[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 1/2] xc_core_arch_map_p2m_tree_rw: fix memory leak


  • To: Edwin Török <edvin.torok@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 24 Feb 2023 14:56:01 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=y/oaELvFBpy6DwLcgD6jhADRmlgUKUV1FmnIE6QgsK8=; b=iDiqWB/dPQtzklQ0vL58Ena6pytA1Ob88NcOmDcQGrA8St7Bw7V2LBWFozDS1NNC7LOCQ4phV2YrZ2wEtU4/52nITfRKJIbFpV6JR5CNBG6NymBKGwMMpAcqyUfdGOh0nZKtG+yhanvoNQzOuLzU/FTNtUi3uI1jx0yD1/lFA9GWpauy6ZfO3WhZv5aiPfVoxznPqLmcr/ZAtjyaBfQ4jVLkKU8laJSD00pGgQlVu01bpTifMHdn2JEBcB0GutmXMfMVCrFGqCz/fcec0BlfipM3usQYHjaVCtVcq96qIvrbg1as9vL2aNMurUYTYbcXPwk0qIrfpjUVHb0ehze+HQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LKx3Gy70ZjyLer/Zn6Qm3Kjou4bbaQc9jV3zQLZr5aPuFxdqxeepar6zsPCD4w5isYA+ToXo1M42UfR3v9MQYN35+LOD892L5naJJcJp+j7YhAwQXG5db31N7bDZFEaNOuCRUEmdEF6ZcaEtXVFWEkGg6/uXmXBoBqaTNYnIls+dk1ssqnQw1XIAjLHSmkmHHPuxNyyqTaEaRsisz/U5MRdkn58voAqzLtdbXZbRI0FDQnp1ibgnHQfRi4GRPewc1hqsmUtigD24xBbS9WoNflMKl0iUTPUqA/aUH0OuLRGwlRaZCfqG7cDHm/SGepunYZbVNXlQOxhCFBuveGvCYA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Edwin Török <edwin.torok@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>
  • Delivery-date: Fri, 24 Feb 2023 14:56:31 +0000
  • Ironport-data: A9a23:S4DwDa1xTX/fMn65KfbD5etwkn2cJEfYwER7XKvMYLTBsI5bpzEPy WdNDD3UO66KZDD9eI8iO4nkpEkGvZWGm9QwHAdopC1hF35El5HIVI+TRqvS04F+DeWYFR46s J9OAjXkBJppJpMJjk71atANlVEliefTAOK6ULWeUsxIbVcMYD87jh5+kPIOjIdtgNyoayuAo tq3qMDEULOf82cc3lk8tuTS93uDgNyo4GlD5gZkOagQ1LPjvyJ94Kw3dPnZw0TQGuG4LsbiL 87fwbew+H/u/htFIrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRrukoPD9IOaF8/ttm8t4sZJ OOhF3CHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqFvnrSFL/hGVSkL0YMkFulfRkcW3 9EdFAA3LU6up/jvxo29b7dNiZF2RCXrFNt3VnBI6xj8VKxjbbWdBqLA6JlfwSs6gd1IEbDGf c0FZDFzbRPGJRpSJlMQD5F4l+Ct7pX9W2QA9BTJ+uxqsi6Kk1AZPLvFabI5fvSjQ8lPk1nej WXB52njWTkRNcCFyCrD+XWp7gPKtXqjANJOSuXpppaGhnW4wlQ6FAIvaGCbqPiLo1/kespbd EAbr39GQa8asRbDosPGdw21pjuIswARX/JUEvYm80edx6zM+QGbC2MYCDlbZ7QOucMpRDpsy liTmNDBDjhorbHTQnWYnp+LqRuiNC5TKnUNDQcGQhEC+MLLu5wog1TESdMLLUKuptj8GDW1z zXUqiE73u8XlZRSiPn9+k3biTWxoJSPVhQy+gjcQmOi6EV+eZKhYIurr1Pc6J6sMbqkc7VIh 1Bc8+D20QzEJcvlePClKAnVIIyU2g==
  • Ironport-hdrordr: A9a23:WfFp56o0gxYvWFLIdSBXooYaV5s2LNV00zEX/kB9WHVpm5Oj+v xGzc5w6farsl0ssREb9uxo9pPwJ080hqQFhbX5Wo3SITUO2VHYVr2KiLGP/9SOIVycygcw79 YZT0E6MqyKMbEYt7eF3ODbKbYdKbC8mcjH5Ns2jU0dND2CA5sQkDuRYTzrd3GeKjM2YqbRWK DshPau8FGbCAgqh4mAdzE4t6+pnay4qLvWJTo9QzI34giHij2lrJb8Dhijxx8bFx9f3Ls49m DBsgrhooGuqeuyxBPw33Laq80+oqqs9vJzQOi3zuQFIDTljQilIKxnRr25pTgw5M2/9Vowl9 HIghE4e+B+8WnYcG2ZqQbknyPgzDEtwXn/zkLwuwqvneXJABYBT+ZRj4NQdRXUr2ImodFHya pOm0aUrYBeAx/slDn0o4GgbWAhqmOE5V4Z1cIDhX1WVoUTLJdXsIwk5UtQVLMNBjjz5owLGP RnSOvc+PFVW1WHaG2xhBgl/PWcGlAIWjuWSEkLvcKYlxBQgXBC1kMdgPcSm38RnahNPKVs1q DhCOBFhbtORsgZYeZWH+EaW/a6DWTLXFblLH+SCU6PLtBGB1v977rMpJkl7uCjf5IFiLEono 7abV9evWkuP2rzFMy12oFR+BylehT9Yd3U8LAd23FFgMy4eFKyWhfzDGzG0vHQ7cn3O/erGM paY/ltcrjexWiHI/c84+SxYegVFZAkarxnhj8KYSP+niv1EPybigX6SoekGFO/K0dsZkrPRl 0+YRPUGOJsqmiWZ16QummlZ5qqQD2xwa5N
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 24/02/2023 1:36 pm, Edwin Török wrote:
> From: Edwin Török <edwin.torok@xxxxxxxxx>
>
> Prior to bd7a29c3d0 'out' would've always been executed and memory
> freed, but that commit changed it such that it returns early and leaks.
>
> Found using gcc 12.2.1 `-fanalyzer`:
> ```
> xg_core_x86.c: In function ‘xc_core_arch_map_p2m_tree_rw’:
> xg_core_x86.c:300:5: error: leak of ‘p2m_frame_list_list’ [CWE-401] 
> [-Werror=analyzer-malloc-leak]
>   300 |     return p2m_frame_list;
>       |     ^~~~~~
>   ‘xc_core_arch_map_p2m_writable’: events 1-2
>     |
>     |  378 | xc_core_arch_map_p2m_writable(xc_interface *xch, struct 
> domain_info_context *dinfo, xc_dominfo_t *info,
>     |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     |      | |
>     |      | (1) entry to ‘xc_core_arch_map_p2m_writable’
>     |......
>     |  381 |     return xc_core_arch_map_p2m_rw(xch, dinfo, info, 
> live_shinfo, live_p2m, 1);
>     |      |            
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     |      |            |
>     |      |            (2) calling ‘xc_core_arch_map_p2m_rw’ from 
> ‘xc_core_arch_map_p2m_writable’
>     |
>     +--> ‘xc_core_arch_map_p2m_rw’: events 3-10
>            |
>            |  319 | xc_core_arch_map_p2m_rw(xc_interface *xch, struct 
> domain_info_context *dinfo, xc_dominfo_t *info,
>            |      | ^~~~~~~~~~~~~~~~~~~~~~~
>            |      | |
>            |      | (3) entry to ‘xc_core_arch_map_p2m_rw’
>            |......
>            |  328 |     if ( xc_domain_nr_gpfns(xch, info->domid, 
> &dinfo->p2m_size) < 0 )
>            |      |        ~
>            |      |        |
>            |      |        (4) following ‘false’ branch...
>            |......
>            |  334 |     if ( dinfo->p2m_size < info->nr_pages  )
>            |      |     ~~ ~
>            |      |     |  |
