[PULL 03/40] hw/cxl: cdat: Fix failure to free buffer in erorr paths

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Fan Ni <fan.ni@samsung.com>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Subject: [PULL 03/40] hw/cxl: cdat: Fix failure to free buffer in erorr paths
Date: Fri, 19 May 2023 10:49:47 -0400	[thread overview]
Message-ID: <7b22a3218ad0b8388c8bf20d394e3220b2fc8798.1684507742.git.mst@redhat.com> (raw)
In-Reply-To: <cover.1684507742.git.mst@redhat.com>

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

The failure paths in CDAT file loading did not clear up properly.
Change to using g_auto_free and a local pointer for the buffer to
ensure this function has no side effects on error.
Also drop some unnecessary checks that can not fail.

Cleanup properly after a failure to load a CDAT file.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20230421132020.7408-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Fan Ni <fan.ni@samsung.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/cxl/cxl-cdat.c            | 33 ++++++++++++++++++---------------
 hw/mem/cxl_type3.c           |  4 ++++
 hw/pci-bridge/cxl_upstream.c |  3 +++
 3 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/hw/cxl/cxl-cdat.c b/hw/cxl/cxl-cdat.c
index 056711d63d..d246d6885b 100644
--- a/hw/cxl/cxl-cdat.c
+++ b/hw/cxl/cxl-cdat.c
@@ -108,6 +108,7 @@ static void ct3_build_cdat(CDATObject *cdat, Error **errp)
 static void ct3_load_cdat(CDATObject *cdat, Error **errp)
 {
     g_autofree CDATEntry *cdat_st = NULL;
+    g_autofree char *buf = NULL;
     uint8_t sum = 0;
     int num_ent;
     int i = 0, ent = 1;
@@ -116,7 +117,7 @@ static void ct3_load_cdat(CDATObject *cdat, Error **errp)
     GError *error = NULL;
 
     /* Read CDAT file and create its cache */
-    if (!g_file_get_contents(cdat->filename, (gchar **)&cdat->buf,
+    if (!g_file_get_contents(cdat->filename, (gchar **)&buf,
                              &file_size, &error)) {
         error_setg(errp, "CDAT: File read failed: %s", error->message);
         g_error_free(error);
@@ -129,9 +130,17 @@ static void ct3_load_cdat(CDATObject *cdat, Error **errp)
     i = sizeof(CDATTableHeader);
     num_ent = 1;
     while (i < file_size) {
-        hdr = (CDATSubHeader *)(cdat->buf + i);
+        hdr = (CDATSubHeader *)(buf + i);
+        if (i + sizeof(CDATSubHeader) > file_size) {
+            error_setg(errp, "CDAT: Truncated table");
+            return;
+        }
         cdat_len_check(hdr, errp);
         i += hdr->length;
+        if (i > file_size) {
+            error_setg(errp, "CDAT: Truncated table");
+            return;
+        }
         num_ent++;
     }
     if (i != file_size) {
@@ -139,33 +148,26 @@ static void ct3_load_cdat(CDATObject *cdat, Error **errp)
         return;
     }
 
-    cdat_st = g_malloc0(sizeof(*cdat_st) * num_ent);
-    if (!cdat_st) {
-        error_setg(errp, "CDAT: Failed to allocate entry array");
-        return;
-    }
+    cdat_st = g_new0(CDATEntry, num_ent);
 
     /* Set CDAT header, Entry = 0 */
-    cdat_st[0].base = cdat->buf;
+    cdat_st[0].base = buf;
     cdat_st[0].length = sizeof(CDATTableHeader);
     i = 0;
 
     while (i < cdat_st[0].length) {
-        sum += cdat->buf[i++];
+        sum += buf[i++];
     }
 
     /* Read CDAT structures */
     while (i < file_size) {
-        hdr = (CDATSubHeader *)(cdat->buf + i);
-        cdat_len_check(hdr, errp);
-
+        hdr = (CDATSubHeader *)(buf + i);
         cdat_st[ent].base = hdr;
         cdat_st[ent].length = hdr->length;
 
-        while (cdat->buf + i <
-               (uint8_t *)cdat_st[ent].base + cdat_st[ent].length) {
+        while (buf + i < (char *)cdat_st[ent].base + cdat_st[ent].length) {
             assert(i < file_size);
-            sum += cdat->buf[i++];
+            sum += buf[i++];
         }
 
         ent++;
@@ -176,6 +178,7 @@ static void ct3_load_cdat(CDATObject *cdat, Error **errp)
     }
     cdat->entry_len = num_ent;
     cdat->entry = g_steal_pointer(&cdat_st);
+    cdat->buf = g_steal_pointer(&buf);
 }
 
 void cxl_doe_cdat_init(CXLComponentState *cxl_cstate, Error **errp)
diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index abe60b362c..7647122cc6 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -593,6 +593,9 @@ static void ct3_realize(PCIDevice *pci_dev, Error **errp)
     cxl_cstate->cdat.free_cdat_table = ct3_free_cdat_table;
     cxl_cstate->cdat.private = ct3d;
     cxl_doe_cdat_init(cxl_cstate, errp);
+    if (*errp) {
+        goto err_free_special_ops;
+    }
 
     pcie_cap_deverr_init(pci_dev);
     /* Leave a bit of room for expansion */
@@ -605,6 +608,7 @@ static void ct3_realize(PCIDevice *pci_dev, Error **errp)
 
 err_release_cdat:
     cxl_doe_cdat_release(cxl_cstate);
+err_free_special_ops:
     g_free(regs->special_ops);
 err_address_space_free:
     address_space_destroy(&ct3d->hostmem_as);
diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
index 9df436cb73..ef47e5d625 100644
--- a/hw/pci-bridge/cxl_upstream.c
+++ b/hw/pci-bridge/cxl_upstream.c
@@ -346,6 +346,9 @@ static void cxl_usp_realize(PCIDevice *d, Error **errp)
     cxl_cstate->cdat.free_cdat_table = free_default_cdat_table;
     cxl_cstate->cdat.private = d;
     cxl_doe_cdat_init(cxl_cstate, errp);
+    if (*errp) {
+        goto err_cap;
+    }
 
     return;
 
