path: root/results/classifier/zero-shot/108/other/2845
blob: 59d6515d09b756d21b7f8af80e5539a4dc689094
device: 0.812
PID: 0.684
performance: 0.678
graphic: 0.662
socket: 0.566
network: 0.547
vnc: 0.537
files: 0.490
other: 0.490
boot: 0.461
permissions: 0.445
semantic: 0.418
KVM: 0.339
debug: 0.277

memory leak in virtio-pci devices
Description of problem:
The Use-After-Free bug mentioned by #2440 **has not been solved**, but the same crash is not reproducible in later versions. After reviewing the code, I found that an initialized address space `proxy->modern_cfg_mem_as`, introduced by `55fa4be` in `virtio_pci@hw/virtio/virtio-pci.c`, will not be destroyed if the later realization fails.
This will cause a memory leak of the device object, which has an unused reference and will not be destroyed.

Relevant code in `virtio_pci_realize@virtio-pci.c`:

```c
/* subclasses can enforce modern, so do this unconditionally */
memory_region_init(&proxy->modern_bar, OBJECT(proxy), "virtio-pci",
                    /* PCI BAR regions must be powers of 2 */
                    pow2ceil(proxy->notify.offset + proxy->notify.size));

address_space_init(&proxy->modern_cfg_mem_as, &proxy->modern_bar,
                    "virtio-pci-cfg-mem-as");

if (proxy->disable_legacy == ON_OFF_AUTO_AUTO) {
    proxy->disable_legacy = pcie_port ? ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
}
```
Steps to reproduce:
```bash
cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
```

**This will cause a UAF report in version `9.0.2`, but will not in `9.2.0`,** despite the bug still existing in the code.
Additional information:
For the ASAN report, please refer to #2440.
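
The leak pattern the report describes, as an added C model that is not QEMU code and not part of the original report. `Device`, `as_init`, `as_destroy`, `realize_leaky`, `realize_fixed` and `refs_after_failed_add` are hypothetical names, and the model assumes the address space holds one reference on its owning device until it is destroyed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy device: refs models the object's reference count (hypothetical type). */
typedef struct Device { int refs; bool as_live; } Device;

/* Assumption: initializing the address space pins the owner with one ref. */
static void as_init(Device *d) { d->refs++; d->as_live = true; }

/* Destroying it releases that ref; safe to call when never initialized. */
static void as_destroy(Device *d)
{
    if (d->as_live) { d->refs--; d->as_live = false; }
}

/* Shape of the reported realize path: the address space is set up
 * unconditionally, then a later step can fail with no unwind. */
static bool realize_leaky(Device *d, bool later_step_ok)
{
    as_init(d);
    if (!later_step_ok)
        return false;           /* address space still pins the device */
    return true;
}

/* Same flow, but the failure path tears down what it initialized. */
static bool realize_fixed(Device *d, bool later_step_ok)
{
    as_init(d);
    if (!later_step_ok) {
        as_destroy(d);
        return false;
    }
    return true;
}

/* Create a device, fail its realize, drop the creator's reference.
 * Returns the references still outstanding: 0 means it can be freed. */
int refs_after_failed_add(bool use_fixed)
{
    Device d = { .refs = 1, .as_live = false };
    bool ok = use_fixed ? realize_fixed(&d, false) : realize_leaky(&d, false);
    if (!ok)
        d.refs--;               /* caller gives up its reference on failure */
    return d.refs;
}

int main(void)
{
    printf("leaky: %d ref(s) left, fixed: %d ref(s) left\n",
           refs_after_failed_add(false), refs_after_failed_add(true));
    return 0;
}
```

A nonzero count after a failed add means the object is never finalized, which is a leak even when no sanitizer reports a use-after-free.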