On 3/23/2026 4:45 PM, Stefan Weil wrote:
diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c
index e35983ad9bd..e474abf3a60 100644
--- a/target/i386/kvm/tdx.c
+++ b/target/i386/kvm/tdx.c
@@ -766,6 +766,106 @@ static uint32_t
tdx_adjust_cpuid_features(X86ConfidentialGuest *cg,
return value;
}
+static struct kvm_cpuid2 *tdx_fetch_cpuid(CPUState *cpu, int *ret)
+{
+ struct kvm_cpuid2 *fetch_cpuid;
+ int size = KVM_MAX_CPUID_ENTRIES;
+ Error *local_err = NULL;
+ int r;
+
+ do {
+ error_free(local_err);
+ local_err = NULL;
+
+ fetch_cpuid = g_malloc0(sizeof(*fetch_cpuid) +
+ sizeof(struct kvm_cpuid_entry2) * size);
+ fetch_cpuid->nent = size;
+ r = tdx_vcpu_ioctl(cpu, KVM_TDX_GET_CPUID, 0, fetch_cpuid,
&local_err);
+ if (r == -E2BIG) {
+ g_free(fetch_cpuid);
+ size = fetch_cpuid->nent;
I don't understand this code, and CodeQL on GitHub reports a use-after-free
here (and I think it is right).
Thanks for your report!
I just sent a fix for it:
https://lore.kernel.org/all/[email protected]/