* [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes
@ 2021-06-01 15:57 Stefan Hajnoczi
2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi
2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi
0 siblings, 2 replies; 7+ messages in thread
From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw)
To: qemu-devel
Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block,
Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi,
Paolo Bonzini
v2:
* Drop Patch 2 since the mkstemp(3) umask warning is archaic and hasn't
applied for a long time [Peter]
* Fix inconsistent g_assert_cmpint()/assert(3) usage in Patch 1 [Peter]
This patch series addresses recent Coverity reports. Please see the individual
patches for details.
Stefan Hajnoczi (2):
vhost-user-blk-test: fix Coverity open(2) false positives
ui/vdagent: fix clipboard info memory leak in error path
tests/qtest/vhost-user-blk-test.c | 8 ++++++--
ui/vdagent.c | 2 +-
2 files changed, 7 insertions(+), 3 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives
2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi
@ 2021-06-01 15:57 ` Stefan Hajnoczi
2021-06-01 16:27 ` Philippe Mathieu-Daudé
2021-06-02 3:41 ` Thomas Huth
2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi
1 sibling, 2 replies; 7+ messages in thread
From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw)
To: qemu-devel
Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block,
Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi,
Paolo Bonzini
Coverity checks that the file descriptor return value of open(2) is
checked and used. Normally this is helpful in identifying real bugs but
vhost-user-blk-test opens /dev/null as stdin and stdout after fork.
In this case we don't need to look at the return value because these
open(2) calls cannot fail in any reasonable environment. We already know
their return values ahead of time since we closed stdin and stdout
previously. open(2) is guaranteed to pick the lowest available fd
number.
Silence Coverity by introducing code that checks what we already know to
be true.
** CID 1453270: Resource leaks (RESOURCE_LEAK)
/qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
________________________________________________________________________________________________________
*** CID 1453270: Resource leaks (RESOURCE_LEAK)
/qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
914 * Close standard file descriptors so tap-driver.pl pipe detects when
915 * our parent terminates.
916 */
917 close(0);
918 close(1);
919 open("/dev/null", O_RDONLY);
>>> CID 1453270: Resource leaks (RESOURCE_LEAK)
>>> Ignoring handle opened by "open("/dev/null", 1)" leaks it.
920 open("/dev/null", O_WRONLY);
921
922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
923 exit(1);
924 }
925 g_string_free(storage_daemon_command, true);
** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
/qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
________________________________________________________________________________________________________
*** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
/qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
823 char *path;
824
825 /* No race because our pid makes the path unique */
826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid());
827 tmp_fd = mkstemp(path);
828 g_assert_cmpint(tmp_fd, >=, 0);
>>> CID 1453269: Error handling issues (NEGATIVE_RETURNS)
>>> "tmp_fd" is passed to a parameter that cannot be negative.
829 close(tmp_fd);
830 unlink(path);
831
832 *fd = qtest_socket_server(path);
833 g_test_queue_destroy(destroy_file, path);
834 return path;
** CID 1453268: (CHECKED_RETURN)
/qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
/qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
________________________________________________________________________________________________________
*** CID 1453268: (CHECKED_RETURN)
/qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
914 * Close standard file descriptors so tap-driver.pl pipe detects when
915 * our parent terminates.
916 */
917 close(0);
918 close(1);
919 open("/dev/null", O_RDONLY);
>>> CID 1453268: (CHECKED_RETURN)
>>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
920 open("/dev/null", O_WRONLY);
921
922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
923 exit(1);
924 }
925 g_string_free(storage_daemon_command, true);
/qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
913 /*
914 * Close standard file descriptors so tap-driver.pl pipe detects when
915 * our parent terminates.
916 */
917 close(0);
918 close(1);
>>> CID 1453268: (CHECKED_RETURN)
>>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
919 open("/dev/null", O_RDONLY);
920 open("/dev/null", O_WRONLY);
921
922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
923 exit(1);
924 }
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
tests/qtest/vhost-user-blk-test.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/vhost-user-blk-test.c b/tests/qtest/vhost-user-blk-test.c
index 8796c74ca4..c5c4667759 100644
--- a/tests/qtest/vhost-user-blk-test.c
+++ b/tests/qtest/vhost-user-blk-test.c
@@ -910,14 +910,18 @@ static void start_vhost_user_blk(GString *cmd_line, int vus_instances,
storage_daemon_command->str);
pid_t pid = fork();
if (pid == 0) {
+ int fd;
+
/*
* Close standard file descriptors so tap-driver.pl pipe detects when
* our parent terminates.
