[Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors
@ 2014-02-17 18:55 Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 1/4] linux-user/elfload.c: Avoid calling g_free() on uninitialized data Peter Maydell
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-17 18:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, patches

This patchset contains fixes for four bugs spotted by coverity;
mostly these are problems in error-handling codepaths.

Peter Maydell (4):
  linux-user/elfload.c: Avoid calling g_free() on uninitialized data
  linux-user/signal.c: Don't pass sigaction uninitialised sa_flags
  linux-user: Fix error handling in lock_iovec()
  linux-user: Fix error handling in target_to_host_semarray()

 linux-user/elfload.c | 16 ++++++++++++----
 linux-user/signal.c  |  1 +
 linux-user/syscall.c | 19 +++++++++++++------
 3 files changed, 26 insertions(+), 10 deletions(-)

-- 
1.8.5

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Qemu-devel] [PATCH 1/4] linux-user/elfload.c: Avoid calling g_free() on uninitialized data
  2014-02-17 18:55 [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors Peter Maydell
@ 2014-02-17 18:55 ` Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 2/4] linux-user/signal.c: Don't pass sigaction uninitialised sa_flags Peter Maydell
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-17 18:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, patches

Avoid calling g_free() on unintialized data in the error-handling
paths in elf_core_dump() by splitting the initialization of the
elf_note_info struct out of fill_note_info() so that it's always
valid to call free_note_info() whether we got to the point of
being able to fill_note_info() or not.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/elfload.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 5902f16..c0687e3 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -2636,6 +2636,16 @@ static void fill_thread_info(struct elf_note_info *info, const CPUArchState *env
     info->notes_size += note_size(&ets->notes[0]);
 }
 
+static void init_note_info(struct elf_note_info *info)
+{
+    /* Initialize the elf_note_info structure so that it is at
+     * least safe to call free_note_info() on it. Must be
+     * called before calling fill_note_info().
+     */
+    memset(info, 0, sizeof (*info));
+    QTAILQ_INIT(&info->thread_list);
+}
+
 static int fill_note_info(struct elf_note_info *info,
                           long signr, const CPUArchState *env)
 {
@@ -2644,10 +2654,6 @@ static int fill_note_info(struct elf_note_info *info,
     TaskState *ts = (TaskState *)env->opaque;
     int i;
 
-    (void) memset(info, 0, sizeof (*info));
-
-    QTAILQ_INIT(&info->thread_list);
-
     info->notes = g_malloc0(NUMNOTES * sizeof (struct memelfnote));
     if (info->notes == NULL)
         return (-ENOMEM);
@@ -2781,6 +2787,8 @@ static int elf_core_dump(int signr, const CPUArchState *env)
     int segs = 0;
     int fd = -1;
 
+    init_note_info(&info);
+
     errno = 0;
     getrlimit(RLIMIT_CORE, &dumpsize);
     if (dumpsize.rlim_cur == 0)
-- 
1.8.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [Qemu-devel] [PATCH 2/4] linux-user/signal.c: Don't pass sigaction uninitialised sa_flags
  2014-02-17 18:55 [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 1/4] linux-user/elfload.c: Avoid calling g_free() on uninitialized data Peter Maydell
@ 2014-02-17 18:55 ` Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 3/4] linux-user: Fix error handling in lock_iovec() Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray() Peter Maydell
  3 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-17 18:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, patches

When forcing a fatal signal, we weren't initialising the sa_flags
field in the struct sigaction we used to reset the signal handler
to SIG_DFL.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 82e8592..04638e2 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -420,6 +420,7 @@ static void QEMU_NORETURN force_sig(int target_sig)
      * it to arrive. */
     sigfillset(&act.sa_mask);
     act.sa_handler = SIG_DFL;
+    act.sa_flags = 0;
     sigaction(host_sig, &act, NULL);
 
     /* For some reason raise(host_sig) doesn't send the signal when
-- 
1.8.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [Qemu-devel] [PATCH 3/4] linux-user: Fix error handling in lock_iovec()
  2014-02-17 18:55 [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 1/4] linux-user/elfload.c: Avoid calling g_free() on uninitialized data Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 2/4] linux-user/signal.c: Don't pass sigaction uninitialised sa_flags Peter Maydell
@ 2014-02-17 18:55 ` Peter Maydell
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray() Peter Maydell
  3 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-02-17 18:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, patches

