* [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes @ 2021-06-01 15:57 Stefan Hajnoczi 2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi 2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi 0 siblings, 2 replies; 7+ messages in thread From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw) To: qemu-devel Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi, Paolo Bonzini v2: * Drop Patch 2 since the mkstemp(3) umask warning is archaic and hasn't applied for a long time [Peter] * Fix inconsistent g_assert_cmpint()/assert(3) usage in Patch 1 [Peter] This patch series addresses recent Coverity reports. Please see the individual patches for details. Stefan Hajnoczi (2): vhost-user-blk-test: fix Coverity open(2) false positives ui/vdagent: fix clipboard info memory leak in error path tests/qtest/vhost-user-blk-test.c | 8 ++++++-- ui/vdagent.c | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) -- 2.31.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives 2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi @ 2021-06-01 15:57 ` Stefan Hajnoczi 2021-06-01 16:27 ` Philippe Mathieu-Daudé 2021-06-02 3:41 ` Thomas Huth 2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi 1 sibling, 2 replies; 7+ messages in thread From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw) To: qemu-devel Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi, Paolo Bonzini Coverity checks that the file descriptor return value of open(2) is checked and used. Normally this is helpful in identifying real bugs but vhost-user-blk-test opens /dev/null as stdin and stdout after fork. In this case we don't need to look at the return value because these open(2) calls cannot fail in any reasonable environment. We already know their return values ahead of time since we closed stdin and stdout previously. open(2) is guaranteed to pick the lowest available fd number. Silence Coverity by introducing code that checks what we already know to be true. ** CID 1453270: Resource leaks (RESOURCE_LEAK) /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() ________________________________________________________________________________________________________ *** CID 1453270: Resource leaks (RESOURCE_LEAK) /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() 914 * Close standard file descriptors so tap-driver.pl pipe detects when 915 * our parent terminates. 916 */ 917 close(0); 918 close(1); 919 open("/dev/null", O_RDONLY); >>> CID 1453270: Resource leaks (RESOURCE_LEAK) >>> Ignoring handle opened by "open("/dev/null", 1)" leaks it. 920 open("/dev/null", O_WRONLY); 921 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); 923 exit(1); 924 } 925 g_string_free(storage_daemon_command, true); ** CID 1453269: Error handling issues (NEGATIVE_RETURNS) /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() ________________________________________________________________________________________________________ *** CID 1453269: Error handling issues (NEGATIVE_RETURNS) /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() 823 char *path; 824 825 /* No race because our pid makes the path unique */ 826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid()); 827 tmp_fd = mkstemp(path); 828 g_assert_cmpint(tmp_fd, >=, 0); >>> CID 1453269: Error handling issues (NEGATIVE_RETURNS) >>> "tmp_fd" is passed to a parameter that cannot be negative. 829 close(tmp_fd); 830 unlink(path); 831 832 *fd = qtest_socket_server(path); 833 g_test_queue_destroy(destroy_file, path); 834 return path; ** CID 1453268: (CHECKED_RETURN) /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() ________________________________________________________________________________________________________ *** CID 1453268: (CHECKED_RETURN) /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() 914 * Close standard file descriptors so tap-driver.pl pipe detects when 915 * our parent terminates. 916 */ 917 close(0); 918 close(1); 919 open("/dev/null", O_RDONLY); >>> CID 1453268: (CHECKED_RETURN) >>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] 920 open("/dev/null", O_WRONLY); 921 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); 923 exit(1); 924 } 925 g_string_free(storage_daemon_command, true); /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() 913 /* 914 * Close standard file descriptors so tap-driver.pl pipe detects when 915 * our parent terminates. 916 */ 917 close(0); 918 close(1); >>> CID 1453268: (CHECKED_RETURN) >>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] 919 open("/dev/null", O_RDONLY); 920 open("/dev/null", O_WRONLY); 921 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); 923 exit(1); 924 } Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> --- tests/qtest/vhost-user-blk-test.