[PATCH v2] Mini-OS: fix 9pfs frontend error path

Juergen Gross posted 1 patch 2 weeks, 5 days ago
Failed in applying to current master
9pfront.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH v2] Mini-OS: fix 9pfs frontend error path
Posted by Juergen Gross 2 weeks, 5 days ago
The early error exit in p9_stat() returns without zeroing the p9_stat
buffer, resulting in free() being called with an uninitialized pointer.

Fix that by calling free_stat() in p9_stat() in case of returning an
error and potentially having allocated strings.

Reported-by: Julien Grall <julien@xen.org>
Fixes: 2d1dfccd3aa3 ("Mini-OS: add read and write support to 9pfsfront")
Signed-off-by: Juergen Gross <jgross@suse.com>
---
V2:
- call free_stat() in p9_stat() in case of returning an error
  (Samuel Thibault)
---
 9pfront.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/9pfront.c b/9pfront.c
index 315089bc..042879a7 100644
--- a/9pfront.c
+++ b/9pfront.c
@@ -728,6 +728,8 @@ static int p9_stat(struct dev_9pfs *dev, uint32_t fid, struct p9_stat *stat)
            &stat->extension, &stat->n_uid, &stat->n_gid, &stat->n_muid);
 
     ret = req->result;
+    if ( ret )
+        free_stat(&stat);
 
     put_free_req(dev, req);
 
@@ -932,13 +934,13 @@ static int write_9pfs(struct file *file, const void *buf, size_t nbytes)
     if ( f9pfs->append )
     {
         ret = p9_stat(f9pfs->dev, f9pfs->fid, &stat);
-        free_stat(&stat);
         if ( ret )
         {
             errno = EIO;
             return -1;
         }
         file->offset = stat.length;
+        free_stat(&stat);
     }
 
     ret = p9_write(f9pfs->dev, f9pfs->fid, file->offset, buf, nbytes);
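Review bot: moving `free_stat(&stat);` below `file->offset = stat.length;` makes write_9pfs() rely on p9_stat() releasing anything it allocated on every failing return, including the early exit the commit message describes where `stat` is never written at all; that contract (the caller frees only on success) should be recorded in a comment at p9_stat() or at this call site, otherwise the next caller or the next error path added to p9_stat() will reintroduce either the free of uninitialized pointers or a leak. Minor: `errno = EIO` discards the specific `ret` from p9_stat(); mapping it through would make it easier to tell which step failed.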
-- 
2.35.3
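The ownership rule this patch settles on (the callee releases anything it allocated before returning an error, the caller frees only after a success return, and an early exit leaves the caller's buffer untouched) written out as an added example in C. This is not Mini-OS code: `struct stat_ex`, `fetch_stat_ex()`, `free_stat_ex()`, `append_offset()` and the `fail_at` fault injection are hypothetical stand-ins for `struct p9_stat`, `p9_stat()`, `free_stat()` and the append branch of `write_9pfs()`, and the live-string counter exists only so the error paths can be checked for leaks.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Mini-OS's struct p9_stat (not the project's own
 * definition): one scalar field plus strings the reply parser allocates. */
struct stat_ex {
    uint64_t length;
    char *name;
    char *extension;
};

/* Strings currently allocated by fetch_stat_ex(); lets a caller verify that
 * no error path leaks. */
static int live_strings;

int live_string_count(void) { return live_strings; }

/* Counted duplicate using plain malloc+memcpy (no POSIX strdup needed). */
static char *dup_counted(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) {
        memcpy(p, s, n);
        live_strings++;
    }
    return p;
}

/* Plays the role of free_stat(): release every string, NULL-safe, and reset
 * the pointers so a repeated call is harmless. */
void free_stat_ex(struct stat_ex *st)
{
    if (st->name) { free(st->name); live_strings--; }
    if (st->extension) { free(st->extension); live_strings--; }
    st->name = NULL;
    st->extension = NULL;
}

/* Constructed fault injection standing in for the 9P backend failing. */
enum fail_at { FAIL_NONE, FAIL_BEFORE_REPLY, FAIL_IN_REPLY };

/* Plays the role of p9_stat() after the patch. Contract: on a non-zero
 * return the callee has already released anything it allocated, so the
 * caller may read or free *st only when this returns 0. FAIL_BEFORE_REPLY
 * models the early error exit from the commit message: *st is never written. */
int fetch_stat_ex(enum fail_at fail, struct stat_ex *st)
{
    if (fail == FAIL_BEFORE_REPLY)
        return -EIO;            /* early exit: *st left exactly as it was */

    /* Reply parsing starts: set every pointer before anything can fail, so
     * free_stat_ex() is safe on every later error path. */
    st->length = 4096;
    st->name = NULL;
    st->extension = NULL;

    st->name = dup_counted("file.txt");
    if (!st->name)
        return -ENOMEM;         /* nothing allocated, nothing to release */

    if (fail == FAIL_IN_REPLY) {
        /* Backend error after a string was allocated: the case the patch
         * fixes, cleanup belongs to the callee. */
        free_stat_ex(st);
        return -EIO;
    }

    st->extension = dup_counted("");
    if (!st->extension) {
        free_stat_ex(st);
        return -ENOMEM;
    }
    return 0;
}

/* Plays the role of the append branch of write_9pfs(): returns the offset to
 * append at, or -1 with errno = EIO. The local buffer is filled with a poison
 * pattern to model an uninitialized stack variable. */
int64_t append_offset(enum fail_at fail)
{
    struct stat_ex st;
    memset(&st, 0xA5, sizeof(st));  /* stands in for stack garbage */

    if (fetch_stat_ex(fail, &st)) {
        /* Before the patch free_stat(&stat) ran here, handing the poison
         * bytes or already-freed strings to free(). Nothing to release now. */
        errno = EIO;
        return -1;
    }
    int64_t off = (int64_t)st.length;
    free_stat_ex(&st);              /* only once the strings are known valid */
    return off;
}

/* Returns 1 if the early-exit path leaves the caller's buffer byte-for-byte
 * untouched, i.e. the caller must not free it after that failure. */
int early_exit_leaves_buffer_untouched(void)
{
    struct stat_ex st, poison;
    memset(&st, 0xA5, sizeof(st));
    memset(&poison, 0xA5, sizeof(poison));
    if (fetch_stat_ex(FAIL_BEFORE_REPLY, &st) != -EIO)
        return 0;
    return memcmp(&st, &poison, sizeof(st)) == 0;
}
```

The point of the poison fill in `append_offset()` is that it makes the pre-patch bug visible as data rather than as undefined behaviour: after an early-exit failure the struct still holds the 0xA5 pattern, which is exactly what the old unconditional `free_stat(&stat)` would have handed to `free()`.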
Re: [PATCH v2] Mini-OS: fix 9pfs frontend error path
Posted by Samuel Thibault 2 weeks, 5 days ago
Juergen Gross, on Tue 06 Feb 2024 20:11:25 +0100, wrote:
> The early error exit in p9_stat() returns without zeroing the p9_stat
> buffer, resulting in free() being called with an uninitialized pointer.
> 
> Fix that by calling free_stat() in p9_stat() in case of returning an
> error and potentially having allocated strings.
> 
> Reported-by: Julien Grall <julien@xen.org>
> Fixes: 2d1dfccd3aa3 ("Mini-OS: add read and write support to 9pfsfront")
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Thanks!
