From: Alex Bennée <[email protected]> While sanity checking a create blob operation the use of the auto freed res variable could lead to inadvertently freeing an existing blob.
Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as the value is not needed anyway. While at it add a comment to the end and use g_steal_pointer to make it clearer the object lifetime exceeds the function bounds if we pass all the checks. Fixes: CVE-2026-6502 Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands) Message-ID: [email protected] Reviewed-by: Manos Pitsidianakis <[email protected]> Cc: [email protected] Message-ID: <[email protected]> Signed-off-by: Alex Bennée <[email protected]> Reviewed-by: Dmitry Osipenko <[email protected]> (cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df) Signed-off-by: Michael Tokarev <[email protected]> diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index a65fca9c62..030b329d5a 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -708,8 +708,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, return; } - res = virtio_gpu_virgl_find_resource(g, cblob.resource_id); - if (res) { + if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", __func__, cblob.resource_id); cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID; @@ -762,8 +761,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, res->base.dmabuf_fd = info.fd; + /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */ QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next); - res = NULL; + g_steal_pointer(&res); } static void virgl_cmd_resource_map_blob(VirtIOGPU *g, -- 2.47.3
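Review bot: in the first hunk the result of virtio_gpu_virgl_find_resource() is now deliberately discarded, but nothing at the call site explains why, so a future cleanup could reintroduce `res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);` and with it the auto-free of a resource that is still on g->reslist. Suggest a one-line comment above the `if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {` check stating that the existing resource must not be assigned to the auto-freed `res`, since the guest-controlled resource_id collision path is exactly where the original bug freed a live blob.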
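Review bot: in the second hunk the return value of `g_steal_pointer(&res);` is dropped, which is functionally identical to the removed `res = NULL;` and only signals intent; the new comment "Now live, cleaned up in virtio_gpu_virgl_resource_unref" sits above QTAILQ_INSERT_HEAD rather than next to the ownership transfer it describes. Suggest either moving the comment to the g_steal_pointer line or extending it to say that ownership passes to the reslist here, so the auto-free must not run; an explicit `(void) g_steal_pointer(&res);` would also make the discarded result obvious to readers and static checkers.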
