[libvirt] [PATCH 00/10] coverity cleanups, round 1
Coverity reported a number of bugs against libvirt. I ran out of time to get through them all today, but there are certainly some real doozies in here. I've blamed commits where non-trivial bugs were introduced, to help distros decide if things need back-porting (I think that leaks on OOM situations and coverity false positives are not serious enough to warrant a back-port). These patches are pretty much independent (can be applied in any order); I suppose I could have rebased it to order the series by severity, oh well. Eric Blake (10): command: avoid leak on failure libvirtd: avoid leak on failure storage: avoid memory leak storage: avoid memory leak on stat failure lock: avoid leak on failure remote: avoid leak on failure qemu: avoid memory leak on vcpupin event: avoid memory leak on cleanup build: silence coverity false positive build: silence coverity false positive daemon/libvirtd.c | 4 +++- daemon/remote.c | 1 + src/conf/domain_event.c | 3 ++- src/locking/lock_manager.c | 3 ++- src/qemu/qemu_process.c | 21 +++++++++++++-------- src/remote/remote_driver.c | 7 ++++++- src/storage/storage_backend_fs.c | 15 +-------------- src/util/command.c | 5 ++++- src/util/storage_file.c | 15 +++++++-------- 9 files changed, 39 insertions(+), 35 deletions(-) -- 1.7.4.4
Detected by Coverity. While it is possible on OOM condition, as well as with bad code that passes binary == NULL, it is unlikely to be encountered in the wild. * src/util/command.c (virCommandNewArgList): Don't leak memory. --- src/util/command.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/util/command.c b/src/util/command.c index 288958e..a2f7ff6 100644 --- a/src/util/command.c +++ b/src/util/command.c @@ -142,7 +142,7 @@ virCommandNewArgList(const char *binary, ...) const char *arg; if (!cmd || cmd->has_error) - return NULL; + return cmd; va_start(list, binary); while ((arg = va_arg(list, const char *)) != NULL) -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:53PM -0600, Eric Blake wrote:
Detected by Coverity. While it is possible on OOM condition, as well as with bad code that passes binary == NULL, it is unlikely to be encountered in the wild.
* src/util/command.c (virCommandNewArgList): Don't leak memory. --- src/util/command.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/util/command.c b/src/util/command.c index 288958e..a2f7ff6 100644 --- a/src/util/command.c +++ b/src/util/command.c @@ -142,7 +142,7 @@ virCommandNewArgList(const char *binary, ...) const char *arg;
if (!cmd || cmd->has_error) - return NULL; + return cmd;
va_start(list, binary); while ((arg = va_arg(list, const char *)) != NULL)
ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Spotted by Coverity. Only possible on an OOM condition, so unlikely to bite in the wild. * daemon/libvirtd.c (qemudSetLogging): Don't leak memory. --- daemon/libvirtd.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index aec81cf..728031f 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -2779,8 +2779,10 @@ qemudSetLogging(struct qemud_server *server, virConfPtr conf, goto free_and_fail; if (virAsprintf(&tmp, "%d:file:%s/.libvirt/libvirtd.log", - virLogGetDefaultPriority(), userdir) == -1) + virLogGetDefaultPriority(), userdir) == -1) { + VIR_FREE(userdir); goto out_of_memory; + } } } else { if (virAsprintf(&tmp, "%d:stderr", virLogGetDefaultPriority()) < 0) -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:54PM -0600, Eric Blake wrote:
Spotted by Coverity. Only possible on an OOM condition, so unlikely to bite in the wild.
