[PATCH] hyperv: Avoid memleak in hypervDomainDefParsePhysicalDisk

Fri, 06 Feb 2026 05:33:02 -0800 

From: Michal Privoznik <[email protected]>

When parsing a physical disk, the @hostResouce is escaped once
with the retval being stored into @hostEscaped. Then, it's
escaped again, but the retval is stored into the very same
variable, leading to a leak where intermediate value is lost.

256 bytes in 1 blocks are definitely lost in loss record 469 of 483
   at 0x49543A0: realloc (vg_replace_malloc.c:1804)
   by 0x516C251: g_realloc (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x518BB7E: g_string_expand (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x518BFF9: g_string_insert_len (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x4A58B5F: g_string_append_len_inline (gstring.h:247)
   by 0x4A58B5F: virBufferAdd (virbuffer.c:164)
   by 0x4AFDA71: virStringReplace (virstring.c:708)
   by 0x4DA4381: hypervDomainDefParsePhysicalDisk (hyperv_driver.c:1375)
   by 0x4DA4A18: hypervDomainDefParseStorage (hyperv_driver.c:1487)
   by 0x4DA9E31: hypervDomainGetXMLDesc (hyperv_driver.c:2761)
   by 0x4DFB3E5: virDomainGetXMLDesc (libvirt-domain.c:2898)
   by 0x406D39B: cmdDumpXML (virsh-domain.c:10787)
   by 0x40B13B1: vshCommandRun (vsh.c:1383)

Signed-off-by: Michal Privoznik <[email protected]>
---
 src/hyperv/hyperv_driver.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/hyperv/hyperv_driver.c b/src/hyperv/hyperv_driver.c
index 8dd56f39dc..203bbeb8a5 100644
--- a/src/hyperv/hyperv_driver.c
+++ b/src/hyperv/hyperv_driver.c
@@ -1351,6 +1351,7 @@ hypervDomainDefParsePhysicalDisk(hypervPrivate *priv,
     virDomainDiskDef *disk = NULL;
     char **hostResource = entry->data->HostResource.data;
     g_autofree char *hostEscaped = NULL;
+    g_autofree char *hostEscapedTwice = NULL;
     g_autofree char *driveNumberStr = NULL;
     g_auto(virBuffer) query = VIR_BUFFER_INITIALIZER;
     int addr = -1, ctrlr_idx = -1;
@@ -1373,12 +1374,12 @@ hypervDomainDefParsePhysicalDisk(hypervPrivate *priv,
 
     /* Query Msvm_DiskDrive for the DriveNumber */
     hostEscaped = virStringReplace(*hostResource, "\\\"", "\"");
-    hostEscaped = virStringReplace(hostEscaped, "\\", "\\\\");
+    hostEscapedTwice = virStringReplace(hostEscaped, "\\", "\\\\");
 
     /* quotes must be preserved, so virBufferEscapeSQL can't be used */
     virBufferAsprintf(&query,
                       MSVM_DISKDRIVE_WQL_SELECT "WHERE __PATH='%s'",
-                      hostEscaped);
+                      hostEscapedTwice);
 
     if (hypervGetWmiClass(Msvm_DiskDrive, &diskdrive) < 0)
         goto cleanup;
-- 
2.52.0

Reply via email to