From: Igor Mammedov
Date: Wed, 27 Nov 2013 23:28:56 +0100
Message-Id: <1385591336-2755-17-git-send-email-imammedo@redhat.com>
In-Reply-To: <1385591336-2755-1-git-send-email-imammedo@redhat.com>
References: <1385591336-2755-1-git-send-email-imammedo@redhat.com>
Subject: [Qemu-devel] [PATCH 16/16] target-i386: cpu: fix invalid use of error_is_set(errp) if errp == NULL
To: qemu-devel@nongnu.org
Cc: afaerber@suse.de

In the generic case errp may be NULL, and if an Error gets raised in the visitor but is not set to *errp for the lack of a pointer, value might be uninitialized:

    object_property_parse(obj, "invalid value", "foo", NULL);

and accessed further in the property setter, leading to an incorrect property value of the object instance.
So we cannot rely on error_is_set(errp) but must use a local variable to detect the error condition and return earlier.

Signed-off-by: Igor Mammedov
---
 target-i386/cpu.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 2220eae..7064818 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -1110,10 +1110,12 @@ static void x86_cpuid_version_set_family(Object *obj, Visitor *v, void *opaque, CPUX86State *env = &cpu->env; const int64_t min = 0; const int64_t max = 0xff + 0xf; + Error *err = NULL; int64_t value; - visit_type_int(v, &value, name, errp); - if (error_is_set(errp)) { + visit_type_int(v, &value, name, &err); + if (err) { + error_propagate(errp, err); return; } if (value < min || value > max) { @@ -1155,10 +1157,12 @@ static void x86_cpuid_version_set_model(Object *obj, Visitor *v, void *opaque, CPUX86State *env = &cpu->env; const int64_t min = 0; const int64_t max = 0xff; + Error *err = NULL; int64_t value; - visit_type_int(v, &value, name, errp); - if (error_is_set(errp)) { + visit_type_int(v, &value, name, &err); + if (err) { + error_propagate(errp, err); return; } if (value < min || value > max) { @@ -1197,10 +1201,12 @@ static void x86_cpuid_version_set_stepping(Object *obj, Visitor *v, CPUX86State *env = &cpu->env; const int64_t min = 0; const int64_t max = 0xf; + Error *err = NULL; int64_t value; - visit_type_int(v, &value, name, errp); - if (error_is_set(errp)) { + visit_type_int(v, &value, name, &err); + if (err) { + error_propagate(errp, err); return; } if (value < min || value > max) { @@ -1337,10 +1343,12 @@ static void x86_cpuid_set_tsc_freq(Object *obj, Visitor *v, void *opaque, X86CPU *cpu = X86_CPU(obj); const int64_t min = 0; const int64_t max = INT64_MAX; + Error *err = NULL; int64_t value; - visit_type_int(v, &value, name, errp); - if (error_is_set(errp)) { + visit_type_int(v, &value, name, &err); + if (err) { + error_propagate(errp, err); return; } if (value < min || value > max) { -- 1.8.3.1
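Review bot: In the x86_cpuid_version_set_family hunk (and identically in the set_model, set_stepping and set_tsc_freq hunks), the new `if (err) { error_propagate(errp, err); return; }` is only leak-free on the errp == NULL path because error_propagate() frees the local error when it has no destination to store it in; the commit message should state that, since the NULL-errp case is exactly the one this patch is about and a reader will otherwise suspect `err` is dropped. The early return is also what guarantees `value` is never read after a failed visit_type_int(), which is the actual fix for the uninitialized read the message describes.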
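Review bot: The same prologue (`Error *err = NULL;`, `visit_type_int(v, &value, name, &err);`, `if (err) { error_propagate(errp, err); return; }`) is now repeated verbatim in four setters of target-i386/cpu.c, each followed by the same `if (value < min || value > max)` check; consider a small static helper that performs the visit plus the range check and reports success with a bool, so the "never test errp, test a local" rule lives in one place, and check while doing so that no other setter in the file still uses the `visit_type_int(v, &value, name, errp); if (error_is_set(errp))` pattern this series removes.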