From patchwork Tue Nov 3 14:53:09 2020
X-Patchwork-Submitter: Alex Chen
X-Patchwork-Id: 11878019
Message-ID: <5FA16ED5.4000203@huawei.com>
Date: Tue, 3 Nov 2020 22:53:09 +0800
From: AlexChen
To: , Paolo Bonzini , , , ,
Subject: [PATCH] tests/qtest: Fix potential NULL pointer dereference in qos_build_main_args()
Cc: QEMU , zhang.zhanghailiang@huawei.com

In qos_build_main_args(), the pointer 'path' is dereferenced before
checking it is valid, which may lead to NULL pointer dereference.
So move the assignment to 'cmd_line' after checking 'path' is valid.

Reported-by: Euler Robot
Signed-off-by: Alex Chen
Reviewed-by: Alexander Bulekov
---
 tests/qtest/fuzz/qos_fuzz.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c index b943577b8c..cee1a2a60f 100644 --- a/tests/qtest/fuzz/qos_fuzz.c +++ b/tests/qtest/fuzz/qos_fuzz.c @@ -70,7 +70,7 @@ static GString *qos_build_main_args(void) { char **path = fuzz_path_vec; QOSGraphNode *test_node; - GString *cmd_line = g_string_new(path[0]); + GString *cmd_line; void *test_arg; if (!path) { 
@@ -79,6 +79,7 @@ static GString *qos_build_main_args(void) } /* Before test */ + cmd_line = g_string_new(path[0]); current_path = path; test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]); test_arg = test_node->u.test.arg;
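Review bot: In the first hunk (@@ -70,7 +70,7 @@), `GString *cmd_line;` is now declared without an initializer, so it holds an indeterminate value across the `if (!path) {` block that follows. The body of that block is not visible in this hunk; if it, or any code later added between the declaration and the assignment, reads or returns cmd_line, that is a use of an uninitialized pointer. Declaring it as `GString *cmd_line = NULL;` costs nothing, keeps the fix robust against later edits, and avoids maybe-uninitialized warnings from compilers and static analyzers.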
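Review bot: In the second hunk (@@ -79,6 +79,7 @@), the context lines right after the moved assignment still contain unchecked dereferences of the same kind this patch fixes. `test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);` is followed directly by `test_arg = test_node->u.test.arg;` with no check that the lookup returned a node. The `!path` test also only covers a NULL vector: for an empty vector g_strv_length() returns 0, and since it returns a guint, the `- 1` wraps to a huge index and path[] is read out of bounds. Consider rejecting an empty vector alongside the `!path` check (for example by testing `path[0]`) and checking test_node before reading `u.test.arg`, either in this patch or in a follow-up.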