* daemon/libvirtd.c (qemudSetLogging): Don't leak memory. --- daemon/libvirtd.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index aec81cf..728031f 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -2779,8 +2779,10 @@ qemudSetLogging(struct qemud_server *server, virConfPtr conf, goto free_and_fail;
if (virAsprintf(&tmp, "%d:file:%s/.libvirt/libvirtd.log", - virLogGetDefaultPriority(), userdir) == -1) + virLogGetDefaultPriority(), userdir) == -1) { + VIR_FREE(userdir); goto out_of_memory; + } } } else { if (virAsprintf(&tmp, "%d:stderr", virLogGetDefaultPriority()) < 0)
ACK, userdir is defined only on the local scope, so that's the best way Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Coverity detected that options was being set by strdup but never freed. But why even bother with an options variable? The options parameter never changes! Leak present since commit 44948f5b (0.7.0). This function could probably be rewritten to take better advantage of virCommand, but that is more invasive. * src/storage/storage_backend_fs.c (virStorageBackendFileSystemMount): Avoid wasted strdup, and guarantee proper cleanup on all paths. --- src/storage/storage_backend_fs.c | 15 +-------------- 1 files changed, 1 insertions(+), 14 deletions(-) diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c index 3f4d978..207669a 100644 --- a/src/storage/storage_backend_fs.c +++ b/src/storage/storage_backend_fs.c @@ -317,7 +317,6 @@ virStorageBackendFileSystemIsMounted(virStoragePoolObjPtr pool) { static int virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { char *src; - char *options = NULL; const char **mntargv; /* 'mount -t auto' doesn't seem to auto determine nfs (or cifs), @@ -328,7 +327,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { int glusterfs = (pool->def->type == VIR_STORAGE_POOL_NETFS && pool->def->source.format == VIR_STORAGE_POOL_NETFS_GLUSTERFS); - int option_index; int source_index; const char *netfs_auto_argv[] = { @@ -358,7 +356,7 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { virStoragePoolFormatFileSystemNetTypeToString(pool->def->source.format), NULL, "-o", - NULL, + "direct-io-mode=1", pool->def->target.path, NULL, }; @@ -369,7 +367,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { } else if (glusterfs) { mntargv = glusterfs_argv; source_index = 3; - option_index = 5; } else { mntargv = fs_argv; source_index = 3; @@ -405,12 +402,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { } if (pool->def->type == VIR_STORAGE_POOL_NETFS) { - if (pool->def->source.format == VIR_STORAGE_POOL_NETFS_GLUSTERFS) { - if ((options = strdup("direct-io-mode=1")) == NULL) { - virReportOOMError(); - return -1; - } - } if (virAsprintf(&src, "%s:%s", pool->def->source.host.name, pool->def->source.dir) == -1) { @@ -426,10 +417,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { } mntargv[source_index] = src; - if (glusterfs) { - mntargv[option_index] = options; - } - if (virRun(mntargv, NULL) < 0) { VIR_FREE(src); return -1; -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:55PM -0600, Eric Blake wrote:
Coverity detected that options was being set by strdup but never freed. But why even bother with an options variable? The options parameter never changes! Leak present since commit 44948f5b (0.7.0).
This function could probably be rewritten to take better advantage of virCommand, but that is more invasive.
