Fixed some potential null derefs in coreclr

[tpa95]

Fixed some potential null pointer dereferences in inspect.cpp and virtual.cpp. The errors were discovered using the Svace static analyzer. I didn't observe any in practice.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reporter: Pavel Tikhomirov (Tihomirov-P@gaz-is.ru).
Organization: Gazinformservice (resp@gaz-is.ru).

[huoyaoyuan]

This is affecting the munmap call in error branch.

[tpa95]

Yes. If mprotect fails, we jump to error before pRetVal is assigned, so munmap(pRetVal, MemSize) ends up being called with NULL.
Also, I can instead call munmap((void*)StartBoundary, MemSize) in the error branch.
But in the previous version of the code, before commit 435bff2, pRetVal was initialized before calling mprotect.

[noahfalk]

fyi @janvorli

[noahfalk]

Its not clear to me that calling munmap(NULL, ...) would cause a NULL-deref but it did seem like the intent of the code was to unmap the memory on error. Calling munmap(StartBoundary, ...) might be a clