From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Carlos López, "Michael S. Tsirkin", Michael Tokarev
Subject: [PATCH 40/47] vhost: avoid a potential use of an uninitialized variable in vhost_svq_poll()
Date: Wed, 8 Mar 2023 19:57:43 +0300
Message-Id: <20230308165815.2098148-40-mjt@msgid.tls.msk.ru>
In-Reply-To: <20230308165035.2097594-1-mjt@msgid.tls.msk.ru>
References: <20230308165035.2097594-1-mjt@msgid.tls.msk.ru>
From: Carlos López

In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
providing invalid descriptors, len is left uninitialized and
returned to the caller, potentially leaking stack data or causing
undefined behavior.

Fix this by initializing len to 0.

Found with GCC 13 and -fanalyzer (abridged):

../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
  538 |     return len;
      |            ^~~
  ‘vhost_svq_poll’: events 1-4
    |
    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
    |      |        ^~~~~~~~~~~~~~
    |      |        |
    |      |        (1) entry to ‘vhost_svq_poll’
    |......
    |  525 |     uint32_t len;
    |      |              ~~~
    |      |              |
    |      |              (2) region created on stack here
    |      |              (3) capacity: 4 bytes
    |......
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |         ~
    |      |         |
    |      |         (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
    |
(...)
    |  528 |         if (vhost_svq_more_used(svq)) {
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            ||
    |      |            |(8) ...to here
    |      |            (7) following ‘true’ branch...
    |......
    |  537 |             vhost_svq_get_buf(svq, &len);
    |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |             |
    |      |             (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
    |
    +--> ‘vhost_svq_get_buf’: events 10-11
           |
           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
           |      |                          ^~~~~~~~~~~~~~~~~
           |      |                          |
           |      |                          (10) entry to ‘vhost_svq_get_buf’
           |......
           |  423 |     if (!vhost_svq_more_used(svq)) {
           |      |     ~
           |      |     |
           |      |     (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
           |
(...)
           ‘vhost_svq_get_buf’: event 14
             |
             |  423 |     if (!vhost_svq_more_used(svq)) {
             |      |        ^
             |      |        |
             |      |        (14) following ‘false’ branch...
             |
           ‘vhost_svq_get_buf’: event 15
             |
             |cc1:
             | (15): ...to here
             |
    <------+
    |
  ‘vhost_svq_poll’: events 16-17
    |
    |  537 |             vhost_svq_get_buf(svq, &len);
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |             |
    |      |             (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
    |  538 |     return len;
    |      |            ~~~
    |      |            |
    |      |            (17) use of uninitialized value ‘len’ here
    |

Note by Laurent Vivier:

    The return value is only used to detect an error:

    vhost_svq_poll
    vhost_vdpa_net_cvq_add
    vhost_vdpa_net_load_cmd
    vhost_vdpa_net_load_mac
    -> a negative return is only used to detect error

    vhost_vdpa_net_load_mq
    -> a negative return is only used to detect error

    vhost_vdpa_net_handle_ctrl_avail
    -> a negative return is only used to detect error

Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
Signed-off-by: Carlos López
Message-Id: <20230213085747.19956-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
(cherry picked from commit e4dd39c699b7d63a06f686ec06ded8adbee989c1)
Signed-off-by: Michael Tokarev
---
 hw/virtio/vhost-shadow-virtqueue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
index 5bd14cad96..a723073747 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq,
 size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
 {
     int64_t start_us = g_get_monotonic_time();
-    uint32_t len;
+    uint32_t len = 0;
 
     do {
         if (vhost_svq_more_used(svq)) {
-- 
2.30.2
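Review bot: the initializer `uint32_t len = 0;` removes the uninitialized read, but the failure path it covers now returns 0 from a function declared `size_t vhost_svq_poll(VhostShadowVirtqueue *svq)`, and an unsigned size_t can never be negative; the note above says the callers (vhost_vdpa_net_load_mac, vhost_vdpa_net_load_mq, vhost_vdpa_net_handle_ctrl_avail) treat only a negative return as an error, so a device returning invalid descriptors is now indistinguishable from a successful zero-length completion. The analyzer output also shows the `VirtQueueElement *` result of `vhost_svq_get_buf(svq, &len);` at line 537 being discarded; checking that result, or at least adding a comment next to the initializer stating that 0 is the deliberate "nothing written" value, would make the intended error semantics explicit for later readers.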