* src/storage/storage_backend_fs.c (virStorageBackendFileSystemMount): Avoid wasted strdup, and guarantee proper cleanup on all paths. --- src/storage/storage_backend_fs.c | 15 +-------------- 1 files changed, 1 insertions(+), 14 deletions(-)
diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c index 3f4d978..207669a 100644 --- a/src/storage/storage_backend_fs.c +++ b/src/storage/storage_backend_fs.c @@ -317,7 +317,6 @@ virStorageBackendFileSystemIsMounted(virStoragePoolObjPtr pool) { static int virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { char *src; - char *options = NULL; const char **mntargv;
/* 'mount -t auto' doesn't seem to auto determine nfs (or cifs), @@ -328,7 +327,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { int glusterfs = (pool->def->type == VIR_STORAGE_POOL_NETFS && pool->def->source.format == VIR_STORAGE_POOL_NETFS_GLUSTERFS);
- int option_index; int source_index;
const char *netfs_auto_argv[] = { @@ -358,7 +356,7 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { virStoragePoolFormatFileSystemNetTypeToString(pool->def->source.format), NULL, "-o", - NULL, + "direct-io-mode=1", pool->def->target.path, NULL, }; @@ -369,7 +367,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { } else if (glusterfs) { mntargv = glusterfs_argv; source_index = 3; - option_index = 5; } else { mntargv = fs_argv; source_index = 3; @@ -405,12 +402,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { }
if (pool->def->type == VIR_STORAGE_POOL_NETFS) { - if (pool->def->source.format == VIR_STORAGE_POOL_NETFS_GLUSTERFS) { - if ((options = strdup("direct-io-mode=1")) == NULL) { - virReportOOMError(); - return -1; - } - } if (virAsprintf(&src, "%s:%s", pool->def->source.host.name, pool->def->source.dir) == -1) { @@ -426,10 +417,6 @@ virStorageBackendFileSystemMount(virStoragePoolObjPtr pool) { } mntargv[source_index] = src;
- if (glusterfs) { - mntargv[option_index] = options; - } - if (virRun(mntargv, NULL) < 0) { VIR_FREE(src); return -1;
Okay it seems we unconditionally set this option for glusterfs, but I'm still confused by the initial author intent there. It would be good if someone else could double check, this looks good but I'm not 100% sure and glusterfs is not used that often. Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
On 06/02/2011 06:38 PM, Daniel Veillard wrote:
On Thu, Jun 02, 2011 at 05:07:55PM -0600, Eric Blake wrote:
Coverity detected that options was being set by strdup but never freed. But why even bother with an options variable? The options parameter never changes! Leak present since commit 44948f5b (0.7.0).
This function could probably be rewritten to take better advantage of virCommand, but that is more invasive.
Okay it seems we unconditionally set this option for glusterfs, but I'm still confused by the initial author intent there. It would be good if someone else could double check, this looks good but I'm not 100% sure and glusterfs is not used that often.
Thanks for the reviews. I'm pushing this as-is (along with the rest of the ack'd series); if someone more familiar with glusterfs speaks up, we can revisit that post-release as part of the more invasive rewrite to use virCommand instead of virRun. Now off to round 2 of coverity analysis :) -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
Spotted by coverity. Triggers on failed stat, although I'm not sure how easy that condition is, so I'm not sure if this is a runtime memory hog. Regression introduced in commit 8077d64 (unreleased). * src/util/storage_file.c (virStorageFileGetMetadataFromFD): Reduce need for malloc, avoiding a leak. --- src/util/storage_file.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) diff --git a/src/util/storage_file.c b/src/util/storage_file.c index 8dbd933..6b3b756 100644 --- a/src/util/storage_file.c +++ b/src/util/storage_file.c @@ -831,11 +831,6 @@ virStorageFileGetMetadataFromFD(const char *path, int ret = -1; struct stat sb; - if (VIR_ALLOC_N(head, len) < 0) { - virReportOOMError(); - return -1; - } - memset(meta, 0, sizeof (*meta)); if (fstat(fd, &sb) < 0) { @@ -847,13 +842,17 @@ virStorageFileGetMetadataFromFD(const char *path, /* No header to probe for directories */ if (S_ISDIR(sb.st_mode)) { - ret = 0; - goto cleanup; + return 0; } if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { virReportSystemError(errno, _("cannot seek to start of '%s'"), path); - goto cleanup; + return -1; + } + + if (VIR_ALLOC_N(head, len) < 0) { + virReportOOMError(); + return -1; } if ((len = read(fd, head, len)) < 0) { -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:56PM -0600, Eric Blake wrote:
Spotted by coverity. Triggers on failed stat, although I'm not sure how easy that condition is, so I'm not sure if this is a runtime memory hog. Regression introduced in commit 8077d64 (unreleased).
