From: Laurent Vivier <laurent@vivier.eu>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
qemu-trivial@nongnu.org, "Michael Tokarev" <mjt@tls.msk.ru>,
"Laurent Vivier" <laurent@vivier.eu>,
"Randy Yates" <yates@ieee.org>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Stefano Garzarella" <sgarzare@redhat.com>
Subject: [PULL 08/20] elf_ops: Don't try to g_mapped_file_unref(NULL)
Date: Mon, 4 May 2020 13:57:46 +0200 [thread overview]
Message-ID: <20200504115758.283914-9-laurent@vivier.eu> (raw)
In-Reply-To: <20200504115758.283914-1-laurent@vivier.eu>
From: Peter Maydell <peter.maydell@linaro.org>
Calling g_mapped_file_unref() on a NULL pointer is not valid, and
glib will assert if you try it.
$ qemu-system-arm -M virt -display none -device loader,file=/tmp/bad.elf
qemu-system-arm: -device loader,file=/tmp/bad.elf: GLib: g_mapped_file_unref: assertion 'file != NULL' failed
(One way to produce an ELF file that fails like this is to copy just
the first 16 bytes of a valid ELF file; this is sufficient to fool
the code in load_elf_ram_sym() into thinking it's an ELF file and
calling load_elf32() or load_elf64().)
The failure-exit path in load_elf can be reached from various points
in execution, and for some of those we haven't yet called
g_mapped_file_new_from_fd(). Add a condition to the unref call so we
only call it if we successfully created the GMappedFile to start with.
This will fix the assertion; for the specific case of the generic
loader it will then fall back from "guess this is an ELF file" to
"maybe it's a uImage or a hex file" and eventually to "just load as
a raw data file".
Reported-by: Randy Yates <yates@ieee.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200423202011.32686-1-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
include/hw/elf_ops.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index e0bb47bb678d..398a4a2c85bb 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -606,7 +606,9 @@ static int glue(load_elf, SZ)(const char *name, int fd,
*highaddr = (uint64_t)(elf_sword)high;
ret = total_size;
fail:
- g_mapped_file_unref(mapped_file);
+ if (mapped_file) {
+ g_mapped_file_unref(mapped_file);
+ }
g_free(phdr);
return ret;
}
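Review bot: the guard `+ if (mapped_file) {` is only correct if `mapped_file` is initialised to NULL at its declaration, which is outside this hunk; since `fail:` is reached from several points before `g_mapped_file_new_from_fd()` runs, an uninitialised pointer would pass the check and still reach `g_mapped_file_unref()`, so please confirm the declaration (or add `= NULL` there) as part of this change. `g_free(phdr)` below needs no matching guard because `g_free(NULL)` is a no-op.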
--
2.26.2
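Added example, not code from this patch or from QEMU: a C simulation of the load_elf() fail-path shape the commit message describes, with a hypothetical `elf_header_check()` that rejects a file carrying only the 16 magic/ident bytes before anything is mapped, and a stand-in for GMappedFile that records whether unref was ever called on NULL. Everything except the ELF constants (EI_NIDENT, EI_CLASS, ELFCLASS32/64, the Ehdr sizes) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EI_NIDENT   16
#define EI_CLASS    4
#define ELFCLASS32  1
#define ELFCLASS64  2
#define EHDR32_SIZE 52   /* sizeof(Elf32_Ehdr) */
#define EHDR64_SIZE 64   /* sizeof(Elf64_Ehdr) */

/* Hypothetical stand-in for GMappedFile: counts unrefs so a caller can
 * see whether cleanup ran and whether it was ever handed NULL. */
typedef struct { int live; } fake_mapped_file;
static fake_mapped_file the_file;
int fake_unref_calls = 0, fake_unref_null_calls = 0;

static fake_mapped_file *fake_map(void) { the_file.live = 1; return &the_file; }
static void fake_unref(fake_mapped_file *f)
{
    if (!f) { fake_unref_null_calls++; return; }  /* glib would assert here */
    f->live = 0; fake_unref_calls++;
}

/* 1: header usable, 0: not ELF, -1: ELF magic but file too short for Ehdr. */
int elf_header_check(const uint8_t *buf, size_t len)
{
    size_t need;
    if (len < EI_NIDENT || memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;
    switch (buf[EI_CLASS]) {
    case ELFCLASS32: need = EHDR32_SIZE; break;
    case ELFCLASS64: need = EHDR64_SIZE; break;
    default: return 0;
    }
    return len >= need ? 1 : -1;
}

/* Same shape as load_elf(): the mapping is created only after the header
 * passes, so `fail:` can be reached with mapped_file still NULL. */
int load_elf_sim(const uint8_t *buf, size_t len)
{
    fake_mapped_file *mapped_file = NULL;   /* must start NULL for the guard */
    int ret = -1;
    if (elf_header_check(buf, len) != 1) goto fail;
    mapped_file = fake_map();
    ret = (int)len;                         /* pretend the load succeeded */
fail:
    if (mapped_file) fake_unref(mapped_file);   /* guarded, as in the patch */
    return ret;
}

/* Constructed sample: a 64-byte ELFCLASS64 header; its first 16 bytes
 * reproduce the truncated file from the report. */
const uint8_t sample_elf64[64] = { 0x7f, 'E', 'L', 'F', ELFCLASS64, 1, 1 };
```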