From 8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 21 Jul 2025 10:07:53 +0100 Subject: [PATCH] hw/misc/ivshmem-pci: Improve error handling Coverity points out that the ivshmem-pci code has some error handling cases where it incorrectly tries to use an invalid filedescriptor. These generally happen because ivshmem_recv_msg() calls qemu_chr_fe_get_msgfd(), which might return -1, but the code in process_msg() generally assumes that the file descriptor was provided when it was supposed to be. In particular: * the error case in process_msg() only needs to close the fd if one was provided * process_msg_shmem() should fail if no fd was provided Coverity: CID 1508726 Signed-off-by: Peter Maydell Reviewed-by: Markus Armbruster Message-id: 20250711145012.1521936-1-peter.maydell@linaro.org --- hw/misc/ivshmem-pci.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/misc/ivshmem-pci.c b/hw/misc/ivshmem-pci.c index 5a10bca633..d47ae739d6 100644 --- a/hw/misc/ivshmem-pci.c +++ b/hw/misc/ivshmem-pci.c @@ -479,6 +479,11 @@ static void process_msg_shmem(IVShmemState *s, int fd, Error **errp) struct stat buf; size_t size; + if (fd < 0) { + error_setg(errp, "server didn't provide fd with shared memory message"); + return; + } + if (s->ivshmem_bar2) { error_setg(errp, "server sent unexpected shared memory message"); close(fd); @@ -553,7 +558,9 @@ static void process_msg(IVShmemState *s, int64_t msg, int fd, Error **errp) if (msg < -1 || msg > IVSHMEM_MAX_PEERS) { error_setg(errp, "server sent invalid message %" PRId64, msg); - close(fd); + if (fd >= 0) { + close(fd); + } return; } -- 2.47.2