* src/util/storage_file.c (virStorageFileGetMetadataFromFD): Reduce need for malloc, avoiding a leak. --- src/util/storage_file.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/util/storage_file.c b/src/util/storage_file.c index 8dbd933..6b3b756 100644 --- a/src/util/storage_file.c +++ b/src/util/storage_file.c @@ -831,11 +831,6 @@ virStorageFileGetMetadataFromFD(const char *path, int ret = -1; struct stat sb;
- if (VIR_ALLOC_N(head, len) < 0) { - virReportOOMError(); - return -1; - } - memset(meta, 0, sizeof (*meta));
if (fstat(fd, &sb) < 0) { @@ -847,13 +842,17 @@ virStorageFileGetMetadataFromFD(const char *path,
/* No header to probe for directories */ if (S_ISDIR(sb.st_mode)) { - ret = 0; - goto cleanup; + return 0; }
if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { virReportSystemError(errno, _("cannot seek to start of '%s'"), path); - goto cleanup; + return -1; + } + + if (VIR_ALLOC_N(head, len) < 0) { + virReportOOMError(); + return -1; }
if ((len = read(fd, head, len)) < 0) {
ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Detected by Coverity. Only possible on OOM situations. * src/locking/lock_manager.c (virLockManagerPluginNew): Plug leak. --- src/locking/lock_manager.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/locking/lock_manager.c b/src/locking/lock_manager.c index 6197fd4..138cc91 100644 --- a/src/locking/lock_manager.c +++ b/src/locking/lock_manager.c @@ -120,7 +120,7 @@ virLockManagerPluginPtr virLockManagerPluginNew(const char *name, { void *handle = NULL; virLockDriverPtr driver; - virLockManagerPluginPtr plugin; + virLockManagerPluginPtr plugin = NULL; const char *moddir = getenv("LIBVIRT_LOCK_MANAGER_PLUGIN_DIR"); char *modfile = NULL; @@ -182,6 +182,7 @@ virLockManagerPluginPtr virLockManagerPluginNew(const char *name, return plugin; cleanup: + VIR_FREE(plugin); VIR_FREE(modfile); if (handle) dlclose(handle); -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:57PM -0600, Eric Blake wrote:
Detected by Coverity. Only possible on OOM situations.
* src/locking/lock_manager.c (virLockManagerPluginNew): Plug leak. --- src/locking/lock_manager.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/locking/lock_manager.c b/src/locking/lock_manager.c index 6197fd4..138cc91 100644 --- a/src/locking/lock_manager.c +++ b/src/locking/lock_manager.c @@ -120,7 +120,7 @@ virLockManagerPluginPtr virLockManagerPluginNew(const char *name, { void *handle = NULL; virLockDriverPtr driver; - virLockManagerPluginPtr plugin; + virLockManagerPluginPtr plugin = NULL; const char *moddir = getenv("LIBVIRT_LOCK_MANAGER_PLUGIN_DIR"); char *modfile = NULL;
@@ -182,6 +182,7 @@ virLockManagerPluginPtr virLockManagerPluginNew(const char *name, return plugin;
cleanup: + VIR_FREE(plugin); VIR_FREE(modfile); if (handle) dlclose(handle);
ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Detected by Coverity. Only possible in OOM situations. * daemon/remote.c (remoteDispatchDomainScreenshot): Plug leak. --- daemon/remote.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/daemon/remote.c b/daemon/remote.c index 2a32ee8..49058f2 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1453,6 +1453,7 @@ remoteDispatchDomainScreenshot(struct qemud_server *server ATTRIBUTE_UNUSED, *mime_p = strdup(mime); if (*mime_p == NULL) { virReportOOMError(); + VIR_FREE(mime_p); goto cleanup; } -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:58PM -0600, Eric Blake wrote:
Detected by Coverity. Only possible in OOM situations.
