[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 1/2] xc_core_arch_map_p2m_tree_rw: fix memory leak

  • To: Juergen Gross <jgross@xxxxxxxx>, Edwin Török <edvin.torok@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 27 Feb 2023 14:49:09 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iY4MRneShEdl09YptamtBOd+4nAdAUzUI3hqOx8TSnI=; b=N50nCkxifC2PiontIPc/q0qBzNSHTPNaNHnNve47LowRlM0tJUhW7I5GQah4EICSxSNVoRKmRqJVvWQikpNvqn3875sSvqXzSf8+dKGljiakKR9HKLXiwBBfPuCd5kR55QJnbB4AofGd70Uo2GWs65EF2mT6Vfs+kO8WdEqcFFsFRZIuod7d9khFoRL3hnAiucS4+a0ya+W8sMG8YgoZW1hXFNh52CKoEOg280wNqcFYOaVhm35Zt0AkyqRAf8jpAmWruImaxSUyGjSU61klcl+BE+nwnFn/3srxkBQMO1rTKs+L7Mcd55JSY13tFpTCFsc9vHwiQEMWTEdjUf1SEg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MKlC4Kz2GNlwcrVE0EzJk07NMm5b3vHM1Y1qzDy35f98vCKrh7pCY4A47cf7yWQajpZGs8s3QLsBXI2V2ueJeviS6i/xugbaTvAGXA8K3yJo4AMyCd0fBl3NlLjTds9QCP3ahEEunokQ5Wv6SiPxXedCpmYthRJKKA+As9ujIntRW/dpL5hI2FnY9NfoD3H5oyil1II9+VgIDySrEwBJD4y76ocytGUkta7om5Vbi7Ir60N+e1975zTgbYulKfG8a6JyY/VpLbZHn1XdbiQ5FnijV+8C6VxCbw6d6CylXpqOp9+XHafDb/xCbuJnKuo3gAF+B2Xr9Sl0PO45IdEWBQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Edwin Török <edwin.torok@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Mon, 27 Feb 2023 14:49:58 +0000
  • Ironport-data: A9a23:9BTA8aI9x4F26OLAFE+R6pQlxSXFcZb7ZxGr2PjKsXjdYENSgTEGy GsZDGGCOvqCM2b3KYh2O4Sz80gH6sWGytJrTwVlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/rOHvykU7Ss1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpJrfPTwP9TlK6q4mhA5AZhPasjUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c5RDD1S5 P01AQoLdzKq3KWEzKC6Ws1F05FLwMnDZOvzu1lG5BSAVbMKZM6GRK/Ho9hFwD03m8ZCW+7EY NYUYiZuaxKGZABTPlAQC9Q1m+LAanvXKmUE7g7K4/dnpTGLnGSd05C0WDbRUvWMSd9YgQCzo WXe8n6iKhobKMae2XyO9XfEaurnzHOlCd1JRezQGvhCgVKS+lY6LwYsaVqi+aCXmEK+R8tYJ BlBksYphe1onKCxdfH/UAe/u2WspQMHVpxbFOhSwBGAzO/Y7hiUAkAATyVdc5o2uckuXzso2 1SV2dTzClRHvbGKSHTb6rCOqjCaMiwSMGNEbigBJSMa5/HzrYd1iQjAJuuPC4awh9zxXD31n TaDqXFmg61J1JZbkaKm4VrAnjSg4IDTSRI47RnWWWTj6R5lYImiZMqj7l2zAet8Ebt1h2Kp5 BAs8/VyJshXVMzlePClKAnVIIyU2g==
  • Ironport-hdrordr: A9a23:/Q2e06lgUTnC7d2hrQ1l2HYVL7vpDfIp3DAbv31ZSRFFG/Fw5P re+cjztCWE7Ar5PUtKpTnuAtjnfZqiz+8X3WB8B9uftWrd1ldATrsSj7cKqgeIc0fDH4Vmup uIHZISNDQlNzlHZc2T2njeLz5XrePmzJyV
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 27/02/2023 2:42 pm, Juergen Gross wrote:
> On 24.02.23 15:56, Andrew Cooper wrote:
>> On 24/02/2023 1:36 pm, Edwin Török wrote:
>>> From: Edwin Török <edwin.torok@xxxxxxxxx>
>>>
>>> Prior to bd7a29c3d0 'out' would've always been executed and memory
>>> freed, but that commit changed it such that it returns early and leaks.
