[PULL 0/1] Fix use-after-free errors in util/error.c

[PULL 0/1] Fix use-after-free errors in util/error.c

[Stefan Berger]

Hello!

   This PR fixes use-after-free errors in util/error.c as reported by Coverity.

Regards,
   Stefan


The following changes since commit 60ca584b8af0de525656f959991a440f8c191f12:

  Merge tag 'pull-for-8.0-220323-1' of https://gitlab.com/stsquad/qemu into staging (2023-03-22 17:58:12 +0000)

are available in the Git repository at:

  https://github.com/stefanberger/qemu-tpm.git tags/pull_error_handle_fix_use_after_free.v1

for you to fetch changes up to cc40b8b8448de351f0d15412f20d428712b2e207:

  util/error: Fix use-after-free errors reported by Coverity (2023-04-06 12:38:42 -0400)

----------------------------------------------------------------
Stefan Berger (1):
      util/error: Fix use-after-free errors reported by Coverity

 util/error.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

-- 
2.39.1

[PULL 1/1] util/error: Fix use-after-free errors reported by Coverity

[Stefan Berger]

Fix use-after-free errors in the code path that called error_handle(). A
call to error_handle() will now either free the passed Error 'err' or
assign it to '*errp' if '*errp' is currently NULL. This ensures that 'err'
either has been freed or is assigned to '*errp' if this function returns.
Adjust the two callers of this function to not assign the 'err' to '*errp'
themselves, since this is now handled by error_handle().

Fixes: commit 3ffef1a55ca3 ("error: add global &error_warn destination")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20230406154347.4100700-1-stefanb@linux.ibm.com
---
 util/error.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/util/error.c b/util/error.c
index 5537245da6..e5e247209a 100644
--- a/util/error.c
+++ b/util/error.c
@@ -46,6 +46,10 @@ static void error_handle(Error **errp, Error *err)
     }
     if (errp == &error_warn) {
         warn_report_err(err);
+    } else if (errp && !*errp) {
+        *errp = err;
+    } else {
+        error_free(err);
     }
 }
 
@@ -76,7 +80,6 @@ static void error_setv(Error **errp,
     err->func = func;
 
     error_handle(errp, err);
-    *errp = err;
 
     errno = saved_errno;
 }
@@ -289,11 +292,6 @@ void error_propagate(Error **dst_errp, Error *local_err)
         return;
     }
     error_handle(dst_errp, local_err);
-    if (dst_errp && !*dst_errp) {
-        *dst_errp = local_err;
-    } else {
-        error_free(local_err);
-    }
 }
 
 void error_propagate_prepend(Error **dst_errp, Error *err,
-- 
2.39.1

Re: [PULL 0/1] Fix use-after-free errors in util/error.c

[Peter Maydell]

On Thu, 6 Apr 2023 at 17:56, Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Hello!
>
>    This PR fixes use-after-free errors in util/error.c as reported by Coverity.
>
> Regards,
>    Stefan
>
>
> The following changes since commit 60ca584b8af0de525656f959991a440f8c191f12:
>
>   Merge tag 'pull-for-8.0-220323-1' of https://gitlab.com/stsquad/qemu into staging (2023-03-22 17:58:12 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/stefanberger/qemu-tpm.git tags/pull_error_handle_fix_use_after_free.v1
>
> for you to fetch changes up to cc40b8b8448de351f0d15412f20d428712b2e207:
>
>   util/error: Fix use-after-free errors reported by Coverity (2023-04-06 12:38:42 -0400)
>
> ----------------------------------------------------------------
> Stefan Berger (1):
>       util/error: Fix use-after-free errors reported by Coverity


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM