From patchwork Wed Feb 23 14:39:23 2022
From: wliang@stu.xidian.edu.cn
To: "qemu-devel@nongnu.org"
Subject: Fix a potential memory leak bug in write_boot_rom() (v6.2.0).
Date: Wed, 23 Feb 2022 22:39:23 +0800 (GMT+08:00)
Message-ID: <6e7748f1.25d8.17f2705c420.Coremail.wliang@stu.xidian.edu.cn>

Hi all,

I found a memory leak bug in QEMU 6.2.0, in write_boot_rom() (./hw/arm/aspeed.c). Specifically, at line 276, a memory chunk is allocated with g_new0() and assigned to the variable 'storage'. However, if the branch at line 277 is taken, there is only an error report at line 278 and no free operation for 'storage' before the function returns. As a result, a memory leak bug is triggered.

259 BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
...
276 storage = g_new0(uint8_t, rom_size);
277 if (blk_pread(blk, 0, storage, rom_size) < 0) {
278     error_setg(errp, "failed to read the initial flash content");
279     return;
280 }

I believe that the problem can be fixed by adding a g_free() before the function returns.

277 if (blk_pread(blk, 0, storage, rom_size) < 0) {
278     error_setg(errp, "failed to read the initial flash content");
+++     g_free(storage);
279     return;
280 }

I'm looking forward to your confirmation.

Best,
Wentao

--- ./hw/arm/aspeed.c 2022-02-23 15:06:31.928708083 +0800
+++ ./hw/arm/aspeed-PATCH.c 2022-02-23 21:22:28.200802801 +0800
@@ -276,6 +276,7 @@
     storage = g_new0(uint8_t, rom_size);
     if (blk_pread(blk, 0, storage, rom_size) < 0) {
         error_setg(errp, "failed to read the initial flash content");
+        g_free(storage);
         return;
     }
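Review bot: the added g_free(storage) closes this one exit path, but a declaration-scoped cleanup would close all of them at once: declaring the buffer as `g_autofree uint8_t *storage = g_new0(uint8_t, rom_size);` (the glib attribute QEMU already uses widely) frees it on every return without a per-path call, and it also covers any other early return after line 276 that this hunk does not show. If the explicit free is kept, please state in the commit message that the success path releases 'storage' elsewhere, since the hunk ends before that. Separately, the patch is a plain diff between `./hw/arm/aspeed.c` and `./hw/arm/aspeed-PATCH.c` with no commit message and no Signed-off-by line; QEMU takes patches produced by git format-patch against the tree (a/ and b/ path prefixes, subject, Signed-off-by) so they can be applied with git am.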
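To make the leak in the report concrete, here is a small self-contained harness, added for this page and not QEMU's code: tracked_new0()/tracked_free() and fake_blk_pread() are constructed stand-ins for g_new0()/g_free() and blk_pread(), and the two write_boot_rom_* functions are assumed shapes that mirror the before and after of the hunk above. A counting allocator makes the early-return leak visible as a non-zero number of outstanding allocations.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting allocator standing in for g_new0()/g_free() (constructed for
 * this example) so a test can see what a function leaves behind. */
static long live_allocs = 0;

static void *tracked_new0(size_t n)
{
    void *p = calloc(n, 1);
    if (p) {
        live_allocs++;
    }
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Fake block backend standing in for blk_pread(): fails on demand. */
typedef struct {
    int fail;       /* non-zero: the read reports an error */
    uint8_t fill;   /* byte a successful read fills the buffer with */
} FakeBlk;

static int fake_blk_pread(FakeBlk *blk, uint8_t *buf, size_t len)
{
    if (blk->fail) {
        return -1;
    }
    memset(buf, blk->fill, len);
    return 0;
}

typedef int (*rom_writer_fn)(FakeBlk *, size_t, uint8_t *);

/* "Before": same shape as the report. On a read error the function
 * returns while 'storage' is still allocated, so one block leaks. */
static int write_boot_rom_leaky(FakeBlk *blk, size_t rom_size, uint8_t *out)
{
    uint8_t *storage = tracked_new0(rom_size);
    if (!storage) {
        return -1;
    }
    if (fake_blk_pread(blk, storage, rom_size) < 0) {
        return -1;                   /* early return, no free: the leak */
    }
    memcpy(out, storage, rom_size);
    tracked_free(storage);
    return 0;
}

/* "After": release 'storage' on the error path, as the patch proposes. */
static int write_boot_rom_fixed(FakeBlk *blk, size_t rom_size, uint8_t *out)
{
    uint8_t *storage = tracked_new0(rom_size);
    if (!storage) {
        return -1;
    }
    if (fake_blk_pread(blk, storage, rom_size) < 0) {
        tracked_free(storage);
        return -1;
    }
    memcpy(out, storage, rom_size);
    tracked_free(storage);
    return 0;
}

/* Run one variant against a backend that succeeds or fails and return the
 * number of allocations it left outstanding; 0 means no leak. */
static long leaked_allocs(rom_writer_fn fn, int read_fails)
{
    uint8_t out[64];
    FakeBlk blk = { .fail = read_fails, .fill = 0xAB };
    long before = live_allocs;
    fn(&blk, sizeof out, out);
    return live_allocs - before;
}

int main(void)
{
    printf("leaky, read error: %ld outstanding\n", leaked_allocs(write_boot_rom_leaky, 1));
    printf("fixed, read error: %ld outstanding\n", leaked_allocs(write_boot_rom_fixed, 1));
    printf("fixed, read ok:    %ld outstanding\n", leaked_allocs(write_boot_rom_fixed, 0));
    return 0;
}
```

The counting allocator is doing by hand what LeakSanitizer or valgrind would report for the real write_boot_rom() when blk_pread() fails. In QEMU proper, glib's g_autofree attribute on the declaration of 'storage' is the usual way to get the freed-on-every-path behaviour without remembering a g_free() at each return.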