tests/9p: fix potential leak in v9fs_rreaddir()

Message ID	E1psh5T-0002XN-1C@lizzy.crudebyte.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Christian Schoenebeck <qemu_oss@crudebyte.com> Date: Sat, 29 Apr 2023 11:25:33 +0200 Subject: [PATCH] tests/9p: fix potential leak in v9fs_rreaddir() To: qemu-devel@nongnu.org Cc: Greg Kurz <groug@kaod.org>, Paolo Bonzini <pbonzini@redhat.com> Message-Id: <E1psh5T-0002XN-1C@lizzy.crudebyte.com> Received-SPF: none client-ip=91.194.90.13; envelope-from=429af9531f2802072c18c982ceb477db579e2167@lizzy.crudebyte.com; helo=lizzy.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	tests/9p: fix potential leak in v9fs_rreaddir() \| expand tests/9p: fix potential leak in v9fs_rreaddir()

Message ID

E1psh5T-0002XN-1C@lizzy.crudebyte.com (mailing list archive)

State

New, archived

Headers

From: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Sat, 29 Apr 2023 11:25:33 +0200
Subject: [PATCH] tests/9p: fix potential leak in v9fs_rreaddir()
To: qemu-devel@nongnu.org
Cc: Greg Kurz <groug@kaod.org>,
    Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <E1psh5T-0002XN-1C@lizzy.crudebyte.com>
Received-SPF: none client-ip=91.194.90.13;
 envelope-from=429af9531f2802072c18c982ceb477db579e2167@lizzy.crudebyte.com;
 helo=lizzy.crudebyte.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

tests/9p: fix potential leak in v9fs_rreaddir() | expand

Commit Message

Christian Schoenebeck April 29, 2023, 9:25 a.m. UTC

Free allocated directory entries in v9fs_rreaddir() if argument
`entries` was passed as NULL, to avoid a memory leak. It is
explicitly allowed by design for `entries` to be NULL. [1]

[1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver

Reported-by: Coverity (CID 1487558)
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
---
 tests/qtest/libqos/virtio-9p-client.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Greg Kurz April 29, 2023, 12:04 p.m. UTC | #1

Hi Christian !

On Sat, 29 Apr 2023 11:25:33 +0200
Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:

> Free allocated directory entries in v9fs_rreaddir() if argument
> `entries` was passed as NULL, to avoid a memory leak. It is
> explicitly allowed by design for `entries` to be NULL. [1]
> 
> [1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver
> 
> Reported-by: Coverity (CID 1487558)
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---

Good catch Coverity ! :-)

Reviewed-by: Greg Kurz <groug@kaod.org>

I still have a suggestion. See below.

>  tests/qtest/libqos/virtio-9p-client.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
> index e4a368e036..b8adc8d4b9 100644
> --- a/tests/qtest/libqos/virtio-9p-client.c
> +++ b/tests/qtest/libqos/virtio-9p-client.c
> @@ -594,6 +594,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>  {
>      uint32_t local_count;
>      struct V9fsDirent *e = NULL;
> +    /* only used to avoid a leak if entries was NULL */
> +    struct V9fsDirent *unused_entries = NULL;
>      uint16_t slen;
>      uint32_t n = 0;
>  
> @@ -612,6 +614,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>              e = g_new(struct V9fsDirent, 1);
>              if (entries) {
>                  *entries = e;
> +            } else {
> +                unused_entries = e;
>              }
>          } else {
>              e = e->next = g_new(struct V9fsDirent, 1);

This is always allocating and chaining a new entry even
though it isn't needed in the entries == NULL case.

> @@ -628,6 +632,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>          *nentries = n;
>      }
>  
> +    v9fs_free_dirents(unused_entries);

This is going to loop again on all entries to free them.

>      v9fs_req_free(req);
>  }
>  

If this function is to be called one day with an enormous
number of entries and entries == NULL case, this might
not scale well.

What about only allocating a single entry in this case ?

E.g.

@@ -593,7 +593,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
                    struct V9fsDirent **entries)
 {
     uint32_t local_count;
-    struct V9fsDirent *e = NULL;
+    g_autofree struct V9fsDirent *e = NULL;
     uint16_t slen;
     uint32_t n = 0;
 
@@ -611,10 +611,12 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
         if (!e) {
             e = g_new(struct V9fsDirent, 1);
             if (entries) {
-                *entries = e;
+                *entries = g_steal_pointer(e);
             }
         } else {
-            e = e->next = g_new(struct V9fsDirent, 1);
+            if (entries) {
+                e = e->next = g_new(struct V9fsDirent, 1);
+            }
         }
         e->next = NULL;
         /* qid[13] offset[8] type[1] name[s] */

Christian Schoenebeck April 29, 2023, 1:20 p.m. UTC | #2

On Saturday, April 29, 2023 2:04:30 PM CEST Greg Kurz wrote:
> Hi Christian !

Hi there, it's been a while! :)

> On Sat, 29 Apr 2023 11:25:33 +0200
> Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:
> 
> > Free allocated directory entries in v9fs_rreaddir() if argument
> > `entries` was passed as NULL, to avoid a memory leak. It is
> > explicitly allowed by design for `entries` to be NULL. [1]
> > 
> > [1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver
> > 
> > Reported-by: Coverity (CID 1487558)
> > Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> > ---
> 
> Good catch Coverity ! :-)

Yeah, this Coverity report is actually from March and I ignored it so far,
because the reported leak could never happen with current test code. But Paolo
brought it up this week, so ...

> Reviewed-by: Greg Kurz <groug@kaod.org>
> 
> I still have a suggestion. See below.
> 
> >  tests/qtest/libqos/virtio-9p-client.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
> > index e4a368e036..b8adc8d4b9 100644
> > --- a/tests/qtest/libqos/virtio-9p-client.c
> > +++ b/tests/qtest/libqos/virtio-9p-client.c
> > @@ -594,6 +594,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> >  {
> >      uint32_t local_count;
> >      struct V9fsDirent *e = NULL;
> > +    /* only used to avoid a leak if entries was NULL */
> > +    struct V9fsDirent *unused_entries = NULL;
> >      uint16_t slen;
> >      uint32_t n = 0;
> >  
> > @@ -612,6 +614,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> >              e = g_new(struct V9fsDirent, 1);
> >              if (entries) {
> >                  *entries = e;
> > +            } else {
> > +                unused_entries = e;
> >              }
> >          } else {
> >              e = e->next = g_new(struct V9fsDirent, 1);
> 
> This is always allocating and chaining a new entry even
> though it isn't needed in the entries == NULL case.
> 
> > @@ -628,6 +632,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> >          *nentries = n;
> >      }
> >  
> > +    v9fs_free_dirents(unused_entries);
> 
> This is going to loop again on all entries to free them.
> 
> >      v9fs_req_free(req);
> >  }
> >  
> 
> If this function is to be called one day with an enormous
> number of entries and entries == NULL case, this might
> not scale well.
> 
> What about only allocating a single entry in this case ?
> 
> E.g.
> 
> @@ -593,7 +593,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>                     struct V9fsDirent **entries)
>  {
>      uint32_t local_count;
> -    struct V9fsDirent *e = NULL;
> +    g_autofree struct V9fsDirent *e = NULL;
>      uint16_t slen;
>      uint32_t n = 0;
>  
> @@ -611,10 +611,12 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>          if (!e) {
>              e = g_new(struct V9fsDirent, 1);
>              if (entries) {
> -                *entries = e;
> +                *entries = g_steal_pointer(e);

g_steal_pointer(e) just sets `e` to NULL and returns its old value, so ...

>              }
>          } else {
> -            e = e->next = g_new(struct V9fsDirent, 1);
> +            if (entries) {
> +                e = e->next = g_new(struct V9fsDirent, 1);
> +            }

... this `else` block would never be reached and no list assembled.