>>>
>>> Found using gcc 12.2.1 `-fanalyzer`:
>>> ```
>>> xg_core_x86.c: In function ‘xc_core_arch_map_p2m_tree_rw’:
>>> xg_core_x86.c:300:5: error: leak of ‘p2m_frame_list_list’ [CWE-401]
>>> [-Werror=analyzer-malloc-leak]
>>>    300 |     return p2m_frame_list;
>>>        |     ^~~~~~
>>>    ‘xc_core_arch_map_p2m_writable’: events 1-2
>>>      |
>>>      |  378 | xc_core_arch_map_p2m_writable(xc_interface *xch,
>>> struct domain_info_context *dinfo, xc_dominfo_t *info,
>>>      |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>      |      | |
>>>      |      | (1) entry to ‘xc_core_arch_map_p2m_writable’
>>>      |......
>>>      |  381 |     return xc_core_arch_map_p2m_rw(xch, dinfo, info,
>>> live_shinfo, live_p2m, 1);
>>>      |      |           
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>      |      |            |
>>>      |      |            (2) calling ‘xc_core_arch_map_p2m_rw’ from
>>> ‘xc_core_arch_map_p2m_writable’
>>>      |
>>>      +--> ‘xc_core_arch_map_p2m_rw’: events 3-10
>>>             |
>>>             |  319 | xc_core_arch_map_p2m_rw(xc_interface *xch,
>>> struct domain_info_context *dinfo, xc_dominfo_t *info,
>>>             |      | ^~~~~~~~~~~~~~~~~~~~~~~
>>>             |      | |
>>>             |      | (3) entry to ‘xc_core_arch_map_p2m_rw’
>>>             |......
>>>             |  328 |     if ( xc_domain_nr_gpfns(xch, info->domid,
>>> &dinfo->p2m_size) < 0 )
>>>             |      |        ~
>>>             |      |        |
>>>             |      |        (4) following ‘false’ branch...
>>>             |......
>>>             |  334 |     if ( dinfo->p2m_size < info->nr_pages  )
>>>             |      |     ~~ ~
>>>             |      |     |  |
>>>             |      |     |  (6) following ‘false’ branch...
>>>             |      |     (5) ...to here
>>>             |......
>>>             |  340 |     p2m_cr3 = GET_FIELD(live_shinfo,
>>> arch.p2m_cr3, dinfo->guest_width);
>>>             |      |     ~~~~~~~
>>>             |      |     |
>>>             |      |     (7) ...to here
>>>             |  341 |
>>>             |  342 |     p2m_frame_list = p2m_cr3 ?
>>> xc_core_arch_map_p2m_list_rw(xch, dinfo, dom, live_shinfo, p2m_cr3)
>>>             |      |                     
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>             |  343 |                              :
>>> xc_core_arch_map_p2m_tree_rw(xch, dinfo, dom, live_shinfo);
>>>             |      |                             
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>             |      |                              | |
>>>             |      |                              | (9) ...to here
>>>             |      |                              | (10) calling
>>> ‘xc_core_arch_map_p2m_tree_rw’ from ‘xc_core_arch_map_p2m_rw’
>>>             |      |                              (8) following
>>> ‘false’ branch...
>>>             |
>>>             +--> ‘xc_core_arch_map_p2m_tree_rw’: events 11-24
>>>                    |
>>>                    |  228 |
>>> xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct
>>> domain_info_context *dinfo,
>>>                    |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>                    |      | |
>>>                    |      | (11) entry to
>>> ‘xc_core_arch_map_p2m_tree_rw’
>>>                    |......
>>>                    |  245 |     if ( !live_p2m_frame_list_list )
>>>                    |      |        ~
>>>                    |      |        |
>>>                    |      |        (12) following ‘false’ branch
>>> (when ‘live_p2m_frame_list_list’ is non-NULL)...
>>>                    |......
>>>                    |  252 |     if ( !(p2m_frame_list_list =
>>> malloc(PAGE_SIZE)) )
>>>                    |      |     ~~ ~                        
>>> ~~~~~~~~~~~~~~~~~
>>>                    |      |     |  |                         |
>>>                    |      |     |  |                         (14)
>>> allocated here
>>>                    |      |     |  (15) assuming
>>> ‘p2m_frame_list_list’ is non-NULL
>>>                    |      |     |  (16) following ‘false’ branch
>>> (when ‘p2m_frame_list_list’ is non-NULL)...
>>>                    |      |     (13) ...to here
>>>                    |......
>>>                    |  257 |     memcpy(p2m_frame_list_list,
>>> live_p2m_frame_list_list, PAGE_SIZE);
>>>                    |      |     ~~~~~~
>>>                    |      |     |
>>>                    |      |     (17) ...to here
>>>                    |......
