mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a7485cdca7
qemu/hw
History
Carlos López a7485cdca7 vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll() 
In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned
to the caller, potentally leaking stack data or causing undefined
behavior.

Fix this by initializing len to 0.

Found with GCC 13 and -fanalyzer (abridged):

../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  538 |     return len;
      |            ^~~
  ‘vhost_svq_poll’: events 1-4
    |
    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
    |      |        ^~~~~~~~~~~~~~
    |      |        |
    |      |        (1) entry to ‘vhost_svq_poll’
    |......
    |  525 |     uint32_t len;
    |      |              ~~~
    |      |              |
    |      |              (2) region created on stack here
    |      |              (3) capacity: 4 bytes
    |......
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |             ~
    |      |             |
    |      |             (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’

    (...)

    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            ||
    |      |            |(8) ...to here
    |      |            (7) following ‘true’ branch...
    |......
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
    |
    +--> ‘vhost_svq_get_buf’: events 10-11
           |
           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
           |      |                          ^~~~~~~~~~~~~~~~~
           |      |                          |
           |      |                          (10) entry to ‘vhost_svq_get_buf’
           |......
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |          ~
           |      |          |
           |      |          (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
           |

           (...)

           |
         ‘vhost_svq_get_buf’: event 14
           |
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |        ^
           |      |        |
           |      |        (14) following ‘false’ branch...
           |
         ‘vhost_svq_get_buf’: event 15
           |
           |cc1:
           | (15): ...to here
           |
    <------+
    |
  ‘vhost_svq_poll’: events 16-17
    |
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
    |  538 |     return len;
    |      |            ~~~
    |      |            |
    |      |            (17) use of uninitialized value ‘len’ here

Note by  Laurent Vivier <lvivier@redhat.com>:

    The return value is only used to detect an error:

    vhost_svq_poll
        vhost_vdpa_net_cvq_add
            vhost_vdpa_net_load_cmd
                vhost_vdpa_net_load_mac
                  -> a negative return is only used to detect error
                vhost_vdpa_net_load_mq
                  -> a negative return is only used to detect error
            vhost_vdpa_net_handle_ctrl_avail
              -> a negative return is only used to detect error

