All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] target/s390x/translate: Do not leak stack address in translate_one()
@ 2020-01-23  7:05 Thomas Huth
  2020-01-23  7:49 ` David Hildenbrand
  2020-01-23 10:25 ` Cornelia Huck
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Huth @ 2020-01-23  7:05 UTC (permalink / raw)
  To: qemu-devel, Richard Henderson, David Hildenbrand
  Cc: qemu-s390x, Cornelia Huck

The code in translate_one() leaks a stack address via "s->field" parameter:

 static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
 {
     DisasJumpType ret = DISAS_NEXT;
     DisasFields f;
     [...]
     s->fields = &f;
     [...]
     return ret;
 }

It's currently harmless since the caller does not seem to use "fields"
anymore, but let's better play safe (and please static code analyzers)
by setting the fields back to NULL before returning.

Buglink: https://bugs.launchpad.net/qemu/+bug/1661815
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 target/s390x/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 4292bb0dd0..9122fb36da 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -6435,6 +6435,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
     }
 #endif
 
+    s->fields = NULL;
+
     /* Advance to the next instruction.  */
     s->base.pc_next = s->pc_tmp;
     return ret;
-- 
2.18.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] target/s390x/translate: Do not leak stack address in translate_one()
  2020-01-23  7:05 [PATCH] target/s390x/translate: Do not leak stack address in translate_one() Thomas Huth
@ 2020-01-23  7:49 ` David Hildenbrand
  2020-01-23 10:25 ` Cornelia Huck
  1 sibling, 0 replies; 3+ messages in thread
From: David Hildenbrand @ 2020-01-23  7:49 UTC (permalink / raw)
  To: Thomas Huth
  Cc: Cornelia Huck, qemu-s390x, David Hildenbrand, qemu-devel,
	Richard Henderson



> Am 23.01.2020 um 08:05 schrieb Thomas Huth <thuth@redhat.com>:
> 
> The code in translate_one() leaks a stack address via "s->field" parameter:
> 
> static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
> {
>     DisasJumpType ret = DISAS_NEXT;
>     DisasFields f;
>     [...]
>     s->fields = &f;
>     [...]
>     return ret;
> }
> 
> It's currently harmless since the caller does not seem to use "fields"
> anymore, but let's better play safe (and please static code analyzers)
> by setting the fields back to NULL before returning.
> 
> Buglink: https://bugs.launchpad.net/qemu/+bug/1661815
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Reviewed-by: David Hildenbrand <david@redhat.com>

> ---
> target/s390x/translate.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/target/s390x/translate.c b/target/s390x/translate.c
> index 4292bb0dd0..9122fb36da 100644
> --- a/target/s390x/translate.c
> +++ b/target/s390x/translate.c
> @@ -6435,6 +6435,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
>     }
> #endif
> 
> +    s->fields = NULL;
> +
>     /* Advance to the next instruction.  */
>     s->base.pc_next = s->pc_tmp;
>     return ret;
> -- 
> 2.18.1
> 



^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] target/s390x/translate: Do not leak stack address in translate_one()
  2020-01-23  7:05 [PATCH] target/s390x/translate: Do not leak stack address in translate_one() Thomas Huth
  2020-01-23  7:49 ` David Hildenbrand
@ 2020-01-23 10:25 ` Cornelia Huck
  1 sibling, 0 replies; 3+ messages in thread
From: Cornelia Huck @ 2020-01-23 10:25 UTC (permalink / raw)
  To: Thomas Huth; +Cc: qemu-s390x, David Hildenbrand, qemu-devel, Richard Henderson

On Thu, 23 Jan 2020 08:05:33 +0100
Thomas Huth <thuth@redhat.com> wrote:

> The code in translate_one() leaks a stack address via "s->field" parameter:
> 
>  static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
>  {
>      DisasJumpType ret = DISAS_NEXT;
>      DisasFields f;
>      [...]
>      s->fields = &f;
>      [...]
>      return ret;
>  }
> 
> It's currently harmless since the caller does not seem to use "fields"
> anymore, but let's better play safe (and please static code analyzers)
> by setting the fields back to NULL before returning.
> 
> Buglink: https://bugs.launchpad.net/qemu/+bug/1661815
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
>  target/s390x/translate.c | 2 ++
>  1 file changed, 2 insertions(+)

Thanks, applied.



^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-01-23 10:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-23  7:05 [PATCH] target/s390x/translate: Do not leak stack address in translate_one() Thomas Huth
2020-01-23  7:49 ` David Hildenbrand
2020-01-23 10:25 ` Cornelia Huck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.