From: Keno Fischer
To: qemu-devel@nongnu.org
Cc: Keno Fischer, groug@kaod.org
Date: Thu, 31 May 2018 21:25:58 -0400
Subject: [Qemu-devel] [PATCH v2 03/20] 9p: xattr: Fix crash due to free of uninitialized value

If the size returned from llistxattr is 0, we skipped the malloc call, leaving xattr.value uninitialized. However, this value is later passed to `g_free` without any further checks, causing an error. Fix that by always calling g_malloc unconditionally. If `size` is 0, it will return a pointer that is safe to pass to g_free, likely NULL.

Signed-off-by: Keno Fischer
---
Changes since v1: New patch

hw/9pfs/9p.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d74302d..b80db65 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3256,8 +3256,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) xattr_fidp->fs.xattr.len =3D size; xattr_fidp->fid_type =3D P9_FID_XATTR; xattr_fidp->fs.xattr.xattrwalk_fid =3D true; + xattr_fidp->fs.xattr.value =3D g_malloc0(size); if (size) { - xattr_fidp->fs.xattr.value =3D g_malloc0(size); err =3D v9fs_co_llistxattr(pdu, &xattr_fidp->path, xattr_fidp->fs.xattr.value, xattr_fidp->fs.xattr.len); --=20 2.8.1
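Review bot: the commit message hedges with "likely NULL", but GLib documents that g_malloc0() returns NULL when n_bytes is 0, so the message can state that outright; it is also worth saying explicitly that the hunk's real effect is that `xattr_fidp->fs.xattr.value` is now initialized on every path through v9fs_xattrwalk, so the later unconditional g_free can never see an indeterminate pointer (a guest-reachable invalid free in the 9p server). After this move the remaining `if (size) {` guard only decides whether v9fs_co_llistxattr is called; a one-line comment above it (e.g. "value is always allocated so it is safe to g_free even when size == 0") would keep a future reader from "optimizing" the allocation back inside the branch. Since `xattr.len` is set to `size` unconditionally in the same block, a zero-length value with a NULL pointer is consistent, which is what the consumers of the fid need.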