>          }
>          e->next = NULL;
>          /* qid[13] offset[8] type[1] name[s] */

And even if above's issue was fixed, then it would cause a use-after-free for
the last element in the list if entries != NULL and caller trying to access
the last element afterwards. So you would still need a separate g_autofree
pointer instead of tagging `e` directly, or something like this after loop
end:

  if (entries)
    g_steal_pointer(e);

Which would somehow defeat the purpose of using g_autofree though.

I mean, yes this could be addressed, but is it worth it? I don't know. Even
this reported leak is a purely theoretical one, but I understand if people
want to silence a warning.

Best regards,
Christian Schoenebeck

Greg Kurz May 2, 2023, 5:46 a.m. UTC | #3

On Sat, 29 Apr 2023 15:20:12 +0200
Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:

> On Saturday, April 29, 2023 2:04:30 PM CEST Greg Kurz wrote:
> > Hi Christian !
> 
> Hi there, it's been a while! :)
> 
> > On Sat, 29 Apr 2023 11:25:33 +0200
> > Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:
> > 
> > > Free allocated directory entries in v9fs_rreaddir() if argument
> > > `entries` was passed as NULL, to avoid a memory leak. It is
> > > explicitly allowed by design for `entries` to be NULL. [1]
> > > 
> > > [1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver
> > > 
> > > Reported-by: Coverity (CID 1487558)
> > > Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> > > ---
> > 
> > Good catch Coverity ! :-)
> 
> Yeah, this Coverity report is actually from March and I ignored it so far,
> because the reported leak could never happen with current test code. But Paolo
> brought it up this week, so ...
> 
> > Reviewed-by: Greg Kurz <groug@kaod.org>
> > 
> > I still have a suggestion. See below.
> > 
> > >  tests/qtest/libqos/virtio-9p-client.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > > 
> > > diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
> > > index e4a368e036..b8adc8d4b9 100644
> > > --- a/tests/qtest/libqos/virtio-9p-client.c
> > > +++ b/tests/qtest/libqos/virtio-9p-client.c
> > > @@ -594,6 +594,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > >  {
> > >      uint32_t local_count;
> > >      struct V9fsDirent *e = NULL;
> > > +    /* only used to avoid a leak if entries was NULL */
> > > +    struct V9fsDirent *unused_entries = NULL;
> > >      uint16_t slen;
> > >      uint32_t n = 0;
> > >  
> > > @@ -612,6 +614,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > >              e = g_new(struct V9fsDirent, 1);
> > >              if (entries) {
> > >                  *entries = e;
> > > +            } else {
> > > +                unused_entries = e;
> > >              }
> > >          } else {
> > >              e = e->next = g_new(struct V9fsDirent, 1);
> > 
> > This is always allocating and chaining a new entry even
> > though it isn't needed in the entries == NULL case.
> > 
> > > @@ -628,6 +632,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> > >          *nentries = n;
> > >      }
> > >  
> > > +    v9fs_free_dirents(unused_entries);
> > 
> > This is going to loop again on all entries to free them.
> > 
> > >      v9fs_req_free(req);
> > >  }
> > >  
> > 
> > If this function is to be called one day with an enormous
> > number of entries and entries == NULL case, this might
> > not scale well.
> > 
> > What about only allocating a single entry in this case ?
> > 
> > E.g.
> > 
> > @@ -593,7 +593,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> >                     struct V9fsDirent **entries)
> >  {
> >      uint32_t local_count;
> > -    struct V9fsDirent *e = NULL;
> > +    g_autofree struct V9fsDirent *e = NULL;
> >      uint16_t slen;
> >      uint32_t n = 0;
> >  
> > @@ -611,10 +611,12 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
> >          if (!e) {
> >              e = g_new(struct V9fsDirent, 1);
> >              if (entries) {
> > -                *entries = e;
> > +                *entries = g_steal_pointer(e);
> 
> g_steal_pointer(e) just sets `e` to NULL and returns its old value, so ...
> 
> >              }
> >          } else {
> > -            e = e->next = g_new(struct V9fsDirent, 1);
> > +            if (entries) {
> > +                e = e->next = g_new(struct V9fsDirent, 1);
> > +            }
> 
> ... this `else` block would never be reached and no list assembled.
> 
> >          }
> >          e->next = NULL;
> >          /* qid[13] offset[8] type[1] name[s] */
> 
> And even if above's issue was fixed, then it would cause a use-after-free for
> the last element in the list if entries != NULL and caller trying to access
> the last element afterwards. So you would still need a separate g_autofree
> pointer instead of tagging `e` directly, or something like this after loop
> end:
> 
>   if (entries)
>     g_steal_pointer(e);
> 
> Which would somehow defeat the purpose of using g_autofree though.
> 
> I mean, yes this could be addressed, but is it worth it? I don't know. Even
> this reported leak is a purely theoretical one, but I understand if people
> want to silence a warning.
> 

