Commit b73d7eff1e for qemu.org

commit b73d7eff1eedb2399cd594bc872d5db13506d951
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Tue Nov 19 22:31:22 2024 +0100

    scsi: fix allocation for s390x loadparm

    Coverity reports a possible buffer overrun due to a non-NUL-terminated
    string in scsi_property_set_loadparm().  While things are not so easy,
    because qdev_prop_sanitize_s390x_loadparm is designed to operate on a
    buffer that is not NUL-terminated, in this case the string *does* have
    to be NUL-terminated because it is read by scsi_property_get_loadparm
    and s390_build_iplb.

    Reviewed-by: jrossi@linux.ibm.com
    Cc: thuth@redhat.com
    Fixes: 429442e52d9 ("hw: Add "loadparm" property to scsi disk devices for booting on s390x", 2024-11-18)
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 8e553487d5..7f13b0588f 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -3152,7 +3152,7 @@ static void scsi_property_set_loadparm(Object *obj, const char *value,
         return;
     }

-    lp_str = g_malloc0(strlen(value));
+    lp_str = g_malloc0(strlen(value) + 1);
     if (!qdev_prop_sanitize_s390x_loadparm(lp_str, value, errp)) {
         g_free(lp_str);
         return;
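Review bot: the `+ 1` in `lp_str = g_malloc0(strlen(value) + 1);` closes the off-by-one, but the allocation deserves a short comment saying why the extra byte exists, since qdev_prop_sanitize_s390x_loadparm is documented (in the commit message) as writing a non-NUL-terminated buffer and the terminator here comes only from g_malloc0's zero fill; without that note a later reader could treat the `+ 1` as slack and remove it, reintroducing the overrun in scsi_property_get_loadparm and s390_build_iplb. The error path `g_free(lp_str); return;` is unchanged, so the fix adds no leak.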