From: Keno Fischer To: qemu-devel@nongnu.org Date: Sat, 2 Jun 2018 17:29:36 -0400 Message-Id: X-Mailer: git-send-email 2.8.1 In-Reply-To: References: In-Reply-To: References: X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:400d:c09::241 Subject: [Qemu-devel] [PATCH v3 2/5] 9p: xattr: Fix crashes due to free of uninitialized value X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Keno Fischer , groug@kaod.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZohoMail: RDKM_2 RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" If the size returned from llistxattr/lgetxattr is 0, we skipped the malloc call, leaving xattr.value uninitialized. However, this value is later passed to `g_free` without any further checks, causing an error. Fix that by always calling g_malloc unconditionally. If `size` is 0, it will return NULL, which is safe to pass to g_free. Signed-off-by: Keno Fischer --- Changes since v2: * Fix another instance of the problematic pattern later in the same functi= on. hw/9pfs/9p.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d74302d..4386d69 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3256,8 +3256,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) xattr_fidp->fs.xattr.len =3D size; xattr_fidp->fid_type =3D P9_FID_XATTR; xattr_fidp->fs.xattr.xattrwalk_fid =3D true; + xattr_fidp->fs.xattr.value =3D g_malloc0(size); if (size) { - xattr_fidp->fs.xattr.value =3D g_malloc0(size); err =3D v9fs_co_llistxattr(pdu, &xattr_fidp->path, xattr_fidp->fs.xattr.value, xattr_fidp->fs.xattr.len); 
@@ -3289,8 +3289,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) xattr_fidp->fs.xattr.len =3D size; xattr_fidp->fid_type =3D P9_FID_XATTR; xattr_fidp->fs.xattr.xattrwalk_fid =3D true; + xattr_fidp->fs.xattr.value =3D g_malloc0(size); if (size) { - xattr_fidp->fs.xattr.value =3D g_malloc0(size); err =3D v9fs_co_lgetxattr(pdu, &xattr_fidp->path, &name, xattr_fidp->fs.xattr.value, xattr_fidp->fs.xattr.len); --=20 2.8.1
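Review bot: in the first hunk (@@ -3256), moving `xattr_fidp->fs.xattr.value =3D g_malloc0(size);` above `if (size)` makes the later g_free safe only because GLib guarantees that g_malloc0(0) returns NULL, and nothing at the call site says so; a one-line comment above the allocation (e.g. "g_malloc0(0) returns NULL, which g_free accepts") would stop a future cleanup from hoisting it back under the size check and reintroducing the uninitialized free. The commit message also says g_malloc while the code calls g_malloc0; align the wording so the reasoning about the zero-size return value matches the function actually used.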
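Review bot: after the second hunk (@@ -3289) the lgetxattr path and the llistxattr path above carry an identical four-line fid setup (len, fid_type, xattrwalk_fid, value allocation) that differs only in the following v9fs_co_* call; the v2 changelog shows how the second copy of the pattern was missed the first time, so consider a small static helper that initialises the xattr fid once and is called from both branches, which keeps the two sites from drifting apart again.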