qemu/hw
Carlos López e4dd39c699 vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and returned
to the caller, potentally leaking stack data or causing undefined
behavior.

Fix this by initializing len to 0.

Found with GCC 13 and -fanalyzer (abridged):

../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  538 |     return len;
      |            ^~~
  ‘vhost_svq_poll’: events 1-4
    |
    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
    |      |        ^~~~~~~~~~~~~~
    |      |        |
    |      |        (1) entry to ‘vhost_svq_poll’
    |......
    |  525 |     uint32_t len;
    |      |              ~~~
    |      |              |
    |      |              (2) region created on stack here
    |      |              (3) capacity: 4 bytes
    |......
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |             ~
    |      |             |
    |      |             (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’

    (...)

    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            ||
    |      |            |(8) ...to here
    |      |            (7) following ‘true’ branch...
    |......
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
    |
    +--> ‘vhost_svq_get_buf’: events 10-11
           |
           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
           |      |                          ^~~~~~~~~~~~~~~~~
           |      |                          |
           |      |                          (10) entry to ‘vhost_svq_get_buf’
           |......
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |          ~
           |      |          |
           |      |          (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
           |

           (...)

           |
         ‘vhost_svq_get_buf’: event 14
           |
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |        ^
           |      |        |
           |      |        (14) following ‘false’ branch...
           |
         ‘vhost_svq_get_buf’: event 15
           |
           |cc1:
           | (15): ...to here
           |
    <------+
    |
  ‘vhost_svq_poll’: events 16-17
    |
    |  537 |     vhost_svq_get_buf(svq, &len);
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
    |  538 |     return len;
    |      |            ~~~
    |      |            |
    |      |            (17) use of uninitialized value ‘len’ here

Note by  Laurent Vivier <lvivier@redhat.com>:

    The return value is only used to detect an error:

    vhost_svq_poll
        vhost_vdpa_net_cvq_add
            vhost_vdpa_net_load_cmd
                vhost_vdpa_net_load_mac
                  -> a negative return is only used to detect error
                vhost_vdpa_net_load_mq
                  -> a negative return is only used to detect error
            vhost_vdpa_net_handle_ctrl_avail
              -> a negative return is only used to detect error

