[PATCH] qemu-config: never call the callback after an error, fix leak

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] qemu-config: never call the callback after an error, fix leak
@ 2021-07-07 12:15 Paolo Bonzini
  2021-07-08  9:24 ` Markus Armbruster
  0 siblings, 1 reply; 3+ messages in thread
From: Paolo Bonzini @ 2021-07-07 12:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, armbru

Ensure that the callback to qemu_config_foreach is never called upon
an error, by moving the invocation before the "out" label and ensuring
all error cases jump to the label.  The qobject_unref however needs
to be done in all cases (which Coverity is already complaining about).

The leak is basically impossible to reach, since the only common way
to get ferror(fp) is by passing a directory to -readconfig.  In that
case, the error occurs before qdict is set to anything non-NULL.
However, it's theoretically possible to get there after an EIO.

Cc: armbru@redhat.com
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 util/qemu-config.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/util/qemu-config.c b/util/qemu-config.c
index 84ee6dc4ea..6c4373e8fb 100644
--- a/util/qemu-config.c
+++ b/util/qemu-config.c
@@ -412,16 +412,15 @@ static int qemu_config_foreach(FILE *fp, QEMUConfigCB *cb, void *opaque,
         goto out;
     }
     if (ferror(fp)) {
-        loc_pop(&loc);
         error_setg_errno(errp, errno, "Cannot read config file");
-        return res;
+        goto out;
     }
     res = count;
-out:
     if (qdict) {
         cb(group, qdict, opaque, errp);
-        qobject_unref(qdict);
     }
+out:
+    qobject_unref(qdict);
     loc_pop(&loc);
     return res;
 }
-- 
2.31.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] qemu-config: never call the callback after an error, fix leak
  2021-07-07 12:15 [PATCH] qemu-config: never call the callback after an error, fix leak Paolo Bonzini
@ 2021-07-08  9:24 ` Markus Armbruster
  2021-07-08 11:40   ` Paolo Bonzini
  0 siblings, 1 reply; 3+ messages in thread
From: Markus Armbruster @ 2021-07-08  9:24 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Peter Maydell, qemu-devel

Paolo Bonzini <pbonzini@redhat.com> writes:

> Ensure that the callback to qemu_config_foreach is never called upon
> an error, by moving the invocation before the "out" label and ensuring
> all error cases jump to the label.  The qobject_unref however needs
> to be done in all cases (which Coverity is already complaining about).
>
> The leak is basically impossible to reach, since the only common way
> to get ferror(fp) is by passing a directory to -readconfig.  In that
> case, the error occurs before qdict is set to anything non-NULL.
> However, it's theoretically possible to get there after an EIO.
>
> Cc: armbru@redhat.com
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  util/qemu-config.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/util/qemu-config.c b/util/qemu-config.c
> index 84ee6dc4ea..6c4373e8fb 100644
> --- a/util/qemu-config.c
> +++ b/util/qemu-config.c
> @@ -412,16 +412,15 @@ static int qemu_config_foreach(FILE *fp, QEMUConfigCB *cb, void *opaque,
>          goto out;
>      }
>      if (ferror(fp)) {
> -        loc_pop(&loc);
>          error_setg_errno(errp, errno, "Cannot read config file");

I'm afraid we now report the error with the wrong location when @errp is
&error-fatal.

> -        return res;
> +        goto out;
>      }
>      res = count;
> -out:
>      if (qdict) {
>          cb(group, qdict, opaque, errp);
> -        qobject_unref(qdict);
>      }
> +out:
> +    qobject_unref(qdict);
>      loc_pop(&loc);
>      return res;
>  }

Looks like the patch fixes two separate issues:

1. Memory leak on ferror()
   Fixes: f7544edcd32e602af1aae86714dc7c32350d5d7c

2. Callback can run on error.
   Fixes: 37701411397c7b7d709ae92abd347cc593940ee5

   I *think* this happens when the cb() further up fails, and when a
   line following the [...] section header cannot be parsed.

Worth fixing the separate bugs in separate patches?



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] qemu-config: never call the callback after an error, fix leak
  2021-07-08  9:24 ` Markus Armbruster
@ 2021-07-08 11:40   ` Paolo Bonzini
  0 siblings, 0 replies; 3+ messages in thread
From: Paolo Bonzini @ 2021-07-08 11:40 UTC (permalink / raw)
  To: Markus Armbruster; +Cc: Peter Maydell, qemu-devel

On 08/07/21 11:24, Markus Armbruster wrote:
> Looks like the patch fixes two separate issues:
> 
> 1. Memory leak on ferror()
>     Fixes: f7544edcd32e602af1aae86714dc7c32350d5d7c
> 
> 2. Callback can run on error.
>     Fixes: 37701411397c7b7d709ae92abd347cc593940ee5
> 
>     I*think*  this happens when the cb() further up fails, and when a
>     line following the [...] section header cannot be parsed.
> 
> Worth fixing the separate bugs in separate patches?

Yes, good idea.

Paolo



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-07-08 11:43 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-07 12:15 [PATCH] qemu-config: never call the callback after an error, fix leak Paolo Bonzini
2021-07-08  9:24 ` Markus Armbruster
2021-07-08 11:40   ` Paolo Bonzini

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).