From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Carlos López" <clopez@suse.de>
Subject: [PULL 32/53] vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
Date: Thu, 2 Mar 2023 03:26:07 -0500
Message-ID: <20230302082343.560446-33-mst@redhat.com>
In-Reply-To: <20230302082343.560446-1-mst@redhat.com>
From: Carlos López <clopez@suse.de>
In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned
to the caller, potentially leaking stack data or causing undefined
behavior.
Fix this by initializing len to 0.
Found with GCC 13 and -fanalyzer (abridged):
../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
538 | return len;
| ^~~
‘vhost_svq_poll’: events 1-4
|
| 522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
| | ^~~~~~~~~~~~~~
| | |
| | (1) entry to ‘vhost_svq_poll’
|......
| 525 | uint32_t len;
| | ~~~
| | |
| | (2) region created on stack here
| | (3) capacity: 4 bytes
|......
| 528 | if (vhost_svq_more_used(svq)) {
| | ~
| | |
| | (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
(...)
| 528 | if (vhost_svq_more_used(svq)) {
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(8) ...to here
| | (7) following ‘true’ branch...
|......
| 537 | vhost_svq_get_buf(svq, &len);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
|
+--> ‘vhost_svq_get_buf’: events 10-11
|
| 416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
| | ^~~~~~~~~~~~~~~~~
| | |
| | (10) entry to ‘vhost_svq_get_buf’
|......
| 423 | if (!vhost_svq_more_used(svq)) {
| | ~
| | |
| | (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
|
(...)
|
‘vhost_svq_get_buf’: event 14
|
| 423 | if (!vhost_svq_more_used(svq)) {
| | ^
| | |
| | (14) following ‘false’ branch...
|
‘vhost_svq_get_buf’: event 15
|
|cc1:
| (15): ...to here
|
<------+
|
‘vhost_svq_poll’: events 16-17
|
| 537 | vhost_svq_get_buf(svq, &len);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
| 538 | return len;
| | ~~~
| | |
| | (17) use of uninitialized value ‘len’ here
Note by Laurent Vivier <lvivier@redhat.com>:

    The return value is only used to detect an error:

    vhost_svq_poll
    vhost_vdpa_net_cvq_add
    vhost_vdpa_net_load_cmd
    vhost_vdpa_net_load_mac
    -> a negative return is only used to detect error

    vhost_vdpa_net_load_mq
    -> a negative return is only used to detect error

    vhost_vdpa_net_handle_ctrl_avail
    -> a negative return is only used to detect error
Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/vhost-shadow-virtqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
index 4307296358..515ccf870d 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq,
size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
{
int64_t start_us = g_get_monotonic_time();
- uint32_t len;
+ uint32_t len = 0;
do {
if (vhost_svq_more_used(svq)) {
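Review bot: initializing len to 0 silences the analyzer, but on the invalid-descriptor path vhost_svq_poll() now returns 0 without reporting anything. The function is declared `size_t vhost_svq_poll(VhostShadowVirtqueue *svq)`, so the "negative return" that the callers in Laurent's note rely on can never originate here, and a vhost_svq_get_buf() failure becomes indistinguishable from a genuine zero-length completion. Since the analyzer trace shows vhost_svq_get_buf() returns a `VirtQueueElement *`, consider checking that pointer at the `vhost_svq_get_buf(svq, &len);` call and logging a guest error (or returning through a signed type) when it is NULL, or at minimum add a comment stating that 0 means no buffer was returned.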
--
MST
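The contract the commit message describes, reduced to a toy model in C. This is an added example, not code from QEMU or from the patch author: `toy_svq`, `toy_get_buf`, `toy_poll_fixed`, `toy_poll_checked` and `toy_make` are hypothetical stand-ins for the `VhostShadowVirtqueue`, `vhost_svq_get_buf()` and `vhost_svq_poll()` shapes, and the used-ring contents are constructed. It shows the callee writing `*len` only on success, the merged fix (`len = 0`) turning a device-side failure into a silent 0, and a variant that reports the failure distinctly.

```c
/*
 * Added example, not QEMU code: a toy model of the vhost_svq_poll() /
 * vhost_svq_get_buf() contract. The callee writes *len only when it
 * returns a buffer; on an invalid descriptor it returns NULL and leaves
 * *len untouched. Before the fix the caller had this shape:
 *
 *     uint32_t len;                 // never written on the error path
 *     toy_get_buf(svq, &len);
 *     return len;                   // CWE-457: returns stack garbage
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed stand-in for a used-ring entry: (descriptor id, bytes). */
struct toy_used { uint32_t id; uint32_t len; };

/* Hypothetical shadow virtqueue; not the QEMU structure. */
struct toy_svq {
    struct toy_used ring[8];
    size_t produced;    /* entries the "device" has completed */
    size_t consumed;    /* entries the driver side has popped */
    uint32_t num_desc;  /* ids >= num_desc are invalid descriptors */
};

/* Same shape as vhost_svq_get_buf(): non-NULL on success, *len written
 * only then. An out-of-range id models a device handing back an invalid
 * descriptor, the failure the commit message is about. */
static const struct toy_used *toy_get_buf(struct toy_svq *svq, uint32_t *len)
{
    if (svq->consumed == svq->produced) {
        return NULL;                  /* nothing used yet */
    }
    const struct toy_used *e = &svq->ring[svq->consumed++];
    if (e->id >= svq->num_desc) {
        return NULL;                  /* invalid descriptor: *len untouched */
    }
    *len = e->len;
    return e;
}

/* The merged fix: len is initialized, so a failed get_buf yields 0.
 * The return type is size_t, so a caller can never see a negative value;
 * 0 here is the same 0 a zero-length completion would produce. */
static size_t toy_poll_fixed(struct toy_svq *svq)
{
    uint32_t len = 0;
    toy_get_buf(svq, &len);
    return len;
}

/* Stricter variant: check the pointer and return a distinct error, so
 * a device-side failure is not mistaken for a zero-length completion. */
static ssize_t toy_poll_checked(struct toy_svq *svq)
{
    uint32_t len = 0;
    if (!toy_get_buf(svq, &len)) {
        return -EIO;
    }
    return len;
}

/* Demo helper: a ring with exactly one completed entry (constructed). */
static struct toy_svq toy_make(uint32_t id, uint32_t len)
{
    struct toy_svq svq = { .produced = 1, .consumed = 0, .num_desc = 4 };
    svq.ring[0].id = id;
    svq.ring[0].len = len;
    return svq;
}

int main(void)
{
    struct toy_svq good = toy_make(1, 12);   /* valid id 1, 12 bytes */
    struct toy_svq bad = toy_make(99, 12);   /* id 99 >= num_desc: invalid */
    /* good: 12 from both variants; bad: 0 from fixed, -EIO from checked */
    return (toy_poll_fixed(&good) == 12 && toy_poll_checked(&bad) == -EIO) ? 0 : 1;
}
```

The `toy_poll_fixed` / `toy_poll_checked` pair is the point: the fix removes the undefined behaviour, but any caller that only tests for a negative return still treats the invalid-descriptor case as success with zero bytes, exactly as the call chain in Laurent's note would.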