>>>                    |  266 |     else if ( dinfo->guest_width <
>>> sizeof(unsigned long) )
>>>                    |      |             ~
>>>                    |      |             |
>>>                    |      |             (18) following ‘false’
>>> branch...
>>>                    |......
>>>                    |  270 |     live_p2m_frame_list =
>>>                    |      |     ~~~~~~~~~~~~~~~~~~~
>>>                    |      |     |
>>>                    |      |     (19) ...to here
>>>                    |......
>>>                    |  275 |     if ( !live_p2m_frame_list )
>>>                    |      |        ~
>>>                    |      |        |
>>>                    |      |        (20) following ‘false’ branch
>>> (when ‘live_p2m_frame_list’ is non-NULL)...
>>>                    |......
>>>                    |  282 |     if ( !(p2m_frame_list =
>>> malloc(P2M_TOOLS_FL_SIZE)) )
>>>                    |      |     ~~ ~
>>>                    |      |     |  |
>>>                    |      |     |  (22) following ‘false’ branch
>>> (when ‘p2m_frame_list’ is non-NULL)...
>>>                    |      |     (21) ...to here
>>>                    |......
>>>                    |  287 |     memset(p2m_frame_list, 0,
>>> P2M_TOOLS_FL_SIZE);
>>>                    |      |     ~~~~~~
>>>                    |      |     |
>>>                    |      |     (23) ...to here
>>>                    |......
>>>                    |  300 |     return p2m_frame_list;
>>>                    |      |     ~~~~~~
>>>                    |      |     |
>>>                    |      |     (24) ‘p2m_frame_list_list’ leaks
>>> here; was allocated at (14)
>>>                    |
>>> ```
>>> Fixes: bd7a29c3d0 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to
>>> support linear p2m table")
>>>
>>> Signed-off-by: Edwin Török <edwin.torok@xxxxxxxxx>
>>> ---
>>>   tools/libs/guest/xg_core_x86.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/tools/libs/guest/xg_core_x86.c
>>> b/tools/libs/guest/xg_core_x86.c
>>> index 61106b98b8..69929879d7 100644
>>> --- a/tools/libs/guest/xg_core_x86.c
>>> +++ b/tools/libs/guest/xg_core_x86.c
>>> @@ -297,6 +297,8 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
>>> struct domain_info_context *dinf
>>>         dinfo->p2m_frames = P2M_FL_ENTRIES;
>>>   +    free(p2m_frame_list_list);
>>> +
>>>       return p2m_frame_list;
>>>      out:
>>
>> I agree there are problems here, but I think they're larger still.  The
>> live_p2m_frame_list_list and live_p2m_frame_list foreign mappings are
>> leaked too on the success path.
>>
>> I think this is the necessary fix:
>
> Yes, I agree.
>
>>
>> ~Andrew
>>
>> ----8<----
>>
>> diff --git a/tools/libs/guest/xg_core_x86.c
>> b/tools/libs/guest/xg_core_x86.c
>> index 61106b98b877..c5e4542ccccc 100644
>> --- a/tools/libs/guest/xg_core_x86.c
>> +++ b/tools/libs/guest/xg_core_x86.c
>> @@ -229,11 +229,11 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
>> struct domain_info_context *dinf
>>                                uint32_t dom, shared_info_any_t
>> *live_shinfo)
>>   {
>>       /* Double and single indirect references to the live P2M table */
>> -    xen_pfn_t *live_p2m_frame_list_list;
>> +    xen_pfn_t *live_p2m_frame_list_list = NULL;
>>       xen_pfn_t *live_p2m_frame_list = NULL;
>>       /* Copies of the above. */
>>       xen_pfn_t *p2m_frame_list_list = NULL;
>> -    xen_pfn_t *p2m_frame_list;
>> +    xen_pfn_t *p2m_frame_list = NULL;
>>         int err;
>>       int i;
>> @@ -297,8 +297,6 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
>> struct domain_info_context *dinf
>>         dinfo->p2m_frames = P2M_FL_ENTRIES;
>>   -    return p2m_frame_list;
>> -
>>    out:
>>       err = errno;
>>   @@ -312,7 +310,7 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
>> struct domain_info_context *dinf
>>         errno = err;
>>   -    return NULL;
>> +    return p2m_frame_list;
>>   }
>>     static int
>>
>
> In case this fix is taken, my
>
> Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
>
> can be added.

Thanks.  I'll write a full patch and post it, with appropriate tags, and
also include it in my commit sweep.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.