* [Qemu-devel][PATCH] ppc/spapr_events: fix potential NULL pointer dereference in rtas_event_log_dequeue
@ 2019-11-18 1:50 pannengyuan
2019-11-19 2:50 ` David Gibson
0 siblings, 1 reply; 3+ messages in thread
From: pannengyuan @ 2019-11-18 1:50 UTC (permalink / raw)
To: david
Cc: zhang.zhanghailiang, PanNengyuan, kenny.zhangjun, qemu-devel,
qemu-arm, kuhn.chenqun
From: PanNengyuan <pannengyuan@huawei.com>
source is being dereferenced before it is null checked, hence there is a
potential null pointer dereference.
This fixes:
360
CID 68911917: (NULL_RETURNS)
361. dereference: Dereferencing "source", which is known to be
"NULL".
361 if (source->mask & event_mask) {
362 break;
363 }
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
---
hw/ppc/spapr_events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
index 0e4c195..febd2ef 100644
--- a/hw/ppc/spapr_events.c
+++ b/hw/ppc/spapr_events.c
@@ -358,7 +358,7 @@ static SpaprEventLogEntry *rtas_event_log_dequeue(SpaprMachineState *spapr,
rtas_event_log_to_source(spapr,
spapr_event_log_entry_type(entry));
- if (source->mask & event_mask) {
+ if (source && (source->mask & event_mask)) {
break;
}
}
--
2.7.2.windows.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel][PATCH] ppc/spapr_events: fix potential NULL pointer dereference in rtas_event_log_dequeue
2019-11-18 1:50 [Qemu-devel][PATCH] ppc/spapr_events: fix potential NULL pointer dereference in rtas_event_log_dequeue pannengyuan
@ 2019-11-19 2:50 ` David Gibson
2019-11-19 3:11 ` pannengyuan
0 siblings, 1 reply; 3+ messages in thread
From: David Gibson @ 2019-11-19 2:50 UTC (permalink / raw)
To: pannengyuan
Cc: kuhn.chenqun, qemu-arm, kenny.zhangjun, qemu-devel, zhang.zhanghailiang
[-- Attachment #1: Type: text/plain, Size: 1772 bytes --]
On Mon, Nov 18, 2019 at 09:50:13AM +0800, pannengyuan@huawei.com wrote:
> From: PanNengyuan <pannengyuan@huawei.com>
>
> source is being dereferenced before it is null checked, hence there is a
> potential null pointer dereference.
>
> This fixes:
> 360
> CID 68911917: (NULL_RETURNS)
> 361. dereference: Dereferencing "source", which is known to be
> "NULL".
> 361 if (source->mask & event_mask) {
> 362 break;
> 363 }
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
I don't think this is the right solution. The only events we ever
generated are LOG_TYPE_EPOW and LOG_TYPE_HOTPLUG, so in fact source
should never be NULL.
I think the correct way to satisfy Coverity here is to have
rtas_event_log_to_source() do an assert(), rather than returning NULL
for other event types.
> ---
> hw/ppc/spapr_events.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
> index 0e4c195..febd2ef 100644
> --- a/hw/ppc/spapr_events.c
> +++ b/hw/ppc/spapr_events.c
> @@ -358,7 +358,7 @@ static SpaprEventLogEntry *rtas_event_log_dequeue(SpaprMachineState *spapr,
> rtas_event_log_to_source(spapr,
> spapr_event_log_entry_type(entry));
>
> - if (source->mask & event_mask) {
> + if (source && (source->mask & event_mask)) {
> break;
> }
> }
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel][PATCH] ppc/spapr_events: fix potential NULL pointer dereference in rtas_event_log_dequeue
2019-11-19 2:50 ` David Gibson
@ 2019-11-19 3:11 ` pannengyuan
0 siblings, 0 replies; 3+ messages in thread
From: pannengyuan @ 2019-11-19 3:11 UTC (permalink / raw)
To: David Gibson
Cc: kuhn.chenqun, qemu-arm, kenny.zhangjun, qemu-devel, zhang.zhanghailiang
Thanks for you reply.
I think you are right, I will send a new version later.
On 2019/11/19 10:50, David Gibson wrote:
> On Mon, Nov 18, 2019 at 09:50:13AM +0800, pannengyuan@huawei.com wrote:
>> From: PanNengyuan <pannengyuan@huawei.com>
>>
>> source is being dereferenced before it is null checked, hence there is a
>> potential null pointer dereference.
>>
>> This fixes:
>> 360
>> CID 68911917: (NULL_RETURNS)
>> 361. dereference: Dereferencing "source", which is known to be
>> "NULL".
>> 361 if (source->mask & event_mask) {
>> 362 break;
>> 363 }
>>
>> Reported-by: Euler Robot <euler.robot@huawei.com>
>> Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
>
> I don't think this is the right solution. The only events we ever
> generated are LOG_TYPE_EPOW and LOG_TYPE_HOTPLUG, so in fact source
> should never be NULL.
>
> I think the correct way to satisfy Coverity here is to have
> rtas_event_log_to_source() do an assert(), rather than returning NULL
> for other event types.
>
>> ---
>> hw/ppc/spapr_events.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
>> index 0e4c195..febd2ef 100644
>> --- a/hw/ppc/spapr_events.c
>> +++ b/hw/ppc/spapr_events.c
>> @@ -358,7 +358,7 @@ static SpaprEventLogEntry *rtas_event_log_dequeue(SpaprMachineState *spapr,
>> rtas_event_log_to_source(spapr,
>> spapr_event_log_entry_type(entry));
>>
>> - if (source->mask & event_mask) {
>> + if (source && (source->mask & event_mask)) {
>> break;
>> }
>> }
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-19 3:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-18 1:50 [Qemu-devel][PATCH] ppc/spapr_events: fix potential NULL pointer dereference in rtas_event_log_dequeue pannengyuan
2019-11-19 2:50 ` David Gibson
2019-11-19 3:11 ` pannengyuan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).