* daemon/remote.c (remoteDispatchDomainScreenshot): Plug leak. --- daemon/remote.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/daemon/remote.c b/daemon/remote.c index 2a32ee8..49058f2 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1453,6 +1453,7 @@ remoteDispatchDomainScreenshot(struct qemud_server *server ATTRIBUTE_UNUSED, *mime_p = strdup(mime); if (*mime_p == NULL) { virReportOOMError(); + VIR_FREE(mime_p); goto cleanup; }
ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Detected by Coverity. This leaked a cpumap on every iteration of the loop. Leak introduced in commit 1cc4d02 (v0.9.0). * src/qemu/qemu_process.c (qemuProcessSetVcpuAffinites): Plug leak, and hoist allocation outside loop. --- src/qemu/qemu_process.c | 21 +++++++++++++-------- 1 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 116253e..f175d50 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1195,6 +1195,8 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, pid_t vcpupid; unsigned char *cpumask; int vcpu, cpumaplen, hostcpus, maxcpu; + unsigned char *cpumap = NULL; + int ret = -1; if (virNodeGetInfo(conn, &nodeinfo) != 0) { return -1; @@ -1216,18 +1218,18 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, if (maxcpu > hostcpus) maxcpu = hostcpus; + if (VIR_ALLOC_N(cpumap, cpumaplen) < 0) { + virReportOOMError(); + return -1; + } + for (vcpu = 0; vcpu < def->cputune.nvcpupin; vcpu++) { if (vcpu != def->cputune.vcpupin[vcpu]->vcpuid) continue; int i; - unsigned char *cpumap = NULL; - - if (VIR_ALLOC_N(cpumap, cpumaplen) < 0) { - virReportOOMError(); - return -1; - } + memset(cpumap, 0, cpumaplen); cpumask = (unsigned char *)def->cputune.vcpupin[vcpu]->cpumask; vcpupid = priv->vcpupids[vcpu]; @@ -1249,11 +1251,14 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, cpumap, cpumaplen, maxcpu) < 0) { - return -1; + goto cleanup; } } - return 0; + ret = 0; +cleanup: + VIR_FREE(cpumap); + return ret; } static int -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:07:59PM -0600, Eric Blake wrote:
Detected by Coverity. This leaked a cpumap on every iteration of the loop. Leak introduced in commit 1cc4d02 (v0.9.0).
* src/qemu/qemu_process.c (qemuProcessSetVcpuAffinites): Plug leak, and hoist allocation outside loop. --- src/qemu/qemu_process.c | 21 +++++++++++++-------- 1 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 116253e..f175d50 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1195,6 +1195,8 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, pid_t vcpupid; unsigned char *cpumask; int vcpu, cpumaplen, hostcpus, maxcpu; + unsigned char *cpumap = NULL; + int ret = -1;
if (virNodeGetInfo(conn, &nodeinfo) != 0) { return -1; @@ -1216,18 +1218,18 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, if (maxcpu > hostcpus) maxcpu = hostcpus;
+ if (VIR_ALLOC_N(cpumap, cpumaplen) < 0) { + virReportOOMError(); + return -1; + } + for (vcpu = 0; vcpu < def->cputune.nvcpupin; vcpu++) { if (vcpu != def->cputune.vcpupin[vcpu]->vcpuid) continue;
int i; - unsigned char *cpumap = NULL; - - if (VIR_ALLOC_N(cpumap, cpumaplen) < 0) { - virReportOOMError(); - return -1; - }
+ memset(cpumap, 0, cpumaplen); cpumask = (unsigned char *)def->cputune.vcpupin[vcpu]->cpumask; vcpupid = priv->vcpupids[vcpu];
@@ -1249,11 +1251,14 @@ qemuProcessSetVcpuAffinites(virConnectPtr conn, cpumap, cpumaplen, maxcpu) < 0) { - return -1; + goto cleanup; } }
- return 0; + ret = 0; +cleanup: + VIR_FREE(cpumap); + return ret; }
Whoops !!! ACK, better to allocate out of the loop, fix looks fine, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Detected by Coverity. Introduced in commit aaf2b70, and turned into a regression in the next few commits through 4e6e6672 (unreleased). * src/conf/domain_event.c (virDomainEventStateFree): Free object, per documentation. --- src/conf/domain_event.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c index 34a9d91..fabc1a5 100644 --- a/src/conf/domain_event.c +++ b/src/conf/domain_event.c @@ -1,7 +1,7 @@ /* * domain_event.c: domain event queue processing helpers * - * Copyright (C) 2010 Red Hat, Inc. + * Copyright (C) 2010-2011 Red Hat, Inc. * Copyright (C) 2008 VirtualIron * * This library is free software; you can redistribute it and/or @@ -555,6 +555,7 @@ virDomainEventStateFree(virDomainEventStatePtr state) if (state->timer != -1) virEventRemoveTimeout(state->timer); + VIR_FREE(state); } /** -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:08:00PM -0600, Eric Blake wrote:
Detected by Coverity. Introduced in commit aaf2b70, and turned into a regression in the next few commits through 4e6e6672 (unreleased).
