Merge pull request #226 from flaviojs/fix-null-dereference-m_memalign

Fix NULL dereferences from NULL m_memalign values.
GNS3 · Apr 4, 2024 · 7d0108c · 7d0108c
2 parents c31cdab + ae750f2
commit 7d0108c
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 13 deletions.
diff --git a/stable/mips64_jit.c b/stable/mips64_jit.c
@@ -109,7 +109,10 @@ int mips64_jit_init(cpu_mips_t *cpu)
 
    /* Physical mapping for executable pages */
    len = MIPS_JIT_PC_HASH_SIZE * sizeof(void *);
-   cpu->exec_blk_map = m_memalign(4096,len);
+   if (!(cpu->exec_blk_map = m_memalign(4096,len))) {
+      perror("mips64_jit_init: exec_blk_map");
+      goto err_exec_blk_map;
+   }
    memset(cpu->exec_blk_map,0,len);
 
    /* Get area size */
@@ -124,7 +127,7 @@ int mips64_jit_init(cpu_mips_t *cpu)
       fprintf(stderr,
               "mips64_jit_init: unable to create exec area (size %lu)\n",
               (u_long)cpu->exec_page_area_size);
-      return(-1);
+      goto err_exec_page_area;
    }
 
    /* Carve the executable page area */
@@ -135,7 +138,7 @@ int mips64_jit_init(cpu_mips_t *cpu)
 
    if (!cpu->exec_page_array) {
       fprintf(stderr,"mips64_jit_init: unable to create exec page array\n");
-      return(-1);
+      goto err_exec_page_array;
    }
 
    for(i=0,cp_addr=cpu->exec_page_area;i<cpu->exec_page_count;i++) {
@@ -153,6 +156,15 @@ int mips64_jit_init(cpu_mips_t *cpu)
           (u_long)(cpu->exec_page_area_size / 1048576),
           (u_long)cpu->exec_page_count,MIPS_JIT_BUFSIZE / 1024);
    return(0);
+
+err_exec_page_array:
+   memzone_unmap(cpu->exec_page_area, cpu->exec_page_area_size);
+   cpu->exec_page_area = NULL;
+err_exec_page_area:
+   free(cpu->exec_blk_map);
+   cpu->exec_blk_map = NULL;
+err_exec_blk_map:
+   return(-1);
 }
 
 /* Flush the JIT */

diff --git a/stable/ppc32_jit.c b/stable/ppc32_jit.c
@@ -79,12 +79,18 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
 
    /* JIT mapping for executable pages */
    len = PPC_JIT_IA_HASH_SIZE * sizeof(void *);
-   cpu->exec_blk_map = m_memalign(4096,len);
+   if (!(cpu->exec_blk_map = m_memalign(4096,len))) {
+      perror("ppc32_jit_init: exec_blk_map");
+      goto err_exec_blk_map;
+   }
    memset(cpu->exec_blk_map,0,len);
 
    /* Physical mapping for executable pages */
    len = PPC_JIT_PHYS_HASH_SIZE * sizeof(void *);
-   cpu->exec_phys_map = m_memalign(4096,len);
+   if (!(cpu->exec_phys_map = m_memalign(4096,len))) {
+      perror("ppc32_jit_init: exec_phys_map");
+      goto err_exec_phys_map;
+   }
    memset(cpu->exec_phys_map,0,len);
 
    /* Get area size */
@@ -99,7 +105,7 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
       fprintf(stderr,
               "ppc32_jit_init: unable to create exec area (size %lu)\n",
               (u_long)cpu->exec_page_area_size);
-      return(-1);
+      goto err_exec_page_area;
    }
 
    /* Carve the executable page area */
@@ -110,7 +116,7 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
 
    if (!cpu->exec_page_array) {
       fprintf(stderr,"ppc32_jit_init: unable to create exec page array\n");
-      return(-1);
+      goto err_exec_page_array;
    }
 
    for(i=0,cp_addr=cpu->exec_page_area;i<cpu->exec_page_count;i++) {
@@ -128,6 +134,18 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
           (u_long)(cpu->exec_page_area_size / 1048576),
           (u_long)cpu->exec_page_count,PPC_JIT_BUFSIZE / 1024);
    return(0);
+
+err_exec_page_array:
+   memzone_unmap(cpu->exec_page_area, cpu->exec_page_area_size);
+   cpu->exec_page_area = NULL;
+err_exec_page_area:
+   free(cpu->exec_phys_map);
+   cpu->exec_phys_map = NULL;
+err_exec_phys_map:
+   free(cpu->exec_blk_map);
+   cpu->exec_blk_map = NULL;
+err_exec_blk_map:
+   return(-1);
 }
 