-- 
MST

next prev parent reply	other threads:[~2023-05-19 14:51 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-19 14:49 [PULL 00/40] virtio,pc,pci: fixes, features, cleanups Michael S. Tsirkin
2023-05-19 14:49 ` [PULL 01/40] vhost: fix possible wrap in SVQ descriptor ring Michael S. Tsirkin
2023-05-19 14:49 ` [PULL 02/40] hw/cxl: cdat: Fix open file not closed in ct3_load_cdat() Michael S. Tsirkin
2023-05-19 14:49 ` Michael S. Tsirkin [this message]
2023-05-19 14:49 ` [PULL 04/40] docs/cxl: fix some typos Michael S. Tsirkin
2023-05-19 14:49 ` [PULL 05/40] docs/cxl: Remove incorrect CXL type 3 size parameter Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 06/40] docs/cxl: Replace unsupported AARCH64 with x86_64 Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 07/40] hw/cxl: drop pointless memory_region_transaction_guards Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 08/40] hw/cxl: Fix endian handling for decoder commit Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 09/40] hw/cxl: Fix incorrect reset of commit and associated clearing of committed Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 10/40] tests/qtest/cxl-test: whitespace, line ending cleanup Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 11/40] hw/mem: Use memory_region_size() in cxl_type3 Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 12/40] hw/cxl: Multi-Region CXL Type-3 Devices (Volatile and Persistent) Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 13/40] ACPI: bios-tables-test.c step 2 (allowed-diff entries) Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 14/40] ACPI: i386: bump to MADT to revision 3 Michael S. Tsirkin
2023-05-19 14:50 ` [PULL 15/40] ACPI: bios-tables-test.c step 5 (update expected table binaries) Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 16/40] pci: pci_add_option_rom(): improve style Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 17/40] pci: pci_add_option_rom(): refactor: use g_autofree for path variable Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 18/40] vhost-user: send SET_STATUS 0 after GET_VRING_BASE Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 19/40] hw/pci: Disable PCI_ERR_UNCOR_MASK register for machine type < 8.0 Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 20/40] virtio-mem: Default to "unplugged-inaccessible=on" with 8.1 on x86-64 Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 21/40] vhost-user: Remove acpi-specific memslot limit Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 22/40] virtio-net: not enable vq reset feature unconditionally Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 23/40] virtio-crypto: fix NULL pointer dereference in virtio_crypto_free_request Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 24/40] vhost: expose function vhost_dev_has_iommu() Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 25/40] vhost_vdpa: fix the input in trace_vhost_vdpa_listener_region_del() Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 26/40] vhost-vdpa: Add check for full 64-bit in region delete Michael S. Tsirkin
2023-05-19 14:51 ` [PULL 27/40] vhost-vdpa: Add support for vIOMMU Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 28/40] hw/pci-host/i440fx: Inline sysbus_add_io() Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 29/40] hw/pci-host/q35: " Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 30/40] hw/i386/pc_q35: Reuse machine parameter Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 31/40] hw/i386/pc_{q35,piix}: Reuse MachineClass::desc as SMB product name Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 32/40] hw/i386/pc_{q35,piix}: Minimize usage of get_system_memory() Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 33/40] hw/i386/pc: Initialize ram_memory variable directly Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 34/40] hw/pci-host/pam: Make init_pam() usage more readable Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 35/40] virtio-pci: add handling of PCI ATS and Device-TLB enable/disable Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 36/40] hw/pci-bridge: make building pcie-to-pci bridge configurable Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 37/40] hw/cxl: rename mailbox return code type from ret_code to CXLRetCode Michael S. Tsirkin
2023-05-19 14:52 ` [PULL 38/40] hw/cxl: Introduce cxl_device_get_timestamp() utility function Michael S. Tsirkin
2023-05-19 14:53 ` [PULL 39/40] hw/i386/pc: Create RTC controllers in south bridges Michael S. Tsirkin
2023-05-19 14:53 ` [PULL 40/40] hw/i386/pc: No need for rtc_state to be an out-parameter Michael S. Tsirkin
2023-05-20  3:34 ` [PULL 00/40] virtio,pc,pci: fixes, features, cleanups Richard Henderson

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:056711d63 dfblob:d246d6885 dfblob:abe60b362 dfblob:7647122cc
dfblob:9df436cb7 dfblob:ef47e5d62 )
 OR (
bs:"[PULL 03/40] hw/cxl: cdat: Fix failure to free buffer in erorr paths" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7b22a3218ad0b8388c8bf20d394e3220b2fc8798.1684507742.git.mst@redhat.com \
    --to=mst@redhat.com \
    --cc=Jonathan.Cameron@huawei.com \
    --cc=fan.ni@samsung.com \
    --cc=marcel.apfelbaum@gmail.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).