[Qemu-commits] [qemu/qemu] 841b8d: 9pfs: local: Fix possible memory leak


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 841b8d: 9pfs: local: Fix possible memory leak in local_link()
Date: Tue, 21 Jan 2020 03:00:12 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 841b8d099c462cd4282c4ced8c2a6512899fd8d9
      
https://github.com/qemu/qemu/commit/841b8d099c462cd4282c4ced8c2a6512899fd8d9
  Author: Jiajun Chen <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: Fix possible memory leak in local_link()

There is a possible memory leak when local_link returns -1 without freeing
odirpath and oname.

Reported-by: Euler Robot <address@hidden>
Signed-off-by: Jaijun Chen <address@hidden>
Signed-off-by: Xiang Zheng <address@hidden>
Reviewed-by: Christian Schoenebeck <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>


  Commit: 846cf408a4c8055063f4a5a71ccf7ed030cdad30
      
https://github.com/qemu/qemu/commit/846cf408a4c8055063f4a5a71ccf7ed030cdad30
  Author: Daniel Henrique Barboza <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9p: local: always return -1 on error in local_unlinkat_common

local_unlinkat_common() is supposed to always return -1 on error.
This is being done by jumps to the 'err_out' label, which is
a 'return ret' call, and 'ret' is initialized with -1.

Unfortunately there is a condition in which the function will
return 0 on error: in a case where flags == AT_REMOVEDIR, 'ret'
will be 0 when reaching

map_dirfd = openat_dir(...)

And, if map_dirfd == -1 and errno != ENOENT, the existing 'err_out'
jump will execute 'return ret', when ret is still set to zero
at that point.

This patch fixes it by changing all 'err_out' labels to
'return -1' calls, ensuring that the function will always
return -1 on error conditions. 'ret' can be left uninitialized
since it's now being used just to store the result of 'unlinkat'
calls.

CC: Greg Kurz <address@hidden>
Signed-off-by: Daniel Henrique Barboza <address@hidden>
[groug: changed prefix in title to be "9p: local:"]
Signed-off-by: Greg Kurz <address@hidden>
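An added illustration of the control-flow defect described above, written for this page rather than taken from QEMU: a simplified stand-in for local_unlinkat_common() with only the AT_REMOVEDIR path, stub helpers demo_unlinkat() and demo_openat_dir() (the latter always fails with a caller-chosen errno), and the 'before' and 'after' shapes side by side. All names prefixed demo_ and DEMO_ are assumptions for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for AT_REMOVEDIR; not QEMU's definition. */
#define DEMO_AT_REMOVEDIR 0x200

/* Stub: the metadata/entry removal succeeds (returns 0, like unlinkat). */
static int demo_unlinkat(void) { return 0; }

/* Stub: opening the metadata directory fails with a caller-chosen errno,
 * so both the ENOENT ("nothing to clean up") and real-error paths run. */
static int demo_openat_dir(int fail_errno) { errno = fail_errno; return -1; }

/* Before: 'ret' starts at -1 but is overwritten by the first successful
 * unlinkat, so the 'err_out' path ('return ret') can report 0 on error. */
static int unlinkat_common_before(int flags, int open_errno)
{
    int ret = -1;
    int map_dirfd;

    if (flags == DEMO_AT_REMOVEDIR) {
        ret = demo_unlinkat();            /* ret is now 0 */
        if (ret < 0) { goto err_out; }
        map_dirfd = demo_openat_dir(open_errno);
        if (map_dirfd == -1 && errno != ENOENT) {
            goto err_out;                 /* BUG: returns ret == 0 */
        }
    }
    ret = demo_unlinkat();                /* the actual removal */
err_out:
    return ret;
}

/* After: every error path returns -1 explicitly; 'ret' only ever holds
 * an unlinkat result, so it needs no initializer. */
static int unlinkat_common_after(int flags, int open_errno)
{
    int ret;
    int map_dirfd;

    if (flags == DEMO_AT_REMOVEDIR) {
        ret = demo_unlinkat();
        if (ret < 0) { return -1; }
        map_dirfd = demo_openat_dir(open_errno);
        if (map_dirfd == -1 && errno != ENOENT) {
            return -1;                    /* error is now reported */
        }
    }
    ret = demo_unlinkat();
    return ret;
}
```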


  Commit: 16724a173049ac29c7b5ade741da93a0f46edff7
      
https://github.com/qemu/qemu/commit/16724a173049ac29c7b5ade741da93a0f46edff7
  Author: Greg Kurz <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M hw/9pfs/9p.c
    M hw/9pfs/9p.h
    M hw/9pfs/virtio-9p-device.c
    M hw/9pfs/xen-9p-backend.c

  Log Message:
  -----------
  9p: init_in_iov_from_pdu can truncate the size

init_in_iov_from_pdu might not be able to allocate the full buffer size
requested, which comes from the client and could be larger than the
transport has available at the time of the request. Specifically, this
can happen with read operations, with the client requesting a read up to
the max allowed, which might be more than the transport has available at
the time.

Today the implementation of init_in_iov_from_pdu throws an error, in both
Xen and Virtio.

Instead, change the V9fsTransport interface so that the size becomes a
pointer and can be limited by the implementation of
init_in_iov_from_pdu.

Change both the Xen and Virtio implementations to set the size to the
size of the buffer they managed to allocate, instead of throwing an
error. However, if the allocated buffer size is less than P9_IOHDRSZ
(the size of the header) still throw an error as the case is unhandable.

Signed-off-by: Stefano Stabellini <address@hidden>
CC: address@hidden
CC: address@hidden
CC: address@hidden
CC: address@hidden
[groug: fix 32-bit build]
Signed-off-by: Greg Kurz <address@hidden>
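An added example, not QEMU's code, of the interface change this commit describes: a simplified transport that has 'avail' bytes on hand, the old reject-if-too-large behaviour beside the new clamp-through-a-pointer behaviour, and a serve_read() caller whose count comes from the client. The function names and the local P9_IOHDRSZ definition (24, as in QEMU's hw/9pfs/9p.h) are assumptions made so the demo builds stand-alone.

```c
#include <stddef.h>
#include <stdio.h>

/* 9p I/O header size; defined locally so this demo builds on its own. */
#define P9_IOHDRSZ 24

/* Before: the transport refuses the whole request when it cannot map the
 * client-requested size. Returns 0 on success, -1 on error. */
static int init_in_iov_before(size_t avail, size_t size)
{
    if (avail < size) {
        return -1;              /* client asked for more than we have */
    }
    return 0;
}

/* After: 'size' is passed by pointer and reduced to what the transport
 * can actually provide. Only a buffer too small for the 9p reply header
 * is still treated as an error, as the commit message says. */
static int init_in_iov_after(size_t avail, size_t *size)
{
    if (avail < *size) {
        if (avail < P9_IOHDRSZ) {
            return -1;          /* cannot even fit the header */
        }
        *size = avail;          /* truncate instead of failing */
    }
    return 0;
}

/* Caller side: a read whose 'count' is client-controlled. Returns the
 * payload bytes the reply may carry, or -1 if no buffer could be set up. */
static long serve_read(size_t avail, size_t count)
{
    size_t size = P9_IOHDRSZ + count;
    if (init_in_iov_after(avail, &size) < 0) {
        return -1;
    }
    return (long)(size - P9_IOHDRSZ);
}

int main(void)
{
    /* Constructed inputs: 100 bytes available, client asks for 4096. */
    printf("before: %d\n", init_in_iov_before(100, P9_IOHDRSZ + 4096));
    printf("after: payload %ld bytes\n", serve_read(100, 4096));
    return 0;
}
```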


  Commit: ff59c5ee78f11f0667c575b2b6c26a7d954658fb
      
https://github.com/qemu/qemu/commit/ff59c5ee78f11f0667c575b2b6c26a7d954658fb
  Author: Daniel Henrique Barboza <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M fsdev/virtfs-proxy-helper.c

  Log Message:
  -----------
  virtfs-proxy-helper.c: remove 'err_out' label in setugid()

'err_out' can be removed and be replaced by 'return -errno'
in its only instance in the function.

CC: Greg Kurz <address@hidden>
Signed-off-by: Daniel Henrique Barboza <address@hidden>
Acked-by: Greg Kurz <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>


  Commit: b858e80a02ca64b9208499155f4dab4ef298b523
      
https://github.com/qemu/qemu/commit/b858e80a02ca64b9208499155f4dab4ef298b523
  Author: Daniel Henrique Barboza <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs/9p.c: remove unneeded labels

'out' label in v9fs_xattr_write() and 'out_nofid' label in
v9fs_complete_rename() can be replaced by appropriate return
calls.

CC: Greg Kurz <address@hidden>
Signed-off-by: Daniel Henrique Barboza <address@hidden>
Acked-by: Greg Kurz <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>


  Commit: 4354edb6dcc72610c4344666d1664a67f6a86c84
      
https://github.com/qemu/qemu/commit/4354edb6dcc72610c4344666d1664a67f6a86c84
  Author: Peter Maydell <address@hidden>
  Date:   2020-01-20 (Mon, 20 Jan 2020)

  Changed paths:
    M fsdev/virtfs-proxy-helper.c
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p.c
    M hw/9pfs/9p.h
    M hw/9pfs/virtio-9p-device.c
    M hw/9pfs/xen-9p-backend.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/gkurz/tags/9p-next-2020-01-20' into staging

Assorted fixes and cleanups.
v2: - fix 32-bit build

# gpg: Signature made Mon 20 Jan 2020 14:14:11 GMT
# gpg:                using RSA key B4828BAF943140CEF2A3491071D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <address@hidden>" [full]
# gpg:                 aka "Gregory Kurz <address@hidden>" [full]
# gpg:                 aka "[jpeg image of size 3330]" [full]
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3  4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/9p-next-2020-01-20:
  9pfs/9p.c: remove unneeded labels
  virtfs-proxy-helper.c: remove 'err_out' label in setugid()
  9p: init_in_iov_from_pdu can truncate the size
  9p: local: always return -1 on error in local_unlinkat_common
  9pfs: local: Fix possible memory leak in local_link()

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/43d1455cf842...4354edb6dcc7