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/qtest/vhost-user-blk-test.c b/tests/qtest/vhost-user-blk-test.c index 8796c74ca4..c5c4667759 100644 --- a/tests/qtest/vhost-user-blk-test.c +++ b/tests/qtest/vhost-user-blk-test.c @@ -910,14 +910,18 @@ static void start_vhost_user_blk(GString *cmd_line, int vus_instances, storage_daemon_command->str); pid_t pid = fork(); if (pid == 0) { + int fd; + /* * Close standard file descriptors so tap-driver.pl pipe detects when * our parent terminates. */ close(0); + fd = open("/dev/null", O_RDONLY); + g_assert_cmpint(fd, ==, 0); close(1); - open("/dev/null", O_RDONLY); - open("/dev/null", O_WRONLY); + fd = open("/dev/null", O_WRONLY); + g_assert_cmpint(fd, ==, 1); execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); exit(1); -- 2.31.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives 2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi @ 2021-06-01 16:27 ` Philippe Mathieu-Daudé 2021-06-02 3:41 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Philippe Mathieu-Daudé @ 2021-06-01 16:27 UTC (permalink / raw) To: Stefan Hajnoczi, qemu-devel Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini On 6/1/21 5:57 PM, Stefan Hajnoczi wrote: > Coverity checks that the file descriptor return value of open(2) is > checked and used. Normally this is helpful in identifying real bugs but > vhost-user-blk-test opens /dev/null as stdin and stdout after fork. > > In this case we don't need to look at the return value because these > open(2) calls cannot fail in any reasonable environment. We already know > their return values ahead of time since we closed stdin and stdout > previously. open(2) is guaranteed to pick the lowest available fd > number. > > Silence Coverity by introducing code that checks what we already know to > be true. > > ** CID 1453270: Resource leaks (RESOURCE_LEAK) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > > ________________________________________________________________________________________________________ > *** CID 1453270: Resource leaks (RESOURCE_LEAK) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); > 919 open("/dev/null", O_RDONLY); >>>> CID 1453270: Resource leaks (RESOURCE_LEAK) >>>> Ignoring handle opened by "open("/dev/null", 1)" leaks it. > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > 925 g_string_free(storage_daemon_command, true); > > ** CID 1453269: Error handling issues (NEGATIVE_RETURNS) > /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() > > ________________________________________________________________________________________________________ > *** CID 1453269: Error handling issues (NEGATIVE_RETURNS) > /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() > 823 char *path; > 824 > 825 /* No race because our pid makes the path unique */ > 826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid()); > 827 tmp_fd = mkstemp(path); > 828 g_assert_cmpint(tmp_fd, >=, 0); >>>> CID 1453269: Error handling issues (NEGATIVE_RETURNS) >>>> "tmp_fd" is passed to a parameter that cannot be negative. > 829 close(tmp_fd); > 830 unlink(path); > 831 > 832 *fd = qtest_socket_server(path); > 833 g_test_queue_destroy(destroy_file, path); > 834 return path; > > ** CID 1453268: (CHECKED_RETURN) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() > > ________________________________________________________________________________________________________ > *** CID 1453268: (CHECKED_RETURN) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); > 919 open("/dev/null", O_RDONLY); >>>> CID 1453268: (CHECKED_RETURN) >>>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > 925 g_string_free(storage_daemon_command, true); > /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() > 913 /* > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); >>>> CID 1453268: (CHECKED_RETURN) >>>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] > 919 open("/dev/null", O_RDONLY); > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > --- > tests/qtest/vhost-user-blk-test.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives 2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi 2021-06-01 16:27 ` Philippe Mathieu-Daudé @ 2021-06-02 3:41 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Thomas Huth @ 2021-06-02 3:41 UTC (permalink / raw) To: Stefan Hajnoczi, qemu-devel Cc: Laurent Vivier, Kevin Wolf, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini On 01/06/2021 17.57, Stefan Hajnoczi wrote: > Coverity checks that the file descriptor return value of open(2) is > checked and used. Normally this is helpful in identifying real bugs but > vhost-user-blk-test opens /dev/null as stdin and stdout after fork. > > In this case we don't need to look at the return value because these > open(2) calls cannot fail in any reasonable environment. We already know > their return values ahead of time since we closed stdin and stdout > previously. open(2) is guaranteed to pick the lowest available fd > number. > > Silence Coverity by introducing code that checks what we already know to > be true. > > ** CID 1453270: Resource