From: Greg Kurz <groug@kaod.org>
To: Keno Fischer <keno@juliacomputing.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 03/20] 9p: xattr: Fix crash due to free of uninitialized value
Date: Fri, 1 Jun 2018 11:19:29 +0200
Message-ID: <20180601111929.18d58909@bahia.lan>
In-Reply-To: <d837331570879a9fe9e4f1e466905213099f7bf0.1527814874.git.keno@juliacomputing.com>

On Thu, 31 May 2018 21:25:58 -0400
Keno Fischer <keno@juliacomputing.com> wrote:

> If the size returned from llistxattr is 0, we skipped the malloc
> call, leaving xattr.value uninitialized. However, this value is
> later passed to `g_free` without any further checks, causing an

Ouch, good catch.

> error. Fix that by always calling g_malloc unconditionally. If
> `size` is 0, it will return a pointer that is safe to pass to g_free,
> likely NULL.
> 

"Allocates n_bytes bytes of memory, initialized to 0's. If n_bytes is 0 it
 returns NULL."

https://developer.gnome.org/glib/unstable/glib-Memory-Allocation.html#g-malloc

The fix is good, but it seems the same can also happen if v9fs_co_lgetxattr()
returns 0 a few lines below. Can you check this out and fix it if needed?

> Signed-off-by: Keno Fischer <keno@juliacomputing.com>
> ---
> 
> Changes since v1: New patch
> 
>  hw/9pfs/9p.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> index d74302d..b80db65 100644
> --- a/hw/9pfs/9p.c
> +++ b/hw/9pfs/9p.c
> @@ -3256,8 +3256,8 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
>          xattr_fidp->fs.xattr.len = size;
>          xattr_fidp->fid_type = P9_FID_XATTR;
>          xattr_fidp->fs.xattr.xattrwalk_fid = true;
> +        xattr_fidp->fs.xattr.value = g_malloc0(size);
>          if (size) {
> -            xattr_fidp->fs.xattr.value = g_malloc0(size);
>              err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
>                                       xattr_fidp->fs.xattr.value,
>                                       xattr_fidp->fs.xattr.len);
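Review bot: the `if (size)` guard now only wraps the v9fs_co_llistxattr() call, so a short comment on the hoisted `xattr_fidp->fs.xattr.value = g_malloc0(size);` line saying that the allocation is deliberately unconditional, so that `fs.xattr.value` is always initialized before any later g_free(), would keep the intent from being lost if someone later moves it back inside the branch. The commit message's "likely NULL" can also be stated firmly: the GLib documentation quoted above guarantees that g_malloc0() returns NULL when n_bytes is 0, and g_free(NULL) is a no-op, which is exactly what makes the unconditional allocation a safe fix for the uninitialized-pointer free.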