* src/conf/domain_event.c (virDomainEventStateFree): Free object, per documentation. --- src/conf/domain_event.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c index 34a9d91..fabc1a5 100644 --- a/src/conf/domain_event.c +++ b/src/conf/domain_event.c @@ -1,7 +1,7 @@ /* * domain_event.c: domain event queue processing helpers * - * Copyright (C) 2010 Red Hat, Inc. + * Copyright (C) 2010-2011 Red Hat, Inc. * Copyright (C) 2008 VirtualIron * * This library is free software; you can redistribute it and/or @@ -555,6 +555,7 @@ virDomainEventStateFree(virDomainEventStatePtr state)
if (state->timer != -1) virEventRemoveTimeout(state->timer); + VIR_FREE(state); }
ACK, otherwise we leak in various ways from different drivers, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Coverity complained that infd could be -1 at the point where it is passed to write, when in reality, this code can only be reached if infd is non-negative. * src/util/command.c (virCommandProcessIO): Help out coverity. --- src/util/command.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/src/util/command.c b/src/util/command.c index a2f7ff6..b51bdcf 100644 --- a/src/util/command.c +++ b/src/util/command.c @@ -961,6 +961,9 @@ virCommandProcessIO(virCommandPtr cmd) } else { int done; + /* Coverity 5.3.0 can't see that we only get here if + * infd is in the set because it was non-negative. */ + sa_assert(infd != -1); done = write(infd, cmd->inbuf + inoff, inlen - inoff); if (done < 0) { -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:08:01PM -0600, Eric Blake wrote:
Coverity complained that infd could be -1 at the point where it is passed to write, when in reality, this code can only be reached if infd is non-negative.
* src/util/command.c (virCommandProcessIO): Help out coverity. --- src/util/command.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/src/util/command.c b/src/util/command.c index a2f7ff6..b51bdcf 100644 --- a/src/util/command.c +++ b/src/util/command.c @@ -961,6 +961,9 @@ virCommandProcessIO(virCommandPtr cmd) } else { int done;
+ /* Coverity 5.3.0 can't see that we only get here if + * infd is in the set because it was non-negative. */ + sa_assert(infd != -1); done = write(infd, cmd->inbuf + inoff, inlen - inoff); if (done < 0) {
ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
* src/remote/remote_driver.c (remoteGenericOpen): Help coverity. --- src/remote/remote_driver.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 14c3d24..fcb4c14 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -2547,8 +2547,13 @@ remoteGenericOpen(virConnectPtr conn, virConnectAuthPtr auth, struct private_data *priv; int ret; ret = remoteOpenSecondaryDriver(conn, auth, flags, &priv); - if (ret == VIR_DRV_OPEN_SUCCESS) + if (ret == VIR_DRV_OPEN_SUCCESS) { *genericPrivateData = priv; + } else { + /* Coverity 5.3.0 missed that remoteOpenSecondaryDriver + * guarantees priv is clean on failure. */ + sa_assert(!priv); + } return ret; } } -- 1.7.4.4