Fixes: d368c0b052 ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit e4dd39c699)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-03-29 10:20:04 +03:00
..
9pfs Pull request 2022-10-25 11:37:17 -04:00
acpi acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block 2023-03-29 10:20:04 +03:00
adc hw/adc: Make adci[*] R/W in NPCM7XX ADC 2022-07-18 13:20:14 +01:00
alpha hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
arm pci,pc,virtio: features, tests, fixes, cleanups 2022-11-07 18:43:56 -05:00
audio hw/audio/intel-hda: Drop unnecessary prototype 2022-11-23 12:30:45 +01:00
avr Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
block hw/virtio: generalise CHR_EVENT_CLOSED handling 2022-12-01 02:30:13 -05:00
char Drop useless casts from g_malloc() & friends to pointer 2022-10-22 23:15:40 +02:00
core virtio-rng-pci: fix transitional migration compat for vectors 2023-03-29 10:20:04 +03:00
cpu cpu/core: Fix "help" of CPU core device types 2021-04-09 16:05:16 -04:00
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
cxl hw/cxl/cdat: CXL CDAT Data Object Exchange implementation 2022-11-07 13:12:19 -05:00
display hw/display/next-fb: Fix comment typo 2022-12-03 22:07:07 +01:00
dma treewide: Remove the unnecessary space before semicolon 2022-10-24 13:41:10 +02:00
gpio hw/gpio/meson: Introduce dedicated config switch for hw/gpio/mpc8xxx 2022-10-17 16:15:09 -03:00
hppa hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
hyperv hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset() 2022-10-27 10:27:23 +01:00
i2c hw/i2c/aspeed: Fix old reg slave receive 2022-10-24 11:20:15 +02:00
i386 Revert "hw/i386: pass RNG seed via setup_data entry" 2023-03-29 10:20:04 +03:00
ide hw/ppc/mac.h: Rename to include/hw/nvram/mac_nvram.h 2022-10-31 18:48:23 +00:00
input pckbd: remove legacy i8042_mm_init() function 2022-07-18 19:28:46 +01:00
intc hw/intc: add implementation of GICD_IIDR to Arm GIC 2022-11-21 11:45:13 +00:00
ipack qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
ipmi ipmi:smbus: Add a check around a memcpy 2022-08-01 06:40:50 -05:00
isa acpi: x86: move RPQx field back to _SB scope 2022-11-22 05:19:00 -05:00
loongarch Revert "hw/loongarch/virt: Add cfi01 pflash device" 2022-12-05 11:24:35 -05:00
m68k m68k/q800: do not re-randomize RNG seed on snapshot load 2022-10-27 11:34:31 +01:00
mem hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange 2022-11-07 13:12:19 -05:00
microblaze hw/microblaze: pass random seed to fdt 2022-09-21 19:59:56 +02:00
mips hw/mips/malta: Use bootloader helper to set BAR registers 2022-10-31 11:32:56 +01:00
misc mac_nvram: Use NVRAM_SIZE constant 2022-10-31 18:48:23 +00:00
net virtio: regression fix 2022-12-04 11:00:26 -05:00
nios2 hw/nios2: set machine->fdt in nios2_load_dtb() 2022-10-17 16:15:10 -03:00
nubus qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
nvme hw/nvme: fix missing cq eventidx update 2023-03-29 10:20:04 +03:00
nvram Revert "x86: return modified setup_data only if read as memory, not as file" 2023-03-29 10:20:04 +03:00
openrisc openrisc: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
pci msix: Assert that specified vector is in range 2022-11-07 14:08:17 -05:00
pci-bridge hw/pci-bridge/cxl-upstream: Add a CDAT table access DOE 2022-11-07 13:12:19 -05:00
pci-host hw/pci-host/pnv_phb: Avoid quitting QEMU if hotplug of pnv-phb-root-port fails 2022-11-10 18:22:10 -03:00
pcmcia hw/pcmcia: Do not register PCMCIA type if not required 2021-05-02 17:24:50 +02:00
ppc mac_newworld: Turn CORE99_VIA_CONFIG defines into an enum 2022-10-31 18:48:23 +00:00
rdma msix: Assert that specified vector is in range 2022-11-07 14:08:17 -05:00
remote msix: Assert that specified vector is in range 2022-11-07 14:08:17 -05:00
riscv riscv: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
rtc goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
rx rx: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
s390x s390x: Fix spelling errors 2022-11-16 10:15:26 +01:00
scsi vhost: enable vrings in vhost_dev_start() for vhost-user devices 2022-12-01 02:30:04 -05:00
sd hw/sd: Fix sun4i allwinner-sdhost for U-Boot 2022-11-21 11:45:12 +00:00
sensor hw/sensor: Add Renesas ISL69259 device model 2022-07-14 16:24:38 +02:00
sh4 Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
smbios hw/smbios: fix field corruption in type 4 table 2023-03-29 10:20:04 +03:00
sparc machine: make memory-backend a link property 2022-05-12 12:29:44 +02:00
sparc64 hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
ssi aspeed/smc: Cache AspeedSMCClass 2022-10-24 11:20:15 +02:00
timer hw/timer/hpet: Fix expiration time overflow 2023-03-29 10:20:04 +03:00
tpm tpm_crb: Avoid backend startup just before shutdown under Xen 2022-09-09 17:55:59 -04:00
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb hw/usb/hcd-xhci: Reset the XHCIState with device_cold_reset() 2022-11-23 12:28:51 +01:00
vfio pci,pc,virtio: features, tests, fixes, cleanups 2022-11-07 18:43:56 -05:00
virtio vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll() 2023-03-29 10:20:04 +03:00
watchdog watchdog: remove -watchdog option 2022-09-29 11:40:28 +02:00
xen xen/pt: fix syntax error that causes FTBFS in some configurations 2022-11-05 20:35:45 +01:00
xenpv Warn user if the vga flag is passed but no vga device is created 2022-05-09 08:21:14 +02:00
xtensa hw/xtensa: fix reset value of MIROUT register of MX PIC 2022-05-06 15:27:40 -07:00
Kconfig hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00
meson.build hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00