In lock_iovec() if lock_user() failed we were doing an unlock_user
but not a free(vec), which is the wrong way round. We were also
assuming that free() and unlock_user() don't touch errno, which
is not guaranteed. Fix both these problems.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/syscall.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f370087..bb3e4b1 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1707,6 +1707,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
     struct iovec *vec;
     abi_ulong total_len, max_len;
     int i;
+    int err = 0;
 
     if (count == 0) {
         errno = 0;
@@ -1726,7 +1727,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
     target_vec = lock_user(VERIFY_READ, target_addr,
                            count * sizeof(struct target_iovec), 1);
     if (target_vec == NULL) {
-        errno = EFAULT;
+        err = EFAULT;
         goto fail2;
     }
 
@@ -1740,7 +1741,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
         abi_long len = tswapal(target_vec[i].iov_len);
 
         if (len < 0) {
-            errno = EINVAL;
+            err = EINVAL;
             goto fail;
         } else if (len == 0) {
             /* Zero length pointer is ignored.  */
@@ -1748,7 +1749,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
         } else {
             vec[i].iov_base = lock_user(type, base, len, copy);
             if (!vec[i].iov_base) {
-                errno = EFAULT;
+                err = EFAULT;
                 goto fail;
             }
             if (len > max_len - total_len) {
@@ -1763,9 +1764,10 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr,
     return vec;
 
  fail:
-    free(vec);
- fail2:
     unlock_user(target_vec, target_addr, 0);
+ fail2:
+    free(vec);
+    errno = err;
     return NULL;
 }
 
-- 
1.8.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray()
  2014-02-17 18:55 [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors Peter Maydell
                   ` (2 preceding siblings ...)
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 3/4] linux-user: Fix error handling in lock_iovec() Peter Maydell
@ 2014-02-17 18:55 ` Peter Maydell
  2014-02-18 15:10   ` Riku Voipio
  3 siblings, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-02-17 18:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: Riku Voipio, patches

Fix two issues in error handling in target_to_host_semarray():
 * don't leak the host_array buffer if lock_user fails
 * return an error if malloc() fails

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/syscall.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index bb3e4b1..c92f026 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2429,10 +2429,15 @@ static inline abi_long target_to_host_semarray(int semid, unsigned short **host_
     nsems = semid_ds.sem_nsems;
 
     *host_array = malloc(nsems*sizeof(unsigned short));
+    if (!*host_array) {
+        return -TARGET_ENOMEM;
+    }
     array = lock_user(VERIFY_READ, target_addr,
                       nsems*sizeof(unsigned short), 1);
-    if (!array)
+    if (!array) {
+        free(host_array);
         return -TARGET_EFAULT;
+    }
 
     for(i=0; i<nsems; i++) {
         __get_user((*host_array)[i], &array[i]);
-- 
1.8.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray()
  2014-02-17 18:55 ` [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray() Peter Maydell
@ 2014-02-18 15:10   ` Riku Voipio
  2014-02-18 15:11     ` Peter Maydell
  0 siblings, 1 reply; 8+ messages in thread
From: Riku Voipio @ 2014-02-18 15:10 UTC (permalink / raw)
  To: Peter Maydell; +Cc: qemu-devel

On Mon, Feb 17, 2014 at 06:55:34PM +0000, Peter Maydell wrote:
> Fix two issues in error handling in target_to_host_semarray():
>  * don't leak the host_array buffer if lock_user fails
>  * return an error if malloc() fails

With this patch I get on ubuntu raring x86_64 (gcc 4.7):

In function ‘target_to_host_semarray’,
    inlined from ‘do_semctl’ at /home/voipio/linaro/qemu/linux-user/syscall.c:2502:17,
    inlined from ‘do_syscall’ at /home/voipio/linaro/qemu/linux-user/syscall.c:6917:13:
/home/voipio/linaro/qemu/linux-user/syscall.c:2439:13: error: attempt to free a non-heap object ‘array’ [-Werror=free-nonheap-object]
cc1: all warnings being treated as errors

Other patches in the set seem fine so far (still testing)

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>  linux-user/syscall.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index bb3e4b1..c92f026 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2429,10 +2429,15 @@ static inline abi_long target_to_host_semarray(int semid, unsigned short **host_
>      nsems = semid_ds.sem_nsems;
>  
>      *host_array = malloc(nsems*sizeof(unsigned short));
> +    if (!*host_array) {
> +        return -TARGET_ENOMEM;
> +    }
>      array = lock_user(VERIFY_READ, target_addr,
>                        nsems*sizeof(unsigned short), 1);
> -    if (!array)
> +    if (!array) {
> +        free(host_array);
>          return -TARGET_EFAULT;
> +    }
>  
>      for(i=0; i<nsems; i++) {
>          __get_user((*host_array)[i], &array[i]);
> -- 
> 1.8.5
> 