Coverity couldn't see that priv is clean on failure. But on failure, we might as well guarantee that callers don't try to free uninitialized memory. * src/remote/remote_driver.c (remoteGenericOpen): Even on failure, pass priv back to caller. --- In reading my own mail, I decided that patch 10 can be made simpler. v2: rewrite to avoid sa_assert and be more robust. src/remote/remote_driver.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 14c3d24..8335a1a 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -2545,10 +2545,8 @@ remoteGenericOpen(virConnectPtr conn, virConnectAuthPtr auth, * use the UNIX transport. This handles Xen driver * which doesn't have its own impl of the network APIs. */ struct private_data *priv; - int ret; - ret = remoteOpenSecondaryDriver(conn, auth, flags, &priv); - if (ret == VIR_DRV_OPEN_SUCCESS) - *genericPrivateData = priv; + int ret = remoteOpenSecondaryDriver(conn, auth, flags, &priv); + *genericPrivateData = priv; return ret; } } -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:24:25PM -0600, Eric Blake wrote:
Coverity couldn't see that priv is clean on failure. But on failure, we might as well guarantee that callers don't try to free uninitialized memory.
* src/remote/remote_driver.c (remoteGenericOpen): Even on failure, pass priv back to caller. ---
In reading my own mail, I decided that patch 10 can be made simpler.
v2: rewrite to avoid sa_assert and be more robust.
src/remote/remote_driver.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 14c3d24..8335a1a 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -2545,10 +2545,8 @@ remoteGenericOpen(virConnectPtr conn, virConnectAuthPtr auth, * use the UNIX transport. This handles Xen driver * which doesn't have its own impl of the network APIs. */ struct private_data *priv; - int ret; - ret = remoteOpenSecondaryDriver(conn, auth, flags, &priv); - if (ret == VIR_DRV_OPEN_SUCCESS) - *genericPrivateData = priv; + int ret = remoteOpenSecondaryDriver(conn, auth, flags, &priv); + *genericPrivateData = priv; return ret; } }
I really prefer the second version, ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
Detected by Coverity. Bug introduced in 08106e2044 (unreleased). * src/conf/domain_conf.c (virDomainChannelDefCheckABIStability): Use correct sizeof operand. --- src/conf/domain_conf.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 9975bca..0d9fef4 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7269,7 +7269,8 @@ static bool virDomainChannelDefCheckABIStability(virDomainChrDefPtr src, } break; case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD: - if (memcmp(src->target.addr, dst->target.addr, sizeof(src->target.addr)) != 0) { + if (memcmp(src->target.addr, dst->target.addr, + sizeof(*src->target.addr)) != 0) { char *saddr = virSocketFormatAddrFull(src->target.addr, true, ":"); char *daddr = virSocketFormatAddrFull(dst->target.addr, true, ":"); virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, -- 1.7.4.4
On Thu, Jun 02, 2011 at 05:42:27PM -0600, Eric Blake wrote:
Detected by Coverity. Bug introduced in 08106e2044 (unreleased).
* src/conf/domain_conf.c (virDomainChannelDefCheckABIStability): Use correct sizeof operand. --- src/conf/domain_conf.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 9975bca..0d9fef4 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -7269,7 +7269,8 @@ static bool virDomainChannelDefCheckABIStability(virDomainChrDefPtr src, } break; case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD: - if (memcmp(src->target.addr, dst->target.addr, sizeof(src->target.addr)) != 0) { + if (memcmp(src->target.addr, dst->target.addr, + sizeof(*src->target.addr)) != 0) { char *saddr = virSocketFormatAddrFull(src->target.addr, true, ":"); char *daddr = virSocketFormatAddrFull(dst->target.addr, true, ":"); virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
Oops, good catch !!! ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
participants (2)
-
Daniel Veillard -
Eric Blake