From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Carlos López, Michael S. Tsirkin, Michael Tokarev
Subject: [PATCH 41/47] libvhost-user: check for NULL when allocating a virtqueue element
Date: Wed, 8 Mar 2023 19:57:44 +0300
Message-Id: <20230308165815.2098148-41-mjt@msgid.tls.msk.ru>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230308165035.2097594-1-mjt@msgid.tls.msk.ru>
References: <20230308165035.2097594-1-mjt@msgid.tls.msk.ru>
From: Carlos López

Check the return value for malloc(), avoiding a NULL pointer dereference,
and propagate error in function callers.

Found with GCC 13 and -fanalyzer:

../subprojects/libvhost-user/libvhost-user.c: In function ‘virtqueue_alloc_element’:
../subprojects/libvhost-user/libvhost-user.c:2556:19: error: dereference of possibly-NULL ‘elem’ [CWE-690] [-Werror=analyzer-possible-null-dereference]
 2556 |     elem->out_num = out_num;
      |     ~~~~~~~~~~~~~~^~~~~~~~~
  ‘virtqueue_alloc_element’: event 1
    |
    | 2554 |     assert(sz >= sizeof(VuVirtqElement));
    |      |     ^~~~~~
    |      |     |
    |      |     (1) following ‘true’ branch (when ‘sz > 31’)...
    |
  ‘virtqueue_alloc_element’: events 2-4
    |
    | 2555 |     elem = malloc(out_sg_end);
    |      |     ^~~~   ~~~~~~~~~~~~~~~~~~
    |      |     |      |
    |      |     |      (3) this call could return NULL
    |      |     (2) ...to here
    | 2556 |     elem->out_num = out_num;
    |      |     ~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (4) ‘elem’ could be NULL: unchecked value from (3)
    |

Signed-off-by: Carlos López
Message-Id: <20230210112514.16858-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
(cherry picked from commit 9c1916057a8b14411116106e5a5c0c33d551cfeb)
Signed-off-by: Michael Tokarev
---
 subprojects/libvhost-user/libvhost-user.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c
index d6ee6e7d91..b17e82b2b0 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -2547,6 +2547,10 @@ virtqueue_alloc_element(size_t sz,
 
     assert(sz >= sizeof(VuVirtqElement));
     elem = malloc(out_sg_end);
+    if (!elem) {
+        DPRINT("%s: failed to malloc virtqueue element\n", __func__);
+        return NULL;
+    }
     elem->out_num = out_num;
     elem->in_num = in_num;
     elem->in_sg = (void *)elem + in_sg_ofs;
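Review bot: the DPRINT on the new failure path in virtqueue_alloc_element does not record the requested size, so when malloc(out_sg_end) returns NULL there is no way to tell from the log whether the host was short of memory or the element size itself was unreasonable; consider including out_sg_end in the message, e.g. `DPRINT("%s: failed to malloc virtqueue element (%zu bytes)\n", __func__, out_sg_end);` (adjust the format specifier to the actual type of out_sg_end). Returning NULL here also changes the function's contract, so every caller now has to handle a NULL return; this series updates only vu_queue_map_desc, so please confirm that is the sole caller of virtqueue_alloc_element in libvhost-user.c.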
@@ -2633,6 +2637,9 @@ vu_queue_map_desc(VuDev *dev, VuVirtq *vq, unsigned int idx, size_t sz)
 
     /* Now copy what we have collected and mapped */
     elem = virtqueue_alloc_element(sz, out_num, in_num);
+    if (!elem) {
+        return NULL;
+    }
     elem->index = idx;
     for (i = 0; i < out_num; i++) {
         elem->out_sg[i] = iov[i];
-- 
2.30.2
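Review bot: the early `return NULL;` in vu_queue_map_desc comes after the point where, per the comment above it, the descriptors have already been "collected and mapped" into iov, so please confirm that nothing gathered before this line needs to be released on this path; if the iov entries are plain references into guest memory, as the copy loop below suggests, there is nothing to free, but a sentence in the commit message saying so would save the next reader the same check. The return is also silent, so callers of vu_queue_map_desc cannot distinguish an allocation failure from its other NULL returns; that is fine if they already treat NULL as fatal for the queue, relying on the DPRINT in virtqueue_alloc_element as the only trace, but that assumption is worth confirming against the callers.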