[PATCH v2 0/4] migration: A few fixes on coverity reports

[PATCH v2 0/4] migration: A few fixes on coverity reports

[Peter Xu]

v2:
- Added tags for Fabiano
- Patch 1: dump the %d too along with %s [Fabiano]
- Patch 2: make the error returned to the caller, with some refactoring
- Added new patch 4 to fix a crash on cpr-exec when args==NULL

A small series that fixes three coverity reported issues.  Please review,
thanks.

Peter Xu (4):
  migration: Fix error leak in postcopy_ram_listen_thread()
  migration/cpr: Fix coverity report in cpr_exec_persist_state()
  migration/cpr: Fix UAF in cpr_exec_cb() when execvp() fails
  migration/cpr: Avoid crashing QEMU when cpr-exec runs with no args

 include/migration/cpr.h |  4 ++--
 migration/cpr-exec.c    | 14 ++++++++++----
 migration/cpr.c         | 15 +++++++++------
 migration/migration.c   |  8 +++++++-
 migration/savevm.c      |  7 ++++---
 5 files changed, 32 insertions(+), 16 deletions(-)

-- 
2.50.1

[PATCH v2 1/4] migration: Fix error leak in postcopy_ram_listen_thread()

[Peter Xu]

As reported and analyzed by Peter:

https://lore.kernel.org/r/CAFEAcA9otBWtR7rPQ0Y9aBm+7ZWJzd4VWpXrAmGr8XspPn+zpw@mail.gmail.com

Fix it by freeing the error.  When at it, always reset the local_err
pointer in both paths.

Cc: Arun Menon <armenon@redhat.com>
Resolves: Coverity CID 1641390
Fixes: 94272d9b45 ("migration: Capture error in postcopy_ram_listen_thread()")
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/savevm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index aafa40d779..232cae090b 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -2136,17 +2136,18 @@ static void *postcopy_ram_listen_thread(void *opaque)
         if (postcopy_state_get() == POSTCOPY_INCOMING_RUNNING &&
             !migrate_postcopy_ram() && migrate_dirty_bitmaps())
         {
-            error_report("%s: loadvm failed during postcopy: %d. All states "
+            error_report("%s: loadvm failed during postcopy: %d: %s. All states "
                          "are migrated except dirty bitmaps. Some dirty "
                          "bitmaps may be lost, and present migrated dirty "
                          "bitmaps are correctly migrated and valid.",
-                         __func__, load_res);
+                         __func__, load_res, error_get_pretty(local_err));
+            g_clear_pointer(&local_err, error_free);
             load_res = 0; /* prevent further exit() */
         } else {
             error_prepend(&local_err,
                           "loadvm failed during postcopy: %d: ", load_res);
             migrate_set_error(migr, local_err);
-            error_report_err(local_err);
+            g_clear_pointer(&local_err, error_report_err);
             migrate_set_state(&mis->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
                                            MIGRATION_STATUS_FAILED);
         }
-- 
2.50.1

[PATCH v2 2/4] migration/cpr: Fix coverity report in cpr_exec_persist_state()

[Peter Xu]

Per reported and analyzed by Peter:

https://lore.kernel.org/r/CAFEAcA_mUQ2NeoguR5efrhw7XYGofnriWEA=+Dg+Ocvyam1wAw@mail.gmail.com

mfd leak is a false positive, try to use a coverity annotation (which I
didn't find manual myself, but still give it a shot).

Fix the other one by capture error if setenv() failed.  When at it, pass
the error to the top (cpr_state_save()).  Along the way, changing all
retval to bool when errp is around.