Fixes: d368c0b052 ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-03-02 19:13:51 -05:00
..
9pfs Don't include headers already included by qemu/osdep.h 2023-02-08 07:28:05 +01:00
acpi hw: Move ich9.h to southbridge/ 2023-02-27 22:29:01 +01:00
adc
alpha Drop duplicate #include 2023-02-08 07:28:05 +01:00
arm hw/ide: Rename ide_create_drive() -> ide_bus_create_drive() 2023-02-27 22:29:02 +01:00
audio hw/audio/ac97: Split off some definitions to a header 2023-02-27 22:29:02 +01:00
avr
block hw: Replace isa_get_irq() by isa_bus_get_irq() when ISABus is available 2023-02-27 22:29:02 +01:00
char hw/char/xilinx_uartlite: Expose XILINX_UARTLITE QOM type 2023-02-27 13:27:05 +00:00
core virtio-rng-pci: fix transitional migration compat for vectors 2023-03-02 03:10:47 -05:00
cpu hw/cpu: Mark arm11 and realview mpcore as target-independent code 2023-01-16 17:51:20 +01:00
cris
cxl hw/cxl/cxl-host: Fix an error message typo 2023-01-17 10:02:37 +01:00
display hw/display/sm501: Add fallbacks to pixman routines 2023-02-27 22:29:02 +01:00
dma hw/isa: Rename isa_get_dma() -> isa_bus_get_dma() 2023-02-27 22:29:02 +01:00
gpio hw/gpio/max7310: Simplify max7310_realize() 2023-02-27 13:27:04 +00:00
hppa hw/isa: Rename isa_bus_irqs() -> isa_bus_register_input_irqs() 2023-02-27 22:29:02 +01:00
hyperv Fix non-first inclusions of qemu/osdep.h 2023-02-08 07:28:05 +01:00
i2c hw: Move ich9.h to southbridge/ 2023-02-27 22:29:01 +01:00
i386 Revert "hw/i386: pass RNG seed via setup_data entry" 2023-03-02 03:10:46 -05:00
ide hw/ide/via: Replace magic 2 value by ARRAY_SIZE / MAX_IDE_DEVS 2023-02-27 22:29:02 +01:00
input hw/input: Clean up includes 2023-02-08 07:16:23 +01:00
intc hw/intc/i8259: Document i8259_init() 2023-02-27 22:29:01 +01:00
ipack include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
ipmi include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
isa hw/rtc/mc146818rtc: Rename RTCState -> MC146818RtcState 2023-02-27 22:29:02 +01:00
loongarch Drop duplicate #include 2023-02-08 07:28:05 +01:00
m68k hw: Add compat machines for 8.0 2022-12-21 06:35:28 -05:00
mem hw/sparse-mem: clear memory on reset 2023-02-16 22:05:46 -05:00
microblaze hw/char/xilinx_uartlite: Open-code xilinx_uartlite_create() 2023-02-27 13:27:05 +00:00
mips hw/isa: Rename isa_bus_irqs() -> isa_bus_register_input_irqs() 2023-02-27 22:29:02 +01:00
misc hw/ide: Un-inline ide_set_irq() 2023-02-27 22:29:02 +01:00
net virtio-net: clear guest_announce feature if no cvq backend 2023-03-02 03:10:46 -05:00
nios2 hw/nios2: set machine->fdt in nios2_load_dtb() 2022-10-17 16:15:10 -03:00
nubus hw/nubus/nubus-device: Fix memory leak in nubus_device_realize 2023-02-27 22:29:01 +01:00
nvme hw/nvme updates 2023-01-11 16:41:13 +00:00
nvram Revert "x86: return modified setup_data only if read as memory, not as file" 2023-03-02 03:10:46 -05:00
openrisc openrisc: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
pci pcie: set power indicator to off on reset by default 2023-03-02 19:13:41 -05:00
pci-bridge hw: Move ich9.h to southbridge/ 2023-02-27 22:29:01 +01:00
pci-host target-arm queue: 2023-02-27 14:46:00 +00:00
pcmcia
ppc hw/ppc/sam460ex: Correctly set MAL properties 2023-02-27 22:29:02 +01:00
rdma Drop duplicate #include 2023-02-08 07:28:05 +01:00
remote Drop duplicate #include 2023-02-08 07:28:05 +01:00
riscv hw/riscv/boot.c: make riscv_load_initrd() static 2023-02-16 07:55:37 -08:00
rtc hw/rtc: Rename rtc_[get|set]_memory -> mc146818rtc_[get|set]_cmos_data 2023-02-27 22:29:02 +01:00
rx rx: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
s390x s390x/pv: Add support for asynchronous teardown for reboot 2023-02-27 09:15:39 +01:00
scsi Updated the FSF address to <https://www.gnu.org/licenses/> 2023-02-27 09:15:39 +01:00
sd hw/arm/omap: Drop useless casts from void * to pointer 2023-01-12 17:15:09 +00:00
sensor Do not include hw/hw.h if it is not necessary 2023-02-27 09:15:38 +01:00
sh4 hw/ide/mmio: Extract TYPE_MMIO_IDE declarations to 'hw/ide/mmio.h' 2023-02-27 22:29:02 +01:00
smbios hw/smbios: fix field corruption in type 4 table 2023-03-02 03:10:46 -05:00
sparc
sparc64 hw/ide: Un-inline ide_set_irq() 2023-02-27 22:29:02 +01:00
ssi hw/ssi: Add Nuvoton PSPI Module 2023-02-16 16:00:48 +00:00
timer hw/timer/hpet: Fix expiration time overflow 2023-03-02 03:10:47 -05:00
tpm hw/tpm: Move tpm_ppi.c out of target-specific source set 2023-01-16 17:51:20 +01:00
tricore
usb hw/usb/xhci-nec: Replace container_of() by NEC_XHCI() QOM cast macro 2023-02-27 22:29:02 +01:00
vfio hw/vfio/ccw: Replace DO_UPCAST(VFIOCCWDevice) by VFIO_CCW() 2023-02-27 09:15:38 +01:00
virtio vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll() 2023-03-02 19:13:51 -05:00
watchdog hw/watchdog/wdt_aspeed: Log unimplemented registers as UNIMP level 2023-02-07 09:02:05 +01:00
xen bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
xenpv
xtensa
Kconfig
meson.build