id = 2845
title = "memory leak in virtio-pci devices"
state = "opened"
created_at = "2025-02-27T09:55:11.167Z"
closed_at = "n/a"
labels = ["device: PCI", "device:virtio"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2845"
host-os = "Ubuntu 22.04 LTS"
host-arch = "x86"
qemu-version = "9.2.0"
guest-os = "n/a"
guest-arch = "n/a"
description = """The Use-After-Free bug mentioned by #2440 **has not been solved**, but the same crash is not reproducable in the later versions. After reviewing the code, I found an initiailized address space `proxy->modern_cfg_mem_as` introduced by  [`55fa4be`](vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html "Inspect Commit Details") in `virtio_pci@hw/virtio/virtio-pci.c` will not be destroyed if the later realization is failed. 
This will cause memory leak of the device object, which has unused reference and will not be destroyed.

Relative Code in `virtio_pci_realize@virtio-pci.c`:

```c
/* subclasses can enforce modern, so do this unconditionally */
memory_region_init(&proxy->modern_bar, OBJECT(proxy), "virtio-pci",
                    /* PCI BAR regions must be powers of 2 */
                    pow2ceil(proxy->notify.offset + proxy->notify.size));

address_space_init(&proxy->modern_cfg_mem_as, &proxy->modern_bar,
                    "virtio-pci-cfg-mem-as");

if (proxy->disable_legacy == ON_OFF_AUTO_AUTO) {
    proxy->disable_legacy = pcie_port ? ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
}
```"""
reproduce = """```bash
cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
```

**This will cause UAF report in version `9.0.2`, but will not in `9.2.0`,** despite the bug still existing in code."""
additional = """For ASAN report, please refer to #2440."""