leaks (RESOURCE_LEAK) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > > ________________________________________________________________________________________________________ > *** CID 1453270: Resource leaks (RESOURCE_LEAK) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); > 919 open("/dev/null", O_RDONLY); >>>> CID 1453270: Resource leaks (RESOURCE_LEAK) >>>> Ignoring handle opened by "open("/dev/null", 1)" leaks it. > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > 925 g_string_free(storage_daemon_command, true); > > ** CID 1453269: Error handling issues (NEGATIVE_RETURNS) > /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() > > ________________________________________________________________________________________________________ > *** CID 1453269: Error handling issues (NEGATIVE_RETURNS) > /qemu/tests/qtest/vhost-user-blk-test.c: 829 in create_listen_socket() > 823 char *path; > 824 > 825 /* No race because our pid makes the path unique */ > 826 path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid()); > 827 tmp_fd = mkstemp(path); > 828 g_assert_cmpint(tmp_fd, >=, 0); >>>> CID 1453269: Error handling issues (NEGATIVE_RETURNS) >>>> "tmp_fd" is passed to a parameter that cannot be negative. > 829 close(tmp_fd); > 830 unlink(path); > 831 > 832 *fd = qtest_socket_server(path); > 833 g_test_queue_destroy(destroy_file, path); > 834 return path; > > ** CID 1453268: (CHECKED_RETURN) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() > > ________________________________________________________________________________________________________ > *** CID 1453268: (CHECKED_RETURN) > /qemu/tests/qtest/vhost-user-blk-test.c: 920 in start_vhost_user_blk() > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); > 919 open("/dev/null", O_RDONLY); >>>> CID 1453268: (CHECKED_RETURN) >>>> Calling "open("/dev/null", 1)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > 925 g_string_free(storage_daemon_command, true); > /qemu/tests/qtest/vhost-user-blk-test.c: 919 in start_vhost_user_blk() > 913 /* > 914 * Close standard file descriptors so tap-driver.pl pipe detects when > 915 * our parent terminates. > 916 */ > 917 close(0); > 918 close(1); >>>> CID 1453268: (CHECKED_RETURN) >>>> Calling "open("/dev/null", 0)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.] > 919 open("/dev/null", O_RDONLY); > 920 open("/dev/null", O_WRONLY); > 921 > 922 execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > 923 exit(1); > 924 } > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > --- > tests/qtest/vhost-user-blk-test.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/tests/qtest/vhost-user-blk-test.c b/tests/qtest/vhost-user-blk-test.c > index 8796c74ca4..c5c4667759 100644 > --- a/tests/qtest/vhost-user-blk-test.c > +++ b/tests/qtest/vhost-user-blk-test.c > @@ -910,14 +910,18 @@ static void start_vhost_user_blk(GString *cmd_line, int vus_instances, > storage_daemon_command->str); > pid_t pid = fork(); > if (pid == 0) { > + int fd; > + > /* > * Close standard file descriptors so tap-driver.pl pipe detects when > * our parent terminates. > */ > close(0); > + fd = open("/dev/null", O_RDONLY); > + g_assert_cmpint(fd, ==, 0); > close(1); > - open("/dev/null", O_RDONLY); > - open("/dev/null", O_WRONLY); > + fd = open("/dev/null", O_WRONLY); > + g_assert_cmpint(fd, ==, 1); > > execlp("/bin/sh", "sh", "-c", storage_daemon_command->str, NULL); > exit(1); > Reviewed-by: Thomas Huth <thuth@redhat.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path 2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi 2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi @ 2021-06-01 15:57 ` Stefan Hajnoczi 2021-06-01 16:28 ` Philippe Mathieu-Daudé 2021-06-02 3:44 ` Thomas Huth 1 sibling, 2 replies; 7+ messages in thread From: Stefan Hajnoczi @ 2021-06-01 15:57 UTC (permalink / raw) To: qemu-devel Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Stefan Hajnoczi, Paolo Bonzini If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info when returning early. Thanks to Coverity for spotting this: *** CID 1453266: Resource leaks (RESOURCE_LEAK) /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard() 459 info = qemu_clipboard_info_new(&vd->cbpeer, s); 460 if (size > sizeof(uint32_t) * 10) { 461 /* 462 * spice has 6 types as of 2021. Limiting to 10 entries 463 * so we we have some wiggle room. 464 */ >>> CID 1453266: Resource leaks (RESOURCE_LEAK) >>> Variable "info" going out of scope leaks the storage it points to. 465 return; 466 } 467 while (size >= sizeof(uint32_t)) { 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data)); 469 switch (*(uint32_t *)data) { 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT: Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support") Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> --- ui/vdagent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ui/vdagent.c b/ui/vdagent.c index a253a8fe63..8fc54d330e 100644 --- a/ui/vdagent.c +++ b/ui/vdagent.c @@ -456,7 +456,6 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg) switch (msg->type) { case VD_AGENT_CLIPBOARD_GRAB: trace_vdagent_cb_grab_selection(GET_NAME(sel_name, s)); - info = qemu_clipboard_info_new(&vd->cbpeer, s); if (size > sizeof(uint32_t) * 10) { /* * spice has 6 types as of 2021. Limiting to 10 entries @@ -464,6 +463,7 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg) */ return; } + info = qemu_clipboard_info_new(&vd->cbpeer, s); while (size >= sizeof(uint32_t)) { trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data)); switch (*(uint32_t *)data) { -- 2.31.