*/
close(0);
+ fd = open("/dev/null", O_RDONLY);
+ g_assert_cmpint(fd, ==, 0);
close(1);
- open("/dev/null", O_RDONLY);
- open("/dev/null", O_WRONLY);
+ fd = open("/dev/null", O_WRONLY);
+ g_assert_cmpint(fd, ==, 1);
execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
exit(1);
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path
2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi
2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi
@ 2021-06-01 15:57 ` Stefan Hajnoczi
2021-06-01 16:28 ` Philippe Mathieu-Daudé
2021-06-02 3:44 ` Thomas Huth
1 sibling, 2 replies; 7+ messages in thread
From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw)
To: qemu-devel
Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block,
Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi,
Paolo Bonzini
If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info
when returning early.
Thanks to Coverity for spotting this:
*** CID 1453266: Resource leaks (RESOURCE_LEAK)
/qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard()
459 info = qemu_clipboard_info_new(&vd->cbpeer, s);
460 if (size > sizeof(uint32_t) * 10) {
461 /*
462 * spice has 6 types as of 2021. Limiting to 10 entries
463 * so we we have some wiggle room.
464 */
>>> CID 1453266: Resource leaks (RESOURCE_LEAK)
>>> Variable "info" going out of scope leaks the storage it points to.
465 return;
466 }
467 while (size >= sizeof(uint32_t)) {
468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data));
469 switch (*(uint32_t *)data) {
470 case VD_AGENT_CLIPBOARD_UTF8_TEXT:
Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support")
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
ui/vdagent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/vdagent.c b/ui/vdagent.c
index a253a8fe63..8fc54d330e 100644
--- a/ui/vdagent.c
+++ b/ui/vdagent.c
@@ -456,7 +456,6 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg)
switch (msg->type) {
case VD_AGENT_CLIPBOARD_GRAB:
trace_vdagent_cb_grab_selection(GET_NAME(sel_name, s));
- info = qemu_clipboard_info_new(&vd->cbpeer, s);
if (size > sizeof(uint32_t) * 10) {
/*
* spice has 6 types as of 2021. Limiting to 10 entries
@@ -464,6 +463,7 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg)
*/
return;
}
+ info = qemu_clipboard_info_new(&vd->cbpeer, s);
while (size >= sizeof(uint32_t)) {
trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data));
switch (*(uint32_t *)data) {
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives
2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi
@ 2021-06-01 16:27 ` Philippe Mathieu-Daudé
2021-06-02 3:41 ` Thomas Huth
1 sibling, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-01 16:27 UTC (permalink / raw)
To: Stefan Hajnoczi, qemu-devel
Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block,
Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini
On 6/1/21 5:57 PM, Stefan Hajnoczi wrote:
> Coverity checks that the file descriptor return value of open(2) is
> checked and used. Normally this is helpful in identifying real bugs but
> vhost-user-blk-test opens /dev/null as stdin and stdout after fork.
>
> In this case we don't need to look at the return value because these
> open(2) calls cannot fail in any reasonable environment. We already know
> their return values ahead of time since we closed stdin and stdout
> previously. open(2) is guaranteed to pick the lowest available fd
> number.
>
> Silence Coverity by introducing code that checks what we already know to
> be true.
>
> ** CID 1453270: Resource leaks (RESOURCE_LEAK)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
>
> ________________________________________________________________________________________________________
> *** CID 1453270: Resource leaks (RESOURCE_LEAK)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
> 919 open("/dev/null", O_RDONLY);
>>>> CID 1453270: Resource leaks (RESOURCE_LEAK)
>>>> Ignoring handle opened by "open("/dev/null", 1)" leaks it.
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
> 925 g_string_free(storage_daemon_command, true);
>
> ** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
> /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
>
> ________________________________________________________________________________________________________
> *** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
> /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
> 823 char *path;
> 824
> 825 /* No race because our pid makes the path unique */
> 826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid());
> 827 tmp_fd = mkstemp(path);
> 828 g_assert_cmpint(tmp_fd, >=, 0);
>>>> CID 1453269: Error handling issues (NEGATIVE_RETURNS)
>>>> "tmp_fd" is passed to a parameter that cannot be negative.
