qemu/hw/virtio
Carlos López e4dd39c699 vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned
to the caller, potentially leaking stack data or causing undefined
behavior.

Fix this by initializing len to 0.

Found with GCC 13 and -fanalyzer (abridged):

../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  538 |     return len;
      |            ^~~
  ‘vhost_svq_poll’: events 1-4
    |
    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
    |      |        ^~~~~~~~~~~~~~
    |      |        |
    |      |        (1) entry to ‘vhost_svq_poll’
    |......
    |  525 |     uint32_t len;
    |      |              ~~~
    |      |              |
    |      |              (2) region created on stack here
    |      |              (3) capacity: 4 bytes
    |......
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |             ~
    |      |             |
    |      |             (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’

    (...)

    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            ||
    |      |            |(8) ...to here
    |      |            (7) following ‘true’ branch...
    |......
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
    |
    +--> ‘vhost_svq_get_buf’: events 10-11
           |
           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
           |      |                          ^~~~~~~~~~~~~~~~~
           |      |                          |
           |      |                          (10) entry to ‘vhost_svq_get_buf’
           |......
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |          ~
           |      |          |
           |      |          (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
           |

           (...)

           |
         ‘vhost_svq_get_buf’: event 14
           |
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |        ^
           |      |        |
           |      |        (14) following ‘false’ branch...
           |
         ‘vhost_svq_get_buf’: event 15
           |
           |cc1:
           | (15): ...to here
           |
    <------+
    |
  ‘vhost_svq_poll’: events 16-17
    |
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
    |  538 |     return len;
    |      |            ~~~
    |      |            |
    |      |            (17) use of uninitialized value ‘len’ here

Note by Laurent Vivier <lvivier@redhat.com>:

    The return value is only used to detect an error:

    vhost_svq_poll
        vhost_vdpa_net_cvq_add
            vhost_vdpa_net_load_cmd
                vhost_vdpa_net_load_mac
                  -> a negative return is only used to detect error
                vhost_vdpa_net_load_mq
                  -> a negative return is only used to detect error
            vhost_vdpa_net_handle_ctrl_avail
              -> a negative return is only used to detect error

Fixes: d368c0b052 ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-03-02 19:13:51 -05:00
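The pattern behind this fix, as an added example that is not QEMU's code: a consumer function writes its out-parameter only on its success path, so the caller must give the variable a defined value before the call or a device-supplied bad descriptor turns into a read of stack garbage. The ring layout, the `toy_*` names and the sample ring contents below are all constructed for illustration; `toy_get_buf()` only mirrors the shape of `vhost_svq_get_buf()` (it writes `*len` only after validating the descriptor). `toy_poll()` applies the commit's approach of initializing `len` to 0; `toy_poll_checked()` shows the stricter alternative of propagating the callee's failure, for callers that must tell a zero-length completion apart from an error.

```c
/* Added example, not QEMU code: out-parameter left unset on the error path. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define VQ_NUM 4

/* Constructed used-ring element: the device publishes (descriptor id, bytes written). */
struct used_elem { uint32_t id; uint32_t len; };

struct toy_svq {
    struct used_elem used[VQ_NUM];
    uint16_t used_idx;      /* entries published by the (untrusted) device */
    uint16_t last_used;     /* entries consumed by us */
    bool inflight[VQ_NUM];  /* descriptor ids we actually handed to the device */
};

static bool toy_more_used(const struct toy_svq *svq)
{
    return svq->last_used != svq->used_idx;
}

/* Mirrors the shape of vhost_svq_get_buf(): *len is written only on success.
 * Returns the consumed descriptor id, or -1 if the device supplied an id that
 * is out of range or was never handed out. */
static int toy_get_buf(struct toy_svq *svq, uint32_t *len)
{
    if (!toy_more_used(svq)) {
        return -1;
    }
    const struct used_elem *e = &svq->used[svq->last_used % VQ_NUM];
    if (e->id >= VQ_NUM || !svq->inflight[e->id]) {
        return -1;          /* invalid descriptor: *len deliberately untouched */
    }
    svq->inflight[e->id] = false;
    svq->last_used++;
    *len = e->len;
    return (int)e->id;
}

/* The commit's approach: initialize len so a failed get_buf cannot leak the
 * stack. Without "= 0", the return below is exactly the CWE-457 read that
 * -fanalyzer flagged. */
size_t toy_poll(struct toy_svq *svq)
{
    uint32_t len = 0;
    if (!toy_more_used(svq)) {
        return 0;           /* real code would spin with a timeout here */
    }
    toy_get_buf(svq, &len);
    return len;
}

/* Stricter alternative: surface the callee's failure instead of folding it
 * into a 0-byte result. */
long toy_poll_checked(struct toy_svq *svq)
{
    uint32_t len = 0;
    if (!toy_more_used(svq) || toy_get_buf(svq, &len) < 0) {
        return -1;
    }
    return (long)len;
}

/* Constructed scenarios. */
static void toy_fill(struct toy_svq *svq, uint32_t id, uint32_t len)
{
    memset(svq, 0, sizeof(*svq));
    svq->inflight[2] = true;            /* only descriptor 2 is outstanding */
    svq->used[0].id = id;
    svq->used[0].len = len;
    svq->used_idx = 1;
}

size_t demo_valid(void)          { struct toy_svq q; toy_fill(&q, 2, 100); return toy_poll(&q); }
size_t demo_invalid_id(void)     { struct toy_svq q; toy_fill(&q, 9, 100); return toy_poll(&q); }
size_t demo_not_inflight(void)   { struct toy_svq q; toy_fill(&q, 1, 100); return toy_poll(&q); }
long   demo_invalid_checked(void){ struct toy_svq q; toy_fill(&q, 9, 100); return toy_poll_checked(&q); }
long   demo_valid_checked(void)  { struct toy_svq q; toy_fill(&q, 2, 100); return toy_poll_checked(&q); }

/* Shows that the callee really leaves the out-parameter alone on failure. */
uint32_t demo_len_untouched(void)
{
    struct toy_svq q; toy_fill(&q, 9, 100);
    uint32_t len = 0xdeadbeef;          /* sentinel standing in for stack garbage */
    (void)toy_get_buf(&q, &len);
    return len;
}

int main(void)
{
    printf("valid: %zu, invalid id: %zu, checked invalid: %ld, untouched: 0x%x\n",
           demo_valid(), demo_invalid_id(), demo_invalid_checked(), demo_len_untouched());
    return 0;
}
```

The sentinel in `demo_len_untouched()` is what the uninitialized `len` would have held in the unfixed `vhost_svq_poll()`: whatever happened to be on the stack, chosen by the device's bad descriptor rather than by the caller.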
Kconfig vdpa: add vdpa-dev support 2022-12-21 06:35:28 -05:00
meson.build virtio: Move HMP commands from monitor/ to hw/virtio/ 2023-02-04 07:56:54 +01:00
trace-events vhost-vdpa: add support for config interrupt 2023-01-08 01:54:22 -05:00
trace.h
vdpa-dev-pci.c vdpa: add vdpa-dev-pci support 2022-12-21 06:35:28 -05:00
vdpa-dev.c vdpa-dev: get iova range explicitly 2023-01-08 01:54:22 -05:00
vhost-backend.c
vhost-iova-tree.c
vhost-iova-tree.h
vhost-scsi-pci.c
vhost-shadow-virtqueue.c vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll() 2023-03-02 19:13:51 -05:00
vhost-shadow-virtqueue.h vhost: move iova_tree set to vhost_svq_start 2022-12-21 06:35:28 -05:00
vhost-stub.c
vhost-user-blk-pci.c
vhost-user-fs-pci.c
vhost-user-fs.c vhost-user-fs: Back up vqs before cleaning up vhost_dev 2023-02-09 10:21:11 -05:00
vhost-user-gpio-pci.c
vhost-user-gpio.c vhost-user-gpio: Configure vhost_dev when connecting 2023-03-02 03:10:47 -05:00
vhost-user-i2c-pci.c
vhost-user-i2c.c vhost-user-i2c: Back up vqs before cleaning up vhost_dev 2023-03-02 03:10:47 -05:00
vhost-user-input-pci.c
vhost-user-rng-pci.c
vhost-user-rng.c vhost-user-rng: Back up vqs before cleaning up vhost_dev 2023-03-02 03:10:47 -05:00
vhost-user-scsi-pci.c
vhost-user-vsock-pci.c
vhost-user-vsock.c hw/virtio: introduce virtio_device_should_start 2022-11-07 14:08:18 -05:00
vhost-user.c vhost-user: Adopt new backend naming 2023-03-02 03:10:48 -05:00
vhost-vdpa.c vdpa: stop all svq on device deletion 2023-03-02 03:10:48 -05:00
vhost-vsock-common.c virtio: introduce macro VIRTIO_CONFIG_IRQ_IDX 2023-01-08 01:54:22 -05:00
vhost-vsock-pci.c
vhost-vsock.c hw/virtio: introduce virtio_device_should_start 2022-11-07 14:08:18 -05:00
vhost.c vhost: configure all host notifiers in a single MR transaction 2023-01-08 01:54:23 -05:00
virtio-9p-pci.c
virtio-balloon-pci.c
virtio-balloon.c qapi: Use returned bool to check for failure (again) 2022-12-14 16:19:35 +01:00
virtio-blk-pci.c
virtio-bus.c
virtio-config-io.c hw/virtio: Extract config read/write accessors to virtio-config-io.c 2022-12-21 07:32:24 -05:00
virtio-crypto-pci.c
virtio-crypto.c virtio: introduce macro VIRTIO_CONFIG_IRQ_IDX 2023-01-08 01:54:22 -05:00
virtio-hmp-cmds.c virtio: Move HMP commands from monitor/ to hw/virtio/ 2023-02-04 07:56:54 +01:00
virtio-input-host-pci.c
virtio-input-pci.c
virtio-iommu-pci.c
virtio-iommu.c hw: Use TYPE_PCI_BUS definition where appropriate 2023-01-28 06:21:30 -05:00
virtio-mem-pci.c qapi machine: Elide redundant has_FOO in generated C 2022-12-14 20:04:47 +01:00
virtio-mem-pci.h
virtio-mem.c virtio-mem: Proper support for preallocation with migration 2023-02-06 19:22:56 +01:00
virtio-mmio.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
virtio-net-pci.c
virtio-pci.c virtio-pci: fix proxy->vector_irqfd leak in virtio_pci_set_guest_notifiers 2023-01-08 01:54:23 -05:00
virtio-pmem-pci.c qapi machine: Elide redundant has_FOO in generated C 2022-12-14 20:04:47 +01:00
virtio-pmem-pci.h
virtio-pmem.c include/block: Untangle inclusion loops 2023-01-20 07:24:28 +01:00
virtio-qmp.c vhost-user: Adopt new backend naming 2023-03-02 03:10:48 -05:00
virtio-qmp.h include/hw/virtio: Break inclusion loop 2023-01-08 01:54:22 -05:00
virtio-rng-pci.c virtio-rng-pci: Allow setting nvectors, so we can use MSI-X 2022-11-07 13:12:20 -05:00
virtio-rng.c
virtio-scsi-pci.c
virtio-serial-pci.c
virtio-stub.c
virtio.c include/hw/virtio: Break inclusion loop 2023-01-08 01:54:22 -05:00