backends/igvm.c | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-)
According to the documentation we are supposed to do a null-pointer
check on the buffers returned by igvm_get_buffer() (part of the IGVM C
library).
Add these checks in the IGVM backend.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
backends/igvm.c | 37 +++++++++++++++++++++++++++++++------
1 file changed, 31 insertions(+), 6 deletions(-)
diff --git a/backends/igvm.c b/backends/igvm.c
index b01a19ba46..3b5edf1521 100644
--- a/backends/igvm.c
+++ b/backends/igvm.c
@@ -152,9 +152,17 @@ static int qigvm_handler(QIgvm *ctx, uint32_t type, Error **errp)
(int)header_handle);
return -1;
}
- header_data = igvm_get_buffer(ctx->file, header_handle) +
- sizeof(IGVM_VHS_VARIABLE_HEADER);
- result = handlers[handler].handler(ctx, header_data, errp);
+ header_data = igvm_get_buffer(ctx->file, header_handle);
+ if (header_data != NULL) {
+ header_data += sizeof(IGVM_VHS_VARIABLE_HEADER);
+ result = handlers[handler].handler(ctx, header_data, errp);
+ } else {
+ error_setg(errp,
+ "IGVM: No buffer for handle %d: "
+ "(type 0x%X)",
+ header_handle, type);
+ result = -1;
+ }
igvm_free_buffer(ctx->file, header_handle);
return result;
}
@@ -316,6 +324,11 @@ static int qigvm_process_mem_region(QIgvm *ctx, unsigned start_index,
return -1;
}
data = igvm_get_buffer(ctx->file, data_handle);
+ if (data == NULL) {
+ error_setg(errp, "IGVM: No buffer for handle %d", data_handle);
+ igvm_free_buffer(ctx->file, data_handle);
+ return -1;
+ }
memcpy(®ion[page_index * page_size], data, data_size);
igvm_free_buffer(ctx->file, data_handle);
}
@@ -426,6 +439,11 @@ static int qigvm_directive_vp_context(QIgvm *ctx, const uint8_t *header_data,
}
data = (uint8_t *)igvm_get_buffer(ctx->file, data_handle);
+ if (data == NULL) {
+ error_setg(errp, "IGVM: No buffer for handle %d", data_handle);
+ result = -1;
+ goto exit;
+ }
if (ctx->machine_state->cgs) {
result = ctx->cgsc->set_guest_state(
@@ -441,6 +459,7 @@ static int qigvm_directive_vp_context(QIgvm *ctx, const uint8_t *header_data,
result = -1;
}
+exit:
igvm_free_buffer(ctx->file, data_handle);
if (result < 0) {
return result;
@@ -778,9 +797,15 @@ static int qigvm_supported_platform_compat_mask(QIgvm *ctx, Error **errp)
}
platform =
(IGVM_VHS_SUPPORTED_PLATFORM *)(igvm_get_buffer(ctx->file,
- header_handle) +
- sizeof(
- IGVM_VHS_VARIABLE_HEADER));
+ header_handle));
+ if (platform == NULL) {
+ error_setg(errp, "IGVM: No buffer for handle %d", header_handle);
+ igvm_free_buffer(ctx->file, header_handle);
+ return -1;
+ }
+
+ platform = (IGVM_VHS_SUPPORTED_PLATFORM *)((void *)platform
+ + sizeof(IGVM_VHS_VARIABLE_HEADER));
if ((platform->platform_type == IGVM_PLATFORM_TYPE_SEV_ES) &&
ctx->machine_state->cgs) {
if (ctx->cgsc->check_support(
--
2.53.0On Thu, Feb 12, 2026 at 04:41:14PM +0100, Oliver Steffen wrote:
>According to the documentation we are supposed to do a null-pointer
>check on the buffers returned by igvm_get_buffer() (part of the IGVM C
>library).
>Add these checks in the IGVM backend.
>
>Signed-off-by: Oliver Steffen <osteffen@redhat.com>
>---
> backends/igvm.c | 37 +++++++++++++++++++++++++++++++------
> 1 file changed, 31 insertions(+), 6 deletions(-)
>
>diff --git a/backends/igvm.c b/backends/igvm.c
>index b01a19ba46..3b5edf1521 100644
>--- a/backends/igvm.c
>+++ b/backends/igvm.c
>@@ -152,9 +152,17 @@ static int qigvm_handler(QIgvm *ctx, uint32_t type, Error **errp)
> (int)header_handle);
> return -1;
> }
>- header_data = igvm_get_buffer(ctx->file, header_handle) +
>- sizeof(IGVM_VHS_VARIABLE_HEADER);
>- result = handlers[handler].handler(ctx, header_data, errp);
>+ header_data = igvm_get_buffer(ctx->file, header_handle);
>+ if (header_data != NULL) {
>+ header_data += sizeof(IGVM_VHS_VARIABLE_HEADER);
>+ result = handlers[handler].handler(ctx, header_data, errp);
>+ } else {
>+ error_setg(errp,
>+ "IGVM: No buffer for handle %d: "
>+ "(type 0x%X)",
>+ header_handle, type);
>+ result = -1;
>+ }
> igvm_free_buffer(ctx->file, header_handle);
> return result;
> }
>@@ -316,6 +324,11 @@ static int qigvm_process_mem_region(QIgvm *ctx, unsigned start_index,
> return -1;
> }
> data = igvm_get_buffer(ctx->file, data_handle);
>+ if (data == NULL) {
>+ error_setg(errp, "IGVM: No buffer for handle %d", data_handle);
>+ igvm_free_buffer(ctx->file, data_handle);
>+ return -1;
>+ }
> memcpy(®ion[page_index * page_size], data, data_size);
> igvm_free_buffer(ctx->file, data_handle);
> }
>@@ -426,6 +439,11 @@ static int qigvm_directive_vp_context(QIgvm *ctx, const uint8_t *header_data,
> }
>
> data = (uint8_t *)igvm_get_buffer(ctx->file, data_handle);
>+ if (data == NULL) {
>+ error_setg(errp, "IGVM: No buffer for handle %d", data_handle);
>+ result = -1;
>+ goto exit;
>+ }
>
> if (ctx->machine_state->cgs) {
> result = ctx->cgsc->set_guest_state(
>@@ -441,6 +459,7 @@ static int qigvm_directive_vp_context(QIgvm *ctx, const uint8_t *header_data,
> result = -1;
> }
>
>+exit:
> igvm_free_buffer(ctx->file, data_handle);
> if (result < 0) {
> return result;
>@@ -778,9 +797,15 @@ static int qigvm_supported_platform_compat_mask(QIgvm *ctx, Error **errp)
> }
> platform =
> (IGVM_VHS_SUPPORTED_PLATFORM *)(igvm_get_buffer(ctx->file,
>- header_handle) +
>- sizeof(
>- IGVM_VHS_VARIABLE_HEADER));
>+ header_handle));
>+ if (platform == NULL) {
>+ error_setg(errp, "IGVM: No buffer for handle %d", header_handle);
>+ igvm_free_buffer(ctx->file, header_handle);
>+ return -1;
>+ }
>+
>+ platform = (IGVM_VHS_SUPPORTED_PLATFORM *)((void *)platform
>+ + sizeof(IGVM_VHS_VARIABLE_HEADER));
> if ((platform->platform_type == IGVM_PLATFORM_TYPE_SEV_ES) &&
> ctx->machine_state->cgs) {
> if (ctx->cgsc->check_support(
>--
>2.53.0
>
LGTM!
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
© 2016 - 2026 Red Hat, Inc.