From: Fabiano Rosas <farosas@suse.de>
To: Peter Xu <peterx@redhat.com>, qemu-devel@nongnu.org
Cc: Arun Menon <armenon@redhat.com>,
peterx@redhat.com, Peter Maydell <peter.maydell@linaro.org>,
Juraj Marcin <jmarcin@redhat.com>
Subject: Re: [PATCH 2/3] migration/cpr: Fix coverity report in cpr_exec_persist_state()
Date: Tue, 21 Oct 2025 17:49:07 -0300 [thread overview]
Message-ID: <87o6q0t1z0.fsf@suse.de> (raw)
In-Reply-To: <20251021184132.2635958-3-peterx@redhat.com>
Peter Xu <peterx@redhat.com> writes:
> Per reported and analyzed by Peter:
>
> https://lore.kernel.org/r/CAFEAcA_mUQ2NeoguR5efrhw7XYGofnriWEA=+Dg+Ocvyam1wAw@mail.gmail.com
>
> mfd leak is a false positive, try to use a coverity annotation (which I
> didn't find manual myself, but still give it a shot).
>
> Fix the other one by dumping an error message if setenv() failed.
>
> Resolves: Coverity CID 1641391
> Resolves: Coverity CID 1641392
> Fixes: efc6587313 ("migration: cpr-exec save and load")
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
> migration/cpr-exec.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/migration/cpr-exec.c b/migration/cpr-exec.c
> index d57714bc5d..3cf44634a9 100644
> --- a/migration/cpr-exec.c
> +++ b/migration/cpr-exec.c
> @@ -43,13 +43,16 @@ static QEMUFile *qemu_file_new_fd_output(int fd, const char *name)
> void cpr_exec_persist_state(QEMUFile *f)
> {
> QIOChannelFile *fioc = QIO_CHANNEL_FILE(qemu_file_get_ioc(f));
> + /* coverity[leaked_storage] - mfd intentionally kept open across exec() */
> int mfd = dup(fioc->fd);
> char val[16];
>
> /* Remember mfd in environment for post-exec load */
> qemu_clear_cloexec(mfd);
> snprintf(val, sizeof(val), "%d", mfd);
> - g_setenv(CPR_EXEC_STATE_NAME, val, 1);
> + if (!g_setenv(CPR_EXEC_STATE_NAME, val, 1)) {
> + error_report("Setting env %s = %s failed", CPR_EXEC_STATE_NAME, val);
> + }
Best to abort no? We don't want the rest of the code reading whatever
may be at that env variable and running with it.
> }
>
> static int cpr_exec_find_state(void)
next prev parent reply other threads:[~2025-10-21 20:52 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-21 18:41 [PATCH 0/3] migration: A few fixes on coverity reports Peter Xu
2025-10-21 18:41 ` [PATCH 1/3] migration: Fix error leak in postcopy_ram_listen_thread() Peter Xu
2025-10-21 20:45 ` Fabiano Rosas
2025-10-21 21:20 ` Peter Xu
2025-10-21 18:41 ` [PATCH 2/3] migration/cpr: Fix coverity report in cpr_exec_persist_state() Peter Xu
2025-10-21 20:49 ` Fabiano Rosas [this message]
2025-10-21 21:29 ` Peter Xu
2025-10-22 12:24 ` Fabiano Rosas
2025-10-22 12:51 ` Peter Xu
2025-10-22 13:41 ` Fabiano Rosas
2025-10-21 18:41 ` [PATCH 3/3] migration/cpr: Fix UAF in cpr_exec_cb() when execvp() fails Peter Xu
2025-10-21 20:49 ` Fabiano Rosas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o6q0t1z0.fsf@suse.de \
--to=farosas@suse.de \
--cc=armenon@redhat.com \
--cc=jmarcin@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.