Resolves: Coverity CID 1641391
Resolves: Coverity CID 1641392
Fixes: efc6587313 ("migration: cpr-exec save and load")
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 include/migration/cpr.h |  4 ++--
 migration/cpr-exec.c    | 10 ++++++++--
 migration/cpr.c         | 15 +++++++++------
 migration/migration.c   |  2 +-
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/include/migration/cpr.h b/include/migration/cpr.h
index a412d6663c..027cb98073 100644
--- a/include/migration/cpr.h
+++ b/include/migration/cpr.h
@@ -41,7 +41,7 @@ MigMode cpr_get_incoming_mode(void);
 void cpr_set_incoming_mode(MigMode mode);
 bool cpr_is_incoming(void);
 
-int cpr_state_save(MigrationChannel *channel, Error **errp);
+bool cpr_state_save(MigrationChannel *channel, Error **errp);
 int cpr_state_load(MigrationChannel *channel, Error **errp);
 void cpr_state_close(void);
 struct QIOChannel *cpr_state_ioc(void);
@@ -56,7 +56,7 @@ QEMUFile *cpr_transfer_input(MigrationChannel *channel, Error **errp);
 void cpr_exec_init(void);
 QEMUFile *cpr_exec_output(Error **errp);
 QEMUFile *cpr_exec_input(Error **errp);
-void cpr_exec_persist_state(QEMUFile *f);
+bool cpr_exec_persist_state(QEMUFile *f, Error **errp);
 bool cpr_exec_has_state(void);
 void cpr_exec_unpersist_state(void);
 void cpr_exec_unpreserve_fds(void);
diff --git a/migration/cpr-exec.c b/migration/cpr-exec.c
index d57714bc5d..087ca94c87 100644
--- a/migration/cpr-exec.c
+++ b/migration/cpr-exec.c
@@ -40,16 +40,22 @@ static QEMUFile *qemu_file_new_fd_output(int fd, const char *name)
     return qemu_file_new_output(ioc);
 }
 
-void cpr_exec_persist_state(QEMUFile *f)
+bool cpr_exec_persist_state(QEMUFile *f, Error **errp)
 {
     QIOChannelFile *fioc = QIO_CHANNEL_FILE(qemu_file_get_ioc(f));
+    /* coverity[leaked_storage] - mfd intentionally kept open across exec() */
     int mfd = dup(fioc->fd);
     char val[16];
 
     /* Remember mfd in environment for post-exec load */
     qemu_clear_cloexec(mfd);
     snprintf(val, sizeof(val), "%d", mfd);
-    g_setenv(CPR_EXEC_STATE_NAME, val, 1);
+    if (!g_setenv(CPR_EXEC_STATE_NAME, val, 1)) {
+        error_setg(errp, "Setting env %s = %s failed", CPR_EXEC_STATE_NAME, val);
+        return false;
+    }
+
+    return true;
 }
 
 static int cpr_exec_find_state(void)
diff --git a/migration/cpr.c b/migration/cpr.c
index 22dbac7c72..adee2a919a 100644
--- a/migration/cpr.c
+++ b/migration/cpr.c
@@ -176,7 +176,7 @@ bool cpr_is_incoming(void)
     return incoming_mode != MIG_MODE_NONE;
 }
 
-int cpr_state_save(MigrationChannel *channel, Error **errp)
+bool cpr_state_save(MigrationChannel *channel, Error **errp)
 {
     int ret;
     QEMUFile *f;
@@ -190,10 +190,10 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
     } else if (mode == MIG_MODE_CPR_EXEC) {
         f = cpr_exec_output(errp);
     } else {
-        return 0;
+        return true;
     }
     if (!f) {
-        return -1;
+        return false;
     }
 
     qemu_put_be32(f, QEMU_CPR_FILE_MAGIC);
@@ -202,11 +202,14 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
     ret = vmstate_save_state(f, &vmstate_cpr_state, &cpr_state, 0, errp);
     if (ret) {
         qemu_fclose(f);
-        return ret;
+        return false;
     }
 
     if (migrate_mode() == MIG_MODE_CPR_EXEC) {
-        cpr_exec_persist_state(f);
+        if (!cpr_exec_persist_state(f, errp)) {
+            qemu_fclose(f);
+            return false;
+        }
     }
 
     /*
@@ -217,7 +220,7 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
     qio_channel_shutdown(qemu_file_get_ioc(f), QIO_CHANNEL_SHUTDOWN_WRITE,
                          NULL);
     cpr_state_file = f;
-    return 0;
+    return true;
 }
 
 int cpr_state_load(MigrationChannel *channel, Error **errp)
diff --git a/migration/migration.c b/migration/migration.c
index a63b46bbef..c8a5712993 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2301,7 +2301,7 @@ void qmp_migrate(const char *uri, bool has_channels,
         return;
     }
 