> 829 close(tmp_fd);
> 830 unlink(path);
> 831
> 832 *fd = qtest_socket_server(path);
> 833 g_test_queue_destroy(destroy_file, path);
> 834 return path;
>
> ** CID 1453268: (CHECKED_RETURN)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
>
> ________________________________________________________________________________________________________
> *** CID 1453268: (CHECKED_RETURN)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
> 919 open("/dev/null", O_RDONLY);
>>>> CID 1453268: (CHECKED_RETURN)
>>>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
> 925 g_string_free(storage_daemon_command, true);
> /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
> 913 /*
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
>>>> CID 1453268: (CHECKED_RETURN)
>>>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 919 open("/dev/null", O_RDONLY);
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> tests/qtest/vhost-user-blk-test.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path
2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi
@ 2021-06-01 16:28 ` Philippe Mathieu-Daudé
2021-06-02 3:44 ` Thomas Huth
1 sibling, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-01 16:28 UTC (permalink / raw)
To: Stefan Hajnoczi, qemu-devel
Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block,
Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini
On 6/1/21 5:57 PM, Stefan Hajnoczi wrote:
> If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info
> when returning early.
>
> Thanks to Coverity for spotting this:
>
> *** CID 1453266: Resource leaks (RESOURCE_LEAK)
> /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard()
> 459 info = qemu_clipboard_info_new(&vd->cbpeer, s);
> 460 if (size > sizeof(uint32_t) * 10) {
> 461 /*
> 462 * spice has 6 types as of 2021. Limiting to 10 entries
> 463 * so we we have some wiggle room.
> 464 */
>>>> CID 1453266: Resource leaks (RESOURCE_LEAK)
>>>> Variable "info" going out of scope leaks the storage it points to.
> 465 return;
> 466 }
> 467 while (size >= sizeof(uint32_t)) {
> 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data));
> 469 switch (*(uint32_t *)data) {
> 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT:
>
> Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support")
> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> ui/vdagent.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives
2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi
2021-06-01 16:27 ` Philippe Mathieu-Daudé
@ 2021-06-02 3:41 ` Thomas Huth
1 sibling, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-06-02 3:41 UTC (permalink / raw)
To: Stefan Hajnoczi, qemu-devel
Cc: Laurent Vivier, Kevin Wolf, qemu-block, Peter Maydell, Coiby Xu,
Gerd Hoffmann, Paolo Bonzini
On 01/06/2021 17.57, Stefan Hajnoczi wrote:
> Coverity checks that the file descriptor return value of open(2) is
> checked and used. Normally this is helpful in identifying real bugs but
> vhost-user-blk-test opens /dev/null as stdin and stdout after fork.
>
> In this case we don't need to look at the return value because these
> open(2) calls cannot fail in any reasonable environment. We already know
> their return values ahead of time since we closed stdin and stdout
> previously. open(2) is guaranteed to pick the lowest available fd
> number.
>
> Silence Coverity by introducing code that checks what we already know to
> be true.
>
> ** CID 1453270: Resource leaks (RESOURCE_LEAK)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
>
> ________________________________________________________________________________________________________
> *** CID 1453270: Resource leaks (RESOURCE_LEAK)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
> 919 open("/dev/null", O_RDONLY);
>>>> CID 1453270: Resource leaks (RESOURCE_LEAK)
>>>> Ignoring handle opened by "open("/dev/null", 1)" leaks it.
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
> 925 g_string_free(storage_daemon_command, true);
>
> ** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
> /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
>
> ________________________________________________________________________________________________________
> *** CID 1453269: Error handling issues (NEGATIVE_RETURNS)
> /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket()
> 823 char *path;
> 824
> 825 /* No race because our pid makes the path unique */
> 826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid());
> 827 tmp_fd = mkstemp(path);
> 828 g_assert_cmpint(tmp_fd, >=, 0);
>>>> CID 1453269: Error handling issues (NEGATIVE_RETURNS)
>>>> "tmp_fd" is passed to a parameter that cannot be negative.