Yeah you're right.

Cheers,

--
Greg

> Best regards,
> Christian Schoenebeck
> 
>

Christian Schoenebeck May 4, 2023, 10:53 a.m. UTC | #4

On Saturday, April 29, 2023 11:25:33 AM CEST Christian Schoenebeck wrote:
> Free allocated directory entries in v9fs_rreaddir() if argument
> `entries` was passed as NULL, to avoid a memory leak. It is
> explicitly allowed by design for `entries` to be NULL. [1]
> 
> [1] https://lore.kernel.org/all/1690923.g4PEXVpXuU@silver
> 
> Reported-by: Coverity (CID 1487558)
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---

Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!

Best regards,
Christian Schoenebeck

>  tests/qtest/libqos/virtio-9p-client.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
> index e4a368e036..b8adc8d4b9 100644
> --- a/tests/qtest/libqos/virtio-9p-client.c
> +++ b/tests/qtest/libqos/virtio-9p-client.c
> @@ -594,6 +594,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>  {
>      uint32_t local_count;
>      struct V9fsDirent *e = NULL;
> +    /* only used to avoid a leak if entries was NULL */
> +    struct V9fsDirent *unused_entries = NULL;
>      uint16_t slen;
>      uint32_t n = 0;
>  
> @@ -612,6 +614,8 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>              e = g_new(struct V9fsDirent, 1);
>              if (entries) {
>                  *entries = e;
> +            } else {
> +                unused_entries = e;
>              }
>          } else {
>              e = e->next = g_new(struct V9fsDirent, 1);
> @@ -628,6 +632,7 @@ void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
>          *nentries = n;
>      }
>  
> +    v9fs_free_dirents(unused_entries);
>      v9fs_req_free(req);
>  }
>  
>

diff --git a/tests/qtest/libqos/virtio-9p-client.c b/tests/qtest/libqos/virtio-9p-client.c
index e4a368e036..b8adc8d4b9 100644
--- a/tests/qtest/libqos/virtio-9p-client.c
+++ b/tests/qtest/libqos/virtio-9p-client.c
@@ -594,6 +594,8 @@  void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
 {
     uint32_t local_count;
     struct V9fsDirent *e = NULL;
+    /* only used to avoid a leak if entries was NULL */
+    struct V9fsDirent *unused_entries = NULL;
     uint16_t slen;
     uint32_t n = 0;
 
@@ -612,6 +614,8 @@  void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
             e = g_new(struct V9fsDirent, 1);
             if (entries) {
                 *entries = e;
+            } else {
+                unused_entries = e;
             }
         } else {
             e = e->next = g_new(struct V9fsDirent, 1);
@@ -628,6 +632,7 @@  void v9fs_rreaddir(P9Req *req, uint32_t *count, uint32_t *nentries,
         *nentries = n;
     }
 
+    v9fs_free_dirents(unused_entries);
     v9fs_req_free(req);
 }

tests/9p: fix potential leak in v9fs_rreaddir()

Commit Message

Comments

Patch