-    if (cpr_state_save(cpr_channel, &local_err)) {
+    if (!cpr_state_save(cpr_channel, &local_err)) {
         goto out;
     }
 
-- 
2.50.1

[PATCH v2 3/4] migration/cpr: Fix UAF in cpr_exec_cb() when execvp() fails

[Peter Xu]

Per reported and analyzed by Peter:

https://lore.kernel.org/r/CAFEAcA82ih8RVCm-u1oxiS0V2K4rV4jMzNb13pAV=e2ivmiDRA@mail.gmail.com

Fix the issue by moving the error_setg_errno() earlier.  When at it, clear
argv variable after freed.

Resolves: Coverity CID 1641397
Fixes: a3eae205c6 ("migration: cpr-exec mode")
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/cpr-exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/migration/cpr-exec.c b/migration/cpr-exec.c
index 087ca94c87..d284f6e734 100644
--- a/migration/cpr-exec.c
+++ b/migration/cpr-exec.c
@@ -152,10 +152,10 @@ static void cpr_exec_cb(void *opaque)
      * exec should only fail if argv[0] is bogus, or has a permissions problem,
      * or the system is very short on resources.
      */
-    g_strfreev(argv);
+    error_setg_errno(&err, errno, "execvp %s failed", argv[0]);
+    g_clear_pointer(&argv, g_strfreev);
     cpr_exec_unpreserve_fds();
 
-    error_setg_errno(&err, errno, "execvp %s failed", argv[0]);
     error_report_err(error_copy(err));
     migrate_set_state(&s->state, s->state, MIGRATION_STATUS_FAILED);
     migrate_set_error(s, err);
-- 
2.50.1

[PATCH v2 4/4] migration/cpr: Avoid crashing QEMU when cpr-exec runs with no args

[Peter Xu]

If an user invokes cpr-exec without setting the exec args first, currently
it'll crash QEMU.

Avoid it, instead fail the QMP migrate command.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/migration/migration.c b/migration/migration.c
index c8a5712993..4ed2a2e881 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2195,6 +2195,12 @@ static bool migrate_prepare(MigrationState *s, bool resume, Error **errp)
             error_setg(errp, "Cannot use %s with CPR", conflict);
             return false;
         }
+
+        if (s->parameters.mode == MIG_MODE_CPR_EXEC &&
+            !s->parameters.cpr_exec_command) {
+            error_setg(errp, "Parameter 'cpr-exec-command' required for cpr-exec");
+            return false;
+        }
     }
 
     if (migrate_init(s, errp)) {
-- 
2.50.1

Re: [PATCH v2 1/4] migration: Fix error leak in postcopy_ram_listen_thread()

[Fabiano Rosas]

Peter Xu <peterx@redhat.com> writes:

> As reported and analyzed by Peter:
>
> https://lore.kernel.org/r/CAFEAcA9otBWtR7rPQ0Y9aBm+7ZWJzd4VWpXrAmGr8XspPn+zpw@mail.gmail.com
>
> Fix it by freeing the error.  When at it, always reset the local_err
> pointer in both paths.
>
> Cc: Arun Menon <armenon@redhat.com>
> Resolves: Coverity CID 1641390
> Fixes: 94272d9b45 ("migration: Capture error in postcopy_ram_listen_thread()")
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  migration/savevm.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/migration/savevm.c b/migration/savevm.c
> index aafa40d779..232cae090b 100644
> --- a/migration/savevm.c
> +++ b/migration/savevm.c
> @@ -2136,17 +2136,18 @@ static void *postcopy_ram_listen_thread(void *opaque)
>          if (postcopy_state_get() == POSTCOPY_INCOMING_RUNNING &&
>              !migrate_postcopy_ram() && migrate_dirty_bitmaps())
>          {
> -            error_report("%s: loadvm failed during postcopy: %d. All states "
> +            error_report("%s: loadvm failed during postcopy: %d: %s. All states "
>                           "are migrated except dirty bitmaps. Some dirty "
>                           "bitmaps may be lost, and present migrated dirty "
>                           "bitmaps are correctly migrated and valid.",
> -                         __func__, load_res);
> +                         __func__, load_res, error_get_pretty(local_err));
> +            g_clear_pointer(&local_err, error_free);
>              load_res = 0; /* prevent further exit() */
>          } else {
>              error_prepend(&local_err,
>                            "loadvm failed during postcopy: %d: ", load_res);
>              migrate_set_error(migr, local_err);
> -            error_report_err(local_err);
> +            g_clear_pointer(&local_err, error_report_err);
>              migrate_set_state(&mis->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
>                                             MIGRATION_STATUS_FAILED);
>          }

