From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, Greg Kurz <groug@kaod.org>
Subject: Re: [PATCH] tests/9p: fix potential leak in v9fs_rreaddir()
Date: Sat, 29 Apr 2023 15:20:12 +0200 [thread overview]
Message-ID: <2011937.24IBG10sf5@silver> (raw)
In-Reply-To: <20230429140430.05b286a1@bahia>
On Saturday, April 29, 2023 2:04:30 PM CEST Greg Kurz wrote:
> Hi Christian !
Hi there, it's been a while! :)
> On Sat, 29 Apr 2023 11:25:33 +0200
> Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:
>
> > Free allocated directory entries in v9fs_rreaddir() if argument
> > `entries` was passed as NULL, to avoid a memory leak. It is
> > explicitly allowed by design for `entries` to be NULL. [1]
> >
> > [1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver
> >
> > Reported-by: Coverity (CID 1487558)
> > Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> > ---
>
> Good catch Coverity ! :-)
Yeah, this Coverity report is actually from March and I ignored it so far,
because the reported leak could never happen with current test code. But Paolo
brought it up this week, so ...
> Reviewed-by: Greg Kurz <groug@kaod.org>
>
> I still have a suggestion. See below.
>
> > tests/qtest/libqos/virtio-9p-client.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
> > index e4a368e036..b8adc8d4b9 100644
> > --- a/tests/qtest/libqos/virtio-9p-client.c
> > +++ b/tests/qtest/libqos/virtio-9p-client.c
> > @@ -594,6 +594,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > {
> > uint32_t local_count;
> > struct V9fsDirent *e = NULL;
> > + /* only used to avoid a leak if entries was NULL */
> > + struct V9fsDirent *unused_entries = NULL;
> > uint16_t slen;
> > uint32_t n = 0;
> >
> > @@ -612,6 +614,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > e = g_new(struct V9fsDirent, 1);
> > if (entries) {
> > *entries = e;
> > + } else {
> > + unused_entries = e;
> > }
> > } else {
> > e = e->next = g_new(struct V9fsDirent, 1);
>
> This is always allocating and chaining a new entry even
> though it isn't needed in the entries == NULL case.
>
> > @@ -628,6 +632,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > *nentries = n;
> > }
> >
> > + v9fs_free_dirents(unused_entries);
>
> This is going to loop again on all entries to free them.
>
> > v9fs_req_free(req);
> > }
> >
>
> If this function is to be called one day with an enormous
> number of entries and entries == NULL case, this might
> not scale well.
>
> What about only allocating a single entry in this case ?
>
> E.g.
>
> @@ -593,7 +593,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> struct V9fsDirent **entries)
> {
> uint32_t local_count;
> - struct V9fsDirent *e = NULL;
> + g_autofree struct V9fsDirent *e = NULL;
> uint16_t slen;
> uint32_t n = 0;
>
> @@ -611,10 +611,12 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> if (!e) {
> e = g_new(struct V9fsDirent, 1);
> if (entries) {
> - *entries = e;
> + *entries = g_steal_pointer(e);
g_steal_pointer(e) just sets `e` to NULL and returns its old value, so ...
> }
> } else {
> - e = e->next = g_new(struct V9fsDirent, 1);
> + if (entries) {
> + e = e->next = g_new(struct V9fsDirent, 1);
> + }
... this `else` block would never be reached and no list assembled.
> }
> e->next = NULL;
> /* qid[13] offset[8] type[1] name[s] */
And even if above's issue was fixed, then it would cause a use-after-free for
the last element in the list if entries != NULL and caller trying to access
the last element afterwards. So you would still need a separate g_autofree
pointer instead of tagging `e` directly, or something like this after loop
end:
if (entries)
g_steal_pointer(e);
Which would somehow defeat the purpose of using g_autofree though.
I mean, yes this could be addressed, but is it worth it? I don't know. Even
this reported leak is a purely theoretical one, but I understand if people
want to silence a warning.
Best regards,
Christian Schoenebeck
next prev parent reply other threads:[~2023-04-29 13:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-29 9:25 [PATCH] tests/9p: fix potential leak in v9fs_rreaddir() Christian Schoenebeck
2023-04-29 12:04 ` Greg Kurz
2023-04-29 13:20 ` Christian Schoenebeck [this message]
2023-05-02 5:46 ` Greg Kurz
2023-05-04 10:53 ` Christian Schoenebeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2011937.24IBG10sf5@silver \
--to=qemu_oss@crudebyte.com \
--cc=groug@kaod.org \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).