> 829 close(tmp_fd);
> 830 unlink(path);
> 831
> 832 *fd = qtest_socket_server(path);
> 833 g_test_queue_destroy(destroy_file, path);
> 834 return path;
>
> ** CID 1453268: (CHECKED_RETURN)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
>
> ________________________________________________________________________________________________________
> *** CID 1453268: (CHECKED_RETURN)
> /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk()
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
> 919 open("/dev/null", O_RDONLY);
>>>> CID 1453268: (CHECKED_RETURN)
>>>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
> 925 g_string_free(storage_daemon_command, true);
> /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk()
> 913 /*
> 914 * Close standard file descriptors so tap-driver.pl pipe detects when
> 915 * our parent terminates.
> 916 */
> 917 close(0);
> 918 close(1);
>>>> CID 1453268: (CHECKED_RETURN)
>>>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 919 open("/dev/null", O_RDONLY);
> 920 open("/dev/null", O_WRONLY);
> 921
> 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> 923 exit(1);
> 924 }
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> tests/qtest/vhost-user-blk-test.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/tests/qtest/vhost-user-blk-test.c b/tests/qtest/vhost-user-blk-test.c
> index 8796c74ca4..c5c4667759 100644
> --- a/tests/qtest/vhost-user-blk-test.c
> +++ b/tests/qtest/vhost-user-blk-test.c
> @@ -910,14 +910,18 @@ static void start_vhost_user_blk(GString *cmd_line, int vus_instances,
> storage_daemon_command->str);
> pid_t pid = fork();
> if (pid == 0) {
> + int fd;
> +
> /*
> * Close standard file descriptors so tap-driver.pl pipe detects when
> * our parent terminates.
> */
> close(0);
> + fd = open("/dev/null", O_RDONLY);
> + g_assert_cmpint(fd, ==, 0);
> close(1);
> - open("/dev/null", O_RDONLY);
> - open("/dev/null", O_WRONLY);
> + fd = open("/dev/null", O_WRONLY);
> + g_assert_cmpint(fd, ==, 1);
>
> execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL);
> exit(1);
>
Reviewed-by: Thomas Huth <thuth@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path
2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi
2021-06-01 16:28 ` Philippe Mathieu-Daudé
@ 2021-06-02 3:44 ` Thomas Huth
1 sibling, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-06-02 3:44 UTC (permalink / raw)
To: Stefan Hajnoczi, qemu-devel
Cc: Laurent Vivier, Kevin Wolf, qemu-block, Peter Maydell, Coiby Xu,
Gerd Hoffmann, Paolo Bonzini
On 01/06/2021 17.57, Stefan Hajnoczi wrote:
> If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info
> when returning early.
>
> Thanks to Coverity for spotting this:
>
> *** CID 1453266: Resource leaks (RESOURCE_LEAK)
> /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard()
> 459 info = qemu_clipboard_info_new(&vd->cbpeer, s);
> 460 if (size > sizeof(uint32_t) * 10) {
> 461 /*
> 462 * spice has 6 types as of 2021. Limiting to 10 entries
> 463 * so we we have some wiggle room.
> 464 */
>>>> CID 1453266: Resource leaks (RESOURCE_LEAK)
>>>> Variable "info" going out of scope leaks the storage it points to.
> 465 return;
> 466 }
> 467 while (size >= sizeof(uint32_t)) {
> 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data));
> 469 switch (*(uint32_t *)data) {
> 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT:
>
> Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support")
> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> ui/vdagent.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ui/vdagent.c b/ui/vdagent.c
> index a253a8fe63..8fc54d330e 100644
> --- a/ui/vdagent.c
> +++ b/ui/vdagent.c
> @@ -456,7 +456,6 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg)
> switch (msg->type) {
> case VD_AGENT_CLIPBOARD_GRAB:
> trace_vdagent_cb_grab_selection(GET_NAME(sel_name, s));
> - info = qemu_clipboard_info_new(&vd->cbpeer, s);
> if (size > sizeof(uint32_t) * 10) {
> /*
> * spice has 6 types as of 2021. Limiting to 10 entries
> @@ -464,6 +463,7 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg)
> */
> return;
> }
> + info = qemu_clipboard_info_new(&vd->cbpeer, s);
> while (size >= sizeof(uint32_t)) {
> trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data));
> switch (*(uint32_t *)data) {
>
Reviewed-by: Thomas Huth <thuth@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-06-02 3:45 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi
2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi
2021-06-01 16:27 ` Philippe Mathieu-Daudé
2021-06-02 3:41 ` Thomas Huth
2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi
2021-06-01 16:28 ` Philippe Mathieu-Daudé
2021-06-02 3:44 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).