
[1/3] softmmu/ioport.c: allocate MemoryRegionPortioList ports on the heap

Message ID 20230419151652.362717-2-mark.cave-ayland@ilande.co.uk

Commit Message

Mark Cave-Ayland April 19, 2023, 3:16 p.m. UTC
In order to facilitate a conversion of MemoryRegionPortioList to a QOM object,
move the allocation of the MemoryRegionPortioList ports to the heap instead of
using a variable-length member at the end of the MemoryRegionPortioList
structure.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 softmmu/ioport.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Philippe Mathieu-Daudé April 20, 2023, 8:37 a.m. UTC | #1
On 19/4/23 17:16, Mark Cave-Ayland wrote:
> In order to facilitate a conversion of MemoryRegionPortioList to a QOM object
> move the allocation of MemoryRegionPortioList ports to the heap instead of
> using a variable-length member at the end of the MemoryRegionPortioList
> structure.
> 
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> ---
>   softmmu/ioport.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Patch

diff --git a/softmmu/ioport.c b/softmmu/ioport.c
index cb8adb0b93..d0d5b0bcaa 100644
--- a/softmmu/ioport.c
+++ b/softmmu/ioport.c
@@ -35,7 +35,7 @@ 
 typedef struct MemoryRegionPortioList {
     MemoryRegion mr;
     void *portio_opaque;
-    MemoryRegionPortio ports[];
+    MemoryRegionPortio *ports;
 } MemoryRegionPortioList;
 
 static uint64_t unassigned_io_read(void *opaque, hwaddr addr, unsigned size)
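Review bot: The new `ports` member is a separately owned heap allocation, but the struct declaration says nothing about ownership, lifetime or the zero-terminator that the callers rely on, which matters once this is turned into a QOM object and the free has to move into a finalizer. Within this patch the table is allocated in portio_list_add_1() with one spare entry that is memset to zero, and released in portio_list_destroy() right before the container itself. Suggest `MemoryRegionPortio *ports; /* heap-owned, zero-terminated; allocated in portio_list_add_1(), freed in portio_list_destroy() */` so the pairing is visible at the definition rather than only in the two call sites.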
@@ -147,6 +147,7 @@  void portio_list_destroy(PortioList *piolist)
     for (i = 0; i < piolist->nr; ++i) {
         mrpio = container_of(piolist->regions[i], MemoryRegionPortioList, mr);
         object_unparent(OBJECT(&mrpio->mr));
+        g_free(mrpio->ports);
         g_free(mrpio);
     }
     g_free(piolist->regions);
@@ -227,9 +228,9 @@  static void portio_list_add_1(PortioList *piolist,
     unsigned i;
 
     /* Copy the sub-list and null-terminate it.  */
-    mrpio = g_malloc0(sizeof(MemoryRegionPortioList) +
-                      sizeof(MemoryRegionPortio) * (count + 1));
+    mrpio = g_malloc0(sizeof(MemoryRegionPortioList));
     mrpio->portio_opaque = piolist->opaque;
+    mrpio->ports = g_malloc0(sizeof(MemoryRegionPortio) * (count + 1));
     memcpy(mrpio->ports, pio_init, sizeof(MemoryRegionPortio) * count);
     memset(mrpio->ports + count, 0, sizeof(MemoryRegionPortio));