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray()
  2014-02-18 15:10   ` Riku Voipio
@ 2014-02-18 15:11     ` Peter Maydell
  2014-02-18 15:53       ` Riku Voipio
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-02-18 15:11 UTC (permalink / raw)
  To: Riku Voipio; +Cc: QEMU Developers

On 18 February 2014 15:10, Riku Voipio <riku.voipio@iki.fi> wrote:
> On Mon, Feb 17, 2014 at 06:55:34PM +0000, Peter Maydell wrote:
>> Fix two issues in error handling in target_to_host_semarray():
>>  * don't leak the host_array buffer if lock_user fails
>>  * return an error if malloc() fails
>
> With this patch I get on ubuntu raring x86_64 (gcc 4.7):
>
> In function ‘target_to_host_semarray’,
>     inlined from ‘do_semctl’ at /home/voipio/linaro/qemu/linux-user/syscall.c:2502:17,
>     inlined from ‘do_syscall’ at /home/voipio/linaro/qemu/linux-user/syscall.c:6917:13:
> /home/voipio/linaro/qemu/linux-user/syscall.c:2439:13: error: attempt to free a non-heap object ‘array’ [-Werror=free-nonheap-object]
> cc1: all warnings being treated as errors

Doh. Missing '*':

>>
>>      *host_array = malloc(nsems*sizeof(unsigned short));
>> +    if (!*host_array) {
>> +        return -TARGET_ENOMEM;
>> +    }
>>      array = lock_user(VERIFY_READ, target_addr,
>>                        nsems*sizeof(unsigned short), 1);
>> -    if (!array)
>> +    if (!array) {
>> +        free(host_array);

...should be
    free(*host_array);

thanks
-- PMM

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray()
  2014-02-18 15:11     ` Peter Maydell
@ 2014-02-18 15:53       ` Riku Voipio
  0 siblings, 0 replies; 8+ messages in thread
From: Riku Voipio @ 2014-02-18 15:53 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Riku Voipio, QEMU Developers

On Tue, Feb 18, 2014 at 03:11:37PM +0000, Peter Maydell wrote:
> On 18 February 2014 15:10, Riku Voipio <riku.voipio@iki.fi> wrote:
> > On Mon, Feb 17, 2014 at 06:55:34PM +0000, Peter Maydell wrote:
> >> Fix two issues in error handling in target_to_host_semarray():
> >>  * don't leak the host_array buffer if lock_user fails
> >>  * return an error if malloc() fails
> >
> > With this patch I get on ubuntu raring x86_64 (gcc 4.7):
> >
> > In function ‘target_to_host_semarray’,
> >     inlined from ‘do_semctl’ at /home/voipio/linaro/qemu/linux-user/syscall.c:2502:17,
> >     inlined from ‘do_syscall’ at /home/voipio/linaro/qemu/linux-user/syscall.c:6917:13:
> > /home/voipio/linaro/qemu/linux-user/syscall.c:2439:13: error: attempt to free a non-heap object ‘array’ [-Werror=free-nonheap-object]
> > cc1: all warnings being treated as errors
> 
> Doh. Missing '*':
> 
> >>
> >>      *host_array = malloc(nsems*sizeof(unsigned short));
> >> +    if (!*host_array) {
> >> +        return -TARGET_ENOMEM;
> >> +    }
> >>      array = lock_user(VERIFY_READ, target_addr,
> >>                        nsems*sizeof(unsigned short), 1);
> >> -    if (!array)
> >> +    if (!array) {
> >> +        free(host_array);
> 
> ...should be
>     free(*host_array);

Edited and updated patch in my linux-user updates branch.

Riku

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2014-02-18 15:53 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-17 18:55 [Qemu-devel] [PATCH 0/4] linux-user: four patches for coverity errors Peter Maydell
2014-02-17 18:55 ` [Qemu-devel] [PATCH 1/4] linux-user/elfload.c: Avoid calling g_free() on uninitialized data Peter Maydell
2014-02-17 18:55 ` [Qemu-devel] [PATCH 2/4] linux-user/signal.c: Don't pass sigaction uninitialised sa_flags Peter Maydell
2014-02-17 18:55 ` [Qemu-devel] [PATCH 3/4] linux-user: Fix error handling in lock_iovec() Peter Maydell
2014-02-17 18:55 ` [Qemu-devel] [PATCH 4/4] linux-user: Fix error handling in target_to_host_semarray() Peter Maydell
2014-02-18 15:10   ` Riku Voipio
2014-02-18 15:11     ` Peter Maydell
2014-02-18 15:53       ` Riku Voipio

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).