Reviewed-by: Fabiano Rosas <farosas@suse.de>

Re: [PATCH v2 2/4] migration/cpr: Fix coverity report in cpr_exec_persist_state()

[Fabiano Rosas]

Peter Xu <peterx@redhat.com> writes:

> Per reported and analyzed by Peter:
>
> https://lore.kernel.org/r/CAFEAcA_mUQ2NeoguR5efrhw7XYGofnriWEA=+Dg+Ocvyam1wAw@mail.gmail.com
>
> mfd leak is a false positive, try to use a coverity annotation (which I
> didn't find manual myself, but still give it a shot).
>
> Fix the other one by capture error if setenv() failed.  When at it, pass
> the error to the top (cpr_state_save()).  Along the way, changing all
> retval to bool when errp is around.
>
> Resolves: Coverity CID 1641391
> Resolves: Coverity CID 1641392
> Fixes: efc6587313 ("migration: cpr-exec save and load")
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  include/migration/cpr.h |  4 ++--
>  migration/cpr-exec.c    | 10 ++++++++--
>  migration/cpr.c         | 15 +++++++++------
>  migration/migration.c   |  2 +-
>  4 files changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/include/migration/cpr.h b/include/migration/cpr.h
> index a412d6663c..027cb98073 100644
> --- a/include/migration/cpr.h
> +++ b/include/migration/cpr.h
> @@ -41,7 +41,7 @@ MigMode cpr_get_incoming_mode(void);
>  void cpr_set_incoming_mode(MigMode mode);
>  bool cpr_is_incoming(void);
>  
> -int cpr_state_save(MigrationChannel *channel, Error **errp);
> +bool cpr_state_save(MigrationChannel *channel, Error **errp);
>  int cpr_state_load(MigrationChannel *channel, Error **errp);
>  void cpr_state_close(void);
>  struct QIOChannel *cpr_state_ioc(void);
> @@ -56,7 +56,7 @@ QEMUFile *cpr_transfer_input(MigrationChannel *channel, Error **errp);
>  void cpr_exec_init(void);
>  QEMUFile *cpr_exec_output(Error **errp);
>  QEMUFile *cpr_exec_input(Error **errp);
> -void cpr_exec_persist_state(QEMUFile *f);
> +bool cpr_exec_persist_state(QEMUFile *f, Error **errp);
>  bool cpr_exec_has_state(void);
>  void cpr_exec_unpersist_state(void);
>  void cpr_exec_unpreserve_fds(void);
> diff --git a/migration/cpr-exec.c b/migration/cpr-exec.c
> index d57714bc5d..087ca94c87 100644
> --- a/migration/cpr-exec.c
> +++ b/migration/cpr-exec.c
> @@ -40,16 +40,22 @@ static QEMUFile *qemu_file_new_fd_output(int fd, const char *name)
>      return qemu_file_new_output(ioc);
>  }
>  
> -void cpr_exec_persist_state(QEMUFile *f)
> +bool cpr_exec_persist_state(QEMUFile *f, Error **errp)
>  {
>      QIOChannelFile *fioc = QIO_CHANNEL_FILE(qemu_file_get_ioc(f));
> +    /* coverity[leaked_storage] - mfd intentionally kept open across exec() */
>      int mfd = dup(fioc->fd);
>      char val[16];
>  
>      /* Remember mfd in environment for post-exec load */
>      qemu_clear_cloexec(mfd);
>      snprintf(val, sizeof(val), "%d", mfd);
> -    g_setenv(CPR_EXEC_STATE_NAME, val, 1);
> +    if (!g_setenv(CPR_EXEC_STATE_NAME, val, 1)) {
> +        error_setg(errp, "Setting env %s = %s failed", CPR_EXEC_STATE_NAME, val);
> +        return false;
> +    }
> +
> +    return true;
>  }
>  
>  static int cpr_exec_find_state(void)
> diff --git a/migration/cpr.c b/migration/cpr.c
> index 22dbac7c72..adee2a919a 100644
> --- a/migration/cpr.c
> +++ b/migration/cpr.c
> @@ -176,7 +176,7 @@ bool cpr_is_incoming(void)
>      return incoming_mode != MIG_MODE_NONE;
>  }
>  
> -int cpr_state_save(MigrationChannel *channel, Error **errp)
> +bool cpr_state_save(MigrationChannel *channel, Error **errp)
>  {
>      int ret;
>      QEMUFile *f;
> @@ -190,10 +190,10 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
>      } else if (mode == MIG_MODE_CPR_EXEC) {
>          f = cpr_exec_output(errp);
>      } else {
> -        return 0;
> +        return true;
>      }
>      if (!f) {
> -        return -1;
> +        return false;
>      }
>  
>      qemu_put_be32(f, QEMU_CPR_FILE_MAGIC);
> @@ -202,11 +202,14 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
>      ret = vmstate_save_state(f, &vmstate_cpr_state, &cpr_state, 0, errp);
>      if (ret) {
>          qemu_fclose(f);
> -        return ret;
> +        return false;
>      }
>  
>      if (migrate_mode() == MIG_MODE_CPR_EXEC) {
> -        cpr_exec_persist_state(f);
> +        if (!cpr_exec_persist_state(f, errp)) {
> +            qemu_fclose(f);
> +            return false;
> +        }
>      }
>  
>      /*
> @@ -217,7 +220,7 @@ int cpr_state_save(MigrationChannel *channel, Error **errp)
>      qio_channel_shutdown(qemu_file_get_ioc(f), QIO_CHANNEL_SHUTDOWN_WRITE,
>                           NULL);
>      cpr_state_file = f;
> -    return 0;
> +    return true;
>  }
>  
>  int cpr_state_load(MigrationChannel *channel, Error **errp)
> diff --git a/migration/migration.c b/migration/migration.c
> index a63b46bbef..c8a5712993 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -2301,7 +2301,7 @@ void qmp_migrate(const char *uri, bool has_channels,
>          return;
>      }
>  
> -    if (cpr_state_save(cpr_channel, &local_err)) {
> +    if (!cpr_state_save(cpr_channel, &local_err)) {
>          goto out;
>      }

Thanks!

Reviewed-by: Fabiano Rosas <farosas@suse.de>

Re: [PATCH v2 4/4] migration/cpr: Avoid crashing QEMU when cpr-exec runs with no args

[Fabiano Rosas]

Peter Xu <peterx@redhat.com> writes:

> If an user invokes cpr-exec without setting the exec args first, currently
> it'll crash QEMU.
>
> Avoid it, instead fail the QMP migrate command.
>
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  migration/migration.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/migration/migration.c b/migration/migration.c
> index c8a5712993..4ed2a2e881 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -2195,6 +2195,12 @@ static bool migrate_prepare(MigrationState *s, bool resume, Error **errp)
>              error_setg(errp, "Cannot use %s with CPR", conflict);
>              return false;
>          }
> +
> +        if (s->parameters.mode == MIG_MODE_CPR_EXEC &&
> +            !s->parameters.cpr_exec_command) {
> +            error_setg(errp, "Parameter 'cpr-exec-command' required for cpr-exec");
> +            return false;
> +        }
>      }
>  
>      if (migrate_init(s, errp)) {

Reviewed-by: Fabiano Rosas <farosas@suse.de>