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path 2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi @ 2021-06-01 16:28 ` Philippe Mathieu-Daudé 2021-06-02 3:44 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Philippe Mathieu-Daudé @ 2021-06-01 16:28 UTC (permalink / raw) To: Stefan Hajnoczi, qemu-devel Cc: Laurent Vivier, Kevin Wolf, Thomas Huth, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini On 6/1/21 5:57 PM, Stefan Hajnoczi wrote: > If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info > when returning early. > > Thanks to Coverity for spotting this: > > *** CID 1453266: Resource leaks (RESOURCE_LEAK) > /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard() > 459 info = qemu_clipboard_info_new(&vd->cbpeer, s); > 460 if (size > sizeof(uint32_t) * 10) { > 461 /* > 462 * spice has 6 types as of 2021. Limiting to 10 entries > 463 * so we we have some wiggle room. > 464 */ >>>> CID 1453266: Resource leaks (RESOURCE_LEAK) >>>> Variable "info" going out of scope leaks the storage it points to. > 465 return; > 466 } > 467 while (size >= sizeof(uint32_t)) { > 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data)); > 469 switch (*(uint32_t *)data) { > 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT: > > Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support") > Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > --- > ui/vdagent.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path 2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi 2021-06-01 16:28 ` Philippe Mathieu-Daudé @ 2021-06-02 3:44 ` Thomas Huth 1 sibling, 0 replies; 7+ messages in thread From: Thomas Huth @ 2021-06-02 3:44 UTC (permalink / raw) To: Stefan Hajnoczi, qemu-devel Cc: Laurent Vivier, Kevin Wolf, qemu-block, Peter Maydell, Coiby Xu, Gerd Hoffmann, Paolo Bonzini On 01/06/2021 17.57, Stefan Hajnoczi wrote: > If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info > when returning early. > > Thanks to Coverity for spotting this: > > *** CID 1453266: Resource leaks (RESOURCE_LEAK) > /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard() > 459 info = qemu_clipboard_info_new(&vd->cbpeer, s); > 460 if (size > sizeof(uint32_t) * 10) { > 461 /* > 462 * spice has 6 types as of 2021. Limiting to 10 entries > 463 * so we we have some wiggle room. > 464 */ >>>> CID 1453266: Resource leaks (RESOURCE_LEAK) >>>> Variable "info" going out of scope leaks the storage it points to. > 465 return; > 466 } > 467 while (size >= sizeof(uint32_t)) { > 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data)); > 469 switch (*(uint32_t *)data) { > 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT: > > Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard support") > Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> > --- > ui/vdagent.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ui/vdagent.c b/ui/vdagent.c > index a253a8fe63..8fc54d330e 100644 > --- a/ui/vdagent.c > +++ b/ui/vdagent.c > @@ -456,7 +456,6 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg) > switch (msg->type) { > case VD_AGENT_CLIPBOARD_GRAB: > trace_vdagent_cb_grab_selection(GET_NAME(sel_name, s)); > - info = qemu_clipboard_info_new(&vd->cbpeer, s); > if (size > sizeof(uint32_t) * 10) { > /* > * spice has 6 types as of 2021. Limiting to 10 entries > @@ -464,6 +463,7 @@ static void vdagent_chr_recv_clipboard(VDAgentChardev *vd, VDAgentMessage *msg) > */ > return; > } > + info = qemu_clipboard_info_new(&vd->cbpeer, s); > while (size >= sizeof(uint32_t)) { > trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t *)data)); > switch (*(uint32_t *)data) { > Reviewed-by: Thomas Huth <thuth@redhat.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-06-02 3:45 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-06-01 15:57 [PATCH v2 0/2] vhost-user-blk-test and vdagent Coverity fixes Stefan Hajnoczi 2021-06-01 15:57 ` [PATCH v2 1/2] vhost-user-blk-test: fix Coverity open(2) false positives Stefan Hajnoczi 2021-06-01 16:27 ` Philippe Mathieu-Daudé 2021-06-02 3:41 ` Thomas Huth 2021-06-01 15:57 ` [PATCH v2 2/2] ui/vdagent: fix clipboard info memory leak in error path Stefan Hajnoczi 2021-06-01 16:28 ` Philippe Mathieu-Daudé 2021-06-02 3:44 ` Thomas Huth
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).