From: Fabiano Rosas
To: qemu-devel@nongnu.org
Cc: Peter Xu, Markus Armbruster, Peter Maydell
Subject: [PATCH v3] migration/options: Fix leaks in StrOrNull qdev accessors
Date: Thu, 12 Mar 2026 17:46:19 -0300
Message-ID: <20260312204619.1969-1-farosas@suse.de>

Fix a couple of possible leaks detected by Coverity. Both are currently harmless. This code is only used for the very specific purpose of maintaining compatibility of a few migration options which can be set via QEMU command line (-global migration.tls-*). The command line interface is not supported and only used during development and testing.

1) The setter function set_StrOrNull() is invoked whenever the -global migration.tls-* command line options are set. The way it could leak is that the temporary "StrOrNull *str_or_null" object is allocated before calling the visitor, which could fail and cause an early return of the function, leaving *ptr unset and str_or_null leaking.

2) The getter function get_StrOrNull() is unreachable code. It's only there to provide a complete implementation of the property. Still, the way it could leak is that the temporary "StrOrNull *str_or_null" might be allocated and is simply never returned to the caller nor freed.

Fix the possible leaks:

1) at set_StrOrNull(): change the allocation of str_or_null to happen only after the visit call has returned successfully.

2) at get_StrOrNull(): assert that the object is non-NULL, there is no need for a temporary object. The reason it should be non-NULL is that the property is initialized by the default setter of the qdev property. The initialization is unlikely to fail because the call to the setter is set up by qdev, which has boilerplate ensuring the to-be-set object is allocated and of the correct type. Moreover, passing NULL via command line to -global migration.tls-* is not possible. A programming error could result in an invalid call to the setter, which would leave the object NULL and cause a crash in the getter, but that's not a worthwhile scenario to protect against given the low probability of this code being even reached.

While here, update the comment about why there's no QNULL in this StrOrNull property to be more clear.

Fixes: CID 1643919 Fixes: CID 1643920 Cc: Markus Armbruster Reported-by: Peter Maydell Reviewed-by: Peter Xu Signed-off-by: Fabiano Rosas Reviewed-by: Prasad Pandit --- v3: more detailed commit message stopped removing the prop variable, cleaner diff updated the QNULL comment --- migration/options.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/migration/options.c b/migration/options.c index f33b297929..658c578191 100644 --- a/migration/options.c +++ b/migration/options.c @@ -220,14 +220,12 @@ static void get_StrOrNull(Object *obj, Visitor *v, co= nst char *name, StrOrNull **ptr =3D object_field_prop_ptr(obj, prop); StrOrNull *str_or_null =3D *ptr; =20 - if (!str_or_null) { - str_or_null =3D g_new0(StrOrNull, 1); - str_or_null->type =3D QTYPE_QSTRING; - str_or_null->u.s =3D g_strdup(""); - } else { - /* the setter doesn't allow QNULL */ - assert(str_or_null->type !=3D QTYPE_QNULL); - } + /* + * The property should never be NULL because it's part of + * s->parameters and a default value is always set by qdev. It + * should also never be QNULL as the setter doesn't allow it. + */ + assert(str_or_null && str_or_null->type !=3D QTYPE_QNULL); visit_type_str(v, name, &str_or_null->u.s, errp); } =20 
@@ -236,16 +234,25 @@ static void set_StrOrNull(Object *obj, Visitor *v, co= nst char *name, { const Property *prop =3D opaque; StrOrNull **ptr =3D object_field_prop_ptr(obj, prop); - StrOrNull *str_or_null =3D g_new0(StrOrNull, 1); + StrOrNull *str_or_null; + char *str; + + if (!visit_type_str(v, name, &str, errp)) { + return; + } =20 /* - * Only str to keep compatibility, QNULL was never used via - * command line. + * This property only applies to the command line usage of + * migration's TLS options (-global migration.tls-*) where the + * NULL value cannot be provided as input (only strings are + * allowed). Therefore, this StrOrNull implementation never + * produces a QNULL value to avoid ever returning values outside + * the range of what was previously handled by consumers of the + * TLS options. */ + str_or_null =3D g_new0(StrOrNull, 1); str_or_null->type =3D QTYPE_QSTRING; - if (!visit_type_str(v, name, &str_or_null->u.s, errp)) { - return; - } + str_or_null->u.s =3D str; =20 qapi_free_StrOrNull(*ptr); *ptr =3D str_or_null; --=20 2.51.0
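
Review bot: in the get_StrOrNull() hunk, the new assert folds two separate invariants into one expression (str_or_null is non-NULL, and its type is not QTYPE_QNULL), so an abort will not say which of them was violated. Consider two asserts, one per condition, with the NULL check first. The comment above it states that a default value is always set by qdev; since the removed branch was the only fallback for the NULL case, it would help to name in that comment where the default is installed, so a reader can confirm the invariant without searching.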
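
Review bot: in the set_StrOrNull() hunk, str is declared without an initializer and is only known to be valid because visit_type_str() returned success before it is read. Initializing it at the declaration (char *str = NULL;) would make the ownership handoff at "str_or_null->u.s = str;" easier to audit and costs nothing. It would also be worth a short comment at that assignment saying that str_or_null takes ownership of the string, since the old value in *ptr is released by qapi_free_StrOrNull() on the next line and the two lifetimes are easy to confuse.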