 /* Flush the JIT */

diff --git a/unstable/ppc32_jit.c b/unstable/ppc32_jit.c
@@ -79,12 +79,18 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
 
    /* Virtual address mapping for TCB */
    len = PPC_JIT_VIRT_HASH_SIZE * sizeof(void *);
-   cpu->tcb_virt_hash = m_memalign(4096,len);
+   if (!(cpu->tcb_virt_hash = m_memalign(4096,len))) {
+      perror("ppc32_jit_init: tcb_virt_hash");
+      goto err_tcb_virt_hash;
+   }
    memset(cpu->tcb_virt_hash,0,len);
 
    /* Physical address mapping for TCB */
    len = PPC_JIT_PHYS_HASH_SIZE * sizeof(void *);
-   cpu->tcb_phys_hash = m_memalign(4096,len);
+   if (!(cpu->tcb_phys_hash = m_memalign(4096,len))) {
+      perror("ppc32_jit_init: tcb_phys_hash");
+      goto err_tcb_phys_hash;
+   }
    memset(cpu->tcb_phys_hash,0,len);
 
    /* Get area size */
@@ -99,7 +105,7 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
       fprintf(stderr,
               "ppc32_jit_init: unable to create exec area (size %lu)\n",
               (u_long)cpu->exec_page_area_size);
-      return(-1);
+      goto err_exec_page_area;
    }
 
    /* Carve the executable page area */
@@ -110,7 +116,7 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
 
    if (!cpu->exec_page_array) {
       fprintf(stderr,"ppc32_jit_init: unable to create exec page array\n");
-      return(-1);
+      goto err_exec_page_array;
    }
 
    for(i=0,cp_addr=cpu->exec_page_area;i<cpu->exec_page_count;i++) {
@@ -128,6 +134,18 @@ int ppc32_jit_init(cpu_ppc_t *cpu)
           (u_long)(cpu->exec_page_area_size / 1048576),
           (u_long)cpu->exec_page_count,PPC_JIT_BUFSIZE / 1024);
    return(0);
+
+err_exec_page_array:
+   memzone_unmap(cpu->exec_page_area, cpu->exec_page_area_size);
+   cpu->exec_page_area = NULL;
+err_exec_page_area:
+   free(cpu->tcb_phys_hash);
+   cpu->tcb_phys_hash = NULL;
+err_tcb_phys_hash:
+   free(cpu->tcb_virt_hash);
+   cpu->tcb_virt_hash = NULL;
+err_tcb_virt_hash:
+   return(-1);
 }
 
 /* Flush the JIT */

diff --git a/unstable/tcb.c b/unstable/tcb.c
@@ -786,15 +786,27 @@ int cpu_jit_init(cpu_gen_t *cpu,size_t virt_hash_size,size_t phys_hash_size)
 
    /* Virtual address mapping for TCB */
    len = virt_hash_size * sizeof(void *);
-   cpu->tb_virt_hash = m_memalign(4096,len);
+   if (!(cpu->tb_virt_hash = m_memalign(4096,len))) {
+      perror("cpu_jit_init: tb_virt_hash");
+      goto err_tb_virt_hash;
+   }
    memset(cpu->tb_virt_hash,0,len);
 
    /* Physical address mapping for TCB */
    len = phys_hash_size * sizeof(void *);
-   cpu->tb_phys_hash = m_memalign(4096,len);
+   if (!(cpu->tb_phys_hash = m_memalign(4096,len))) {
+      perror("cpu_jit_init: tb_phys_hash");
+      goto err_tb_phys_hash;
+   }
    memset(cpu->tb_phys_hash,0,len);
 
    return(0);
+
+err_tb_phys_hash:
+   free(cpu->tb_virt_hash);
+   cpu->tb_virt_hash = NULL;
+err_tb_virt_hash:
+   return(-1);
 }
 
 /* Shutdown the JIT structures of a CPU */