Fix the UAF issue by reading the returned size before freeing the fetch_cpuid structure.
Link: https://lore.kernel.org/r/[email protected] Reported-by: Stefan Weil <[email protected]> Signed-off-by: Xiaoyao Li <[email protected]> --- target/i386/kvm/tdx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c index 4cae99c281ac..e578110df4da 100644 --- a/target/i386/kvm/tdx.c +++ b/target/i386/kvm/tdx.c @@ -847,8 +847,8 @@ static struct kvm_cpuid2 *tdx_fetch_cpuid(CPUState *cpu, int *ret) fetch_cpuid->nent = size; r = tdx_vcpu_ioctl(cpu, KVM_TDX_GET_CPUID, 0, fetch_cpuid, &local_err); if (r == -E2BIG) { - g_free(fetch_cpuid); size = fetch_cpuid->nent; + g_free(fetch_cpuid); } } while (r == -E2BIG); -- 2.43.0
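Review bot: In the `if (r == -E2BIG)` block the reorder is correct (KVM writes the required entry count into `fetch_cpuid->nent`, so it must be read before `g_free(fetch_cpuid)`), but the retry loop still has no guard that the returned `nent` is larger than the `size` just tried; if KVM reports -E2BIG without raising `nent`, `do { ... } while (r == -E2BIG)` never terminates, so consider bailing out when `fetch_cpuid->nent <= size` before reassigning `size`. The commit message also lacks a `Fixes:` tag for the commit that introduced the read-after-free, which stable backports of this UAF fix would want.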
