[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220104024729.GA26952@louislifei-OptiPlex-7050>
Date: Tue, 4 Jan 2022 10:47:29 +0800
From: Li Fei1 <fei1.li@...el.com>
To: Zhou Qingyang <zhou1615@....edu>
Cc: kjlu@....edu, reinette.chatre@...el.com, zhi.a.wang@...el.com,
gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
fei1.li@...el.com
Subject: Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
On Tue, Jan 04, 2022 at 10:34:39AM +0800, Zhou Qingyang wrote:
> In acrn_dev_ioctl(), vm_param is not released or passed out on the
> error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)",
> which could lead to a memory leak.
>
> Fix this bug by adding a kfree of vm_param on the error path.
>
> This bug was found by a static analyzer.
>
> Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in
> the current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
Hi Qingyang
Thanks a lot to fix this issue. Would you please to help to fix the same issue
in ACRN_IOCTL_SET_VCPU_REGS case ?
> drivers/virt/acrn/hsm.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
> index 5419794fccf1..205f4c637556 100644
> --- a/drivers/virt/acrn/hsm.c
> +++ b/drivers/virt/acrn/hsm.c
> @@ -136,9 +136,11 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
> if (IS_ERR(vm_param))
> return PTR_ERR(vm_param);
>
> - if ((vm_param->reserved0 | vm_param->reserved1) != 0)
> - return -EINVAL;
> -
> + if ((vm_param->reserved0 | vm_param->reserved1) != 0) {
> + ret = -EINVAL;
> + kfree(vm_param);
> + break;
> + }
> vm = acrn_vm_create(vm, vm_param);
> if (!vm) {
> ret = -EINVAL;
> --
> 2.25.1
>
Powered by blists - more mailing lists