>            |      |     |  (6) following ‘false’ branch...
>            |      |     (5) ...to here
>            |......
>            |  340 |     p2m_cr3 = GET_FIELD(live_shinfo, arch.p2m_cr3, 
> dinfo->guest_width);
>            |      |     ~~~~~~~
>            |      |     |
>            |      |     (7) ...to here
>            |  341 |
>            |  342 |     p2m_frame_list = p2m_cr3 ? 
> xc_core_arch_map_p2m_list_rw(xch, dinfo, dom, live_shinfo, p2m_cr3)
>            |      |                      
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>            |  343 |                              : 
> xc_core_arch_map_p2m_tree_rw(xch, dinfo, dom, live_shinfo);
>            |      |                              
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>            |      |                              | |
>            |      |                              | (9) ...to here
>            |      |                              | (10) calling 
> ‘xc_core_arch_map_p2m_tree_rw’ from ‘xc_core_arch_map_p2m_rw’
>            |      |                              (8) following ‘false’ 
> branch...
>            |
>            +--> ‘xc_core_arch_map_p2m_tree_rw’: events 11-24
>                   |
>                   |  228 | xc_core_arch_map_p2m_tree_rw(xc_interface *xch, 
> struct domain_info_context *dinfo,
>                   |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                   |      | |
>                   |      | (11) entry to ‘xc_core_arch_map_p2m_tree_rw’
>                   |......
>                   |  245 |     if ( !live_p2m_frame_list_list )
>                   |      |        ~
>                   |      |        |
>                   |      |        (12) following ‘false’ branch (when 
> ‘live_p2m_frame_list_list’ is non-NULL)...
>                   |......
>                   |  252 |     if ( !(p2m_frame_list_list = 
> malloc(PAGE_SIZE)) )
>                   |      |     ~~ ~                         ~~~~~~~~~~~~~~~~~
>                   |      |     |  |                         |
>                   |      |     |  |                         (14) allocated 
> here
>                   |      |     |  (15) assuming ‘p2m_frame_list_list’ is 
> non-NULL
>                   |      |     |  (16) following ‘false’ branch (when 
> ‘p2m_frame_list_list’ is non-NULL)...
>                   |      |     (13) ...to here
>                   |......
>                   |  257 |     memcpy(p2m_frame_list_list, 
> live_p2m_frame_list_list, PAGE_SIZE);
>                   |      |     ~~~~~~
>                   |      |     |
>                   |      |     (17) ...to here
>                   |......
>                   |  266 |     else if ( dinfo->guest_width < sizeof(unsigned 
> long) )
>                   |      |             ~
>                   |      |             |
>                   |      |             (18) following ‘false’ branch...
>                   |......
>                   |  270 |     live_p2m_frame_list =
>                   |      |     ~~~~~~~~~~~~~~~~~~~
>                   |      |     |
>                   |      |     (19) ...to here
>                   |......
>                   |  275 |     if ( !live_p2m_frame_list )
>                   |      |        ~
>                   |      |        |
>                   |      |        (20) following ‘false’ branch (when 
> ‘live_p2m_frame_list’ is non-NULL)...
>                   |......
>                   |  282 |     if ( !(p2m_frame_list = 
> malloc(P2M_TOOLS_FL_SIZE)) )
>                   |      |     ~~ ~
>                   |      |     |  |
>                   |      |     |  (22) following ‘false’ branch (when 
> ‘p2m_frame_list’ is non-NULL)...
>                   |      |     (21) ...to here
>                   |......
>                   |  287 |     memset(p2m_frame_list, 0, P2M_TOOLS_FL_SIZE);
>                   |      |     ~~~~~~
>                   |      |     |
>                   |      |     (23) ...to here
>                   |......
>                   |  300 |     return p2m_frame_list;
>                   |      |     ~~~~~~
>                   |      |     |
>                   |      |     (24) ‘p2m_frame_list_list’ leaks here; was 
> allocated at (14)
>                   |
> ```
> Fixes: bd7a29c3d0 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support 
> linear p2m table")
>
> Signed-off-by: Edwin Török <edwin.torok@xxxxxxxxx>
> ---
>  tools/libs/guest/xg_core_x86.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/tools/libs/guest/xg_core_x86.c b/tools/libs/guest/xg_core_x86.c
> index 61106b98b8..69929879d7 100644
> --- a/tools/libs/guest/xg_core_x86.c
> +++ b/tools/libs/guest/xg_core_x86.c
> @@ -297,6 +297,8 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct 
> domain_info_context *dinf
>  
>      dinfo->p2m_frames = P2M_FL_ENTRIES;
>  
> +    free(p2m_frame_list_list);
> +
>      return p2m_frame_list;
>  
>   out:

