On Tue, Oct 21, 2025 at 04:34:32PM +0100, Peter Maydell wrote:
> On Fri, 3 Oct 2025 at 16:40, Peter Xu <[email protected]> wrote:
> >
> > From: Steve Sistare <[email protected]>
> >
> > Add the cpr-exec migration mode. Usage:
> > qemu-system-$arch -machine aux-ram-share=on ...
> > migrate_set_parameter mode cpr-exec
> > migrate_set_parameter cpr-exec-command \
> > <arg1> <arg2> ... -incoming <uri-1> \
> > migrate -d <uri-1>
>
> Hi; Coverity complains about this code (CID 1641397):
>
> > +static void cpr_exec_cb(void *opaque)
> > +{
> > + MigrationState *s = migrate_get_current();
> > + char **argv = strv_from_str_list(s->parameters.cpr_exec_command);
> > + Error *err = NULL;
> > +
> > + /*
> > + * Clear the close-on-exec flag for all preserved fd's. We cannot do
> > so
> > + * earlier because they should not persist across miscellaneous fork
> > and
> > + * exec calls that are performed during normal operation.
> > + */
> > + cpr_exec_preserve_fds();
> > +
> > + trace_cpr_exec();
> > + execvp(argv[0], argv);
> > +
> > + /*
> > + * exec should only fail if argv[0] is bogus, or has a permissions
> > problem,
> > + * or the system is very short on resources.
> > + */
> > + g_strfreev(argv);
>
> Here we free the argv array...
>
> > + cpr_exec_unpreserve_fds();
> > +
> > + error_setg_errno(&err, errno, "execvp %s failed", argv[0]);
>
> ...but here we read from the freed memory argv[0].
>
> Presumably we can just move the free down a bit ?
Yep, will change this to:
error_setg_errno(&err, errno, "execvp %s failed", argv[0]);
g_clear_pointer(&argv, g_strfreev);
--
Peter Xu
