_free(&(s->mapping)); g_free(s->cluster_buffer); + g_free(s->qcow_filename); =20 if (s->qcow) { migrate_del_blocker(s->migration_blocker); --=20 2.26.3
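
Review bot: the g_free(s->qcow_filename) added to vvfat_close() in [PATCH 1/4] covers only the normal teardown path. The commit message says the buffer is allocated in enable_write_target() during vvfat_open(), so if a later step of the open fails, vvfat_close() is presumably not reached and the 4096-byte buffer still leaks; please check the failure exits of enable_write_target() and vvfat_open() and free it there too, or say in the commit message that they are already covered. Setting s->qcow_filename to NULL after the free would also make any stale use fail on a NULL pointer instead of reading freed memory.
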
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Max Reitz, Kevin Wolf, Johannes Schindelin, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH 2/4] block/vvfat: Fix leak of BDRVVVFATState::used_clusters
Date: Fri, 30 Apr 2021 18:25:17 +0200
Message-Id: <20210430162519.271607-3-philmd@redhat.com>
In-Reply-To: <20210430162519.271607-1-philmd@redhat.com>

used_clusters is allocated in enable_write_target(), called by
vvfat_open(), but never free'd. Allocate it using GLib API, and
free it in vvfat_close().

This fixes (QEMU built with --enable-sanitizers):

  Direct leak of 64508 byte(s) in 1 object(s) allocated from:
      #0 0x55d7a36378f7 in calloc (qemu-system-x86_64+0x1dab8f7)
      #1 0x55d7a5e14246 in enable_write_target block/vvfat.c:3145:24
      #2 0x55d7a5e123aa in vvfat_open block/vvfat.c:1236:19
      #3 0x55d7a5a5363f in bdrv_open_driver block.c:1526:15
      #4 0x55d7a5a9d369 in bdrv_open_common block.c:1802:11
      #5 0x55d7a5a609f1 in bdrv_open_inherit block.c:3444:11
      #6 0x55d7a5a65411 in bdrv_open_child_bs block.c:3079:10
      #7 0x55d7a5a60079 in bdrv_open_inherit block.c:3391:19
      #8 0x55d7a5a65da3 in bdrv_open block.c:3537:12
      #9 0x55d7a5b33f6a in blk_new_open block/block-backend.c:421:10
      #10 0x55d7a5a0a33e in blockdev_init blockdev.c:610:15
      #11 0x55d7a5a088e7 in drive_new blockdev.c:994:11
      #12 0x55d7a51b10c4 in drive_init_func softmmu/vl.c:636:12
      #13 0x55d7a620e148 in qemu_opts_foreach util/qemu-option.c:1167:14
      #14 0x55d7a51b0e20 in configure_blockdev softmmu/vl.c:695:9
      #15 0x55d7a51a70b5 in qemu_create_early_backends softmmu/vl.c:1895:5
      #16 0x55d7a519bf87 in qemu_init softmmu/vl.c:3551:5
      #17 0x55d7a366f619 in main softmmu/main.c:49:5

Fixes: a046433a161 ("Major overhaul of the virtual FAT driver for read/write support")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Stefano Garzarella
--- block/vvfat.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/block/vvfat.c b/block/vvfat.c index 5a4a7915220..2cc21787600 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -3142,7 +3142,7 @@ static int enable_write_target(BlockDriverState *bs, = Error **errp) int size =3D sector2cluster(s, s->sector_count); QDict *options; =20 - s->used_clusters =3D calloc(size, 1); + s->used_clusters =3D g_malloc0(size); =20 array_init(&(s->commits), sizeof(commit_t)); =20
@@ -3233,6 +3233,7 @@ static void vvfat_close(BlockDriverState *bs) array_free(&(s->directory)); array_free(&(s->mapping)); g_free(s->cluster_buffer); + g_free(s->used_clusters); g_free(s->qcow_filename); =20 if (s->qcow) { --=20 2.26.3
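
Review bot: in the enable_write_target() hunk of [PATCH 2/4], size is a signed int (int size = sector2cluster(s, s->sector_count)) and is now handed to g_malloc0(), which takes an unsigned gsize and aborts the process when the allocation fails, where calloc() returned NULL. A negative or oversized result from sector2cluster() therefore becomes an abort during open rather than an error; consider validating size and reporting through errp, or using g_try_malloc0() with an error return. The commit message should also say why the allocator changes, namely so that the g_free(s->used_clusters) added to vvfat_close() pairs with a GLib allocation.
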
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Max Reitz, Kevin Wolf, Johannes Schindelin, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH 3/4] block/vvfat: Fix leak of mapping_t::path
Date: Fri, 30 Apr 2021 18:25:18 +0200
Message-Id: <20210430162519.271607-4-philmd@redhat.com>
In-Reply-To: <20210430162519.271607-1-philmd@redhat.com>

read_directory() keeps pointers to alloc'ed data in path ...:

 743 static int read_directory(BDRVVVFATState* s, int mapping_index)
 744 {
 ...
 792         buffer = g_malloc(length);
 ...
 828         /* create mapping for this file */
 829         if(!is_dot && !is_dotdot && (S_ISDIR(st.st_mode) || st.st_size)) {
 830             s->current_mapping = array_get_next(&(s->mapping));
 ...
 847             s->current_mapping->path=buffer;

... but these pointers are never free'd. Free them in vvfat_close(),
to fix (QEMU built with --enable-sanitizers):

  Direct leak of 148 byte(s) in 6 object(s) allocated from:
      #0 0x55d7a363773f in malloc (qemu-system-x86_64+0x1dab73f)
      #1 0x7f55c6447958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
      #2 0x55d7a5e17679 in init_directories block/vvfat.c:962:16
      #3 0x55d7a5e1251e in vvfat_open block/vvfat.c:1255:9
      #4 0x55d7a5a5363f in bdrv_open_driver block.c:1526:15
      #5 0x55d7a5a9d369 in bdrv_open_common block.c:1802:11
      #6 0x55d7a5a609f1 in bdrv_open_inherit block.c:3444:11
      #7 0x55d7a5a65411 in bdrv_open_child_bs block.c:3079:10
      #8 0x55d7a5a60079 in bdrv_open_inherit block.c:3391:19
      #9 0x55d7a5a65da3 in bdrv_open block.c:3537:12
      #10 0x55d7a5b33f6a in blk_new_open block/block-backend.c:421:10
      #11 0x55d7a5a0a33e in blockdev_init blockdev.c:610:15
      #12 0x55d7a5a088e7 in drive_new blockdev.c:994:11
      #13 0x55d7a51b10c4 in drive_init_func softmmu/vl.c:636:12
      #14 0x55d7a620e148 in qemu_opts_foreach util/qemu-option.c:1167:14
      #15 0x55d7a51b0e20 in configure_blockdev softmmu/vl.c:695:9
      #16 0x55d7a51a70b5 in qemu_create_early_backends softmmu/vl.c:1895:5
      #17 0x55d7a519bf87 in qemu_init softmmu/vl.c:3551:5
      #18 0x55d7a366f619 in main softmmu/main.c:49:5

Fixes: a046433a161 ("Major overhaul of the virtual FAT driver for read/write support")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Max Reitz
--- block/vvfat.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/vvfat.c b/block/vvfat.c index 2cc21787600..c193a816646 100644 --- a/block/vvfat.c +++ b/block/vvfat.c
@@ -3228,6 +3228,11 @@ static void vvfat_close(BlockDriverState *bs) { BDRVVVFATState *s =3D bs->opaque; =20 + for (unsigned j =3D 0; j < s->mapping.next; j++) { + mapping_t *mapping =3D array_get(&(s->mapping), j); + + g_free(mapping->path); + } vvfat_close_current_file(s); array_free(&(s->fat)); array_free(&(s->directory)); --=20 2.26.3
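
Review bot: the loop added at the top of vvfat_close() in [PATCH 3/4] calls g_free(mapping->path) on every element of s->mapping, which is only safe if each mapping exclusively owns a GLib-allocated path. The commit message quotes the assignment in read_directory(), but the sanitizer trace reports the leaked allocation in init_directories (block/vvfat.c:962), so at least two sites set path; please confirm that none of them stores a shared, static or non-GLib pointer, since that would turn this leak fix into a double free or an invalid free. If mappings can be dropped from the array while the device is open, their path needs freeing at that point as well, which this hunk does not cover.
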
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Max Reitz, Kevin Wolf, Johannes Schindelin, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH 4/4] block/vvfat: Avoid out of bounds write in create_long_filename()
Date: Fri, 30 Apr 2021 18:25:19 +0200
Message-Id: <20210430162519.271607-5-philmd@redhat.com>
In-Reply-To: <20210430162519.271607-1-philmd@redhat.com>

The direntry_t::name holds 11 bytes:

  typedef struct direntry_t {
      uint8_t name[8 + 3];
      ...

However create_long_filename() writes up to 31 bytes into it:

 421     for(i=0;i<26*number_of_entries;i++) {
 422         int offset=(i%26);
 423         if(offset<10) offset=1+offset;
 424         else if(offset<22) offset=14+offset-10;
 425         else offset=28+offset-22;
 426         entry=array_get(&(s->directory),s->directory.next-1-(i/26));
 427         if (i >= 2 * length + 2) {
 428             entry->name[offset] = 0xff;
 429         } else if (i % 2 == 0) {
 430             entry->name[offset] = longname[i / 2] & 0xff;
 431         } else {
 432             entry->name[offset] = longname[i / 2] >> 8;
 433         }
 434     }

For example, if i=25, offset=28+25-22=31

Then in lines 428, 430 and 432 the entry->name[] array is written beside
its 11 bytes, as reported by Clang sanitizer:

  block/vvfat.c:430:13: runtime error: index 14 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:430:13 in
  block/vvfat.c:432:13: runtime error: index 15 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:432:13 in
  block/vvfat.c:428:13: runtime error: index 18 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:428:13 in

As I have no idea about what this code does, simply skip the writes if
out of range, since it is not worse than what we have currently (and my
tests using vvfat work identically).

Fixes: de167e416fa ("Virtual VFAT support (Johannes Schindelin)")
Signed-off-by: Philippe Mathieu-Daudé
--- block/vvfat.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/block/vvfat.c b/block/vvfat.c index c193a816646..c7162e77d68 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -423,6 +423,9 @@ static direntry_t *create_long_filename(BDRVVVFATState = *s, const char *filename) if(offset<10) offset=3D1+offset; else if(offset<22) offset=3D14+offset-10; else offset=3D28+offset-22; + if (offset >=3D ARRAY_SIZE(entry->name)) { + continue; + } entry=3Darray_get(&(s->directory),s->directory.next-1-(i/26)); if (i >=3D 2 * length + 2) { entry->name[offset] =3D 0xff; --=20 2.26.3
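
Review bot: the check added in create_long_filename() in [PATCH 4/4], if (offset >= ARRAY_SIZE(entry->name)) continue;, silences the sanitizer by discarding data. The three branches just above it map i%26 to offsets 1..10, 14..25 and 28..31, and with an 11-byte name[] only 1..10 pass, so 16 of the 26 name bytes per entry are never written any more. Those offsets match the three name fields of a 32-byte VFAT long-filename directory entry, so the original code appears to index past name[] on purpose to reach the rest of direntry_t; the undefined behaviour is better fixed by writing through a byte pointer to the whole entry (or a dedicated long-name entry struct) than by skipping the stores. Separately, entry is named in the check before this iteration assigns it; that is harmless as long as ARRAY_SIZE only takes sizeof, but placing the check after the array_get() line would read more clearly. A test that reads back a filename longer than five characters would show whether behaviour really is unchanged.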