I agree there are problems here, but I think they're larger still.  The
live_p2m_frame_list_list and live_p2m_frame_list foreign mappings are
leaked too on the success path.

I think this is the necessary fix:

~Andrew

----8<----

diff --git a/tools/libs/guest/xg_core_x86.c b/tools/libs/guest/xg_core_x86.c
index 61106b98b877..c5e4542ccccc 100644
--- a/tools/libs/guest/xg_core_x86.c
+++ b/tools/libs/guest/xg_core_x86.c
@@ -229,11 +229,11 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
struct domain_info_context *dinf
                              uint32_t dom, shared_info_any_t *live_shinfo)
 {
     /* Double and single indirect references to the live P2M table */
-    xen_pfn_t *live_p2m_frame_list_list;
+    xen_pfn_t *live_p2m_frame_list_list = NULL;
     xen_pfn_t *live_p2m_frame_list = NULL;
     /* Copies of the above. */
     xen_pfn_t *p2m_frame_list_list = NULL;
-    xen_pfn_t *p2m_frame_list;
+    xen_pfn_t *p2m_frame_list = NULL;
 
     int err;
     int i;
@@ -297,8 +297,6 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
struct domain_info_context *dinf
 
     dinfo->p2m_frames = P2M_FL_ENTRIES;
 
-    return p2m_frame_list;
-
  out:
     err = errno;
 
@@ -312,7 +310,7 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch,
struct domain_info_context *dinf
 
     errno = err;
 
-    return NULL;
+    return p2m_frame_list;
 }
 
 static int




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.