* [PATCH] util/qht: fix possible NULL pointer dereference in qht_bucket_remove_entry()
@ 2025-08-14 11:37 gerben
2025-08-15 8:51 ` Alex Bennée
0 siblings, 1 reply; 2+ messages in thread
From: gerben @ 2025-08-14 11:37 UTC (permalink / raw)
To: qemu-devel, richard.henderson, alex.bennee; +Cc: sdl.qemu
From: Denis Rastyogin <gerben@altlinux.org>
If b->pointers[i] is NULL on the first iteration and
prev has not yet been assigned (i.e., is still NULL),
calling qht_entry_move(orig, pos, prev, QHT_BUCKET_ENTRIES - 1)
can lead to a NULL pointer dereference.
The qht_debug_assert(prev) check does not prevent this issue
because QHT_DEBUG is currently disabled (the #define is commented out).
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reported-by: Alexey Appolonov <alexey@altlinux.org>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
util/qht.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/util/qht.c b/util/qht.c
index 92c6b78759..cb7e367ebb 100644
--- a/util/qht.c
+++ b/util/qht.c
@@ -768,6 +768,9 @@ static inline void qht_bucket_remove_entry(struct qht_bucket *orig, int pos)
return qht_entry_move(orig, pos, b, i - 1);
}
qht_debug_assert(prev);
+ if (!prev) {
+ continue;
+ }
return qht_entry_move(orig, pos, prev, QHT_BUCKET_ENTRIES - 1);
}
prev = b;
--
2.42.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] util/qht: fix possible NULL pointer dereference in qht_bucket_remove_entry()
2025-08-14 11:37 [PATCH] util/qht: fix possible NULL pointer dereference in qht_bucket_remove_entry() gerben
@ 2025-08-15 8:51 ` Alex Bennée
0 siblings, 0 replies; 2+ messages in thread
From: Alex Bennée @ 2025-08-15 8:51 UTC (permalink / raw)
To: gerben; +Cc: qemu-devel, richard.henderson, sdl.qemu
gerben@altlinux.org writes:
> From: Denis Rastyogin <gerben@altlinux.org>
>
> If b->pointers[i] is NULL on the first iteration and
> prev has not yet been assigned (i.e., is still NULL),
> calling qht_entry_move(orig, pos, prev, QHT_BUCKET_ENTRIES - 1)
> can lead to a NULL pointer dereference.
>
> The qht_debug_assert(prev) check does not prevent this issue
> because QHT_DEBUG is currently disabled (the #define is commented
> out).
The assert is saying you should never see prev as NULL so that would
indicate a bug so we shouldn't be just skipping.
I agree we should probably enable QHT debugging when --enable-debug-tcg
is true.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Reported-by: Alexey Appolonov <alexey@altlinux.org>
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
> util/qht.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/util/qht.c b/util/qht.c
> index 92c6b78759..cb7e367ebb 100644
> --- a/util/qht.c
> +++ b/util/qht.c
> @@ -768,6 +768,9 @@ static inline void qht_bucket_remove_entry(struct qht_bucket *orig, int pos)
> return qht_entry_move(orig, pos, b, i - 1);
> }
> qht_debug_assert(prev);
> + if (!prev) {
> + continue;
> + }
> return qht_entry_move(orig, pos, prev, QHT_BUCKET_ENTRIES - 1);
> }
> prev = b;
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-15 8:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-14 11:37 [PATCH] util/qht: fix possible NULL pointer dereference in qht_bucket_remove_entry() gerben
2025-08-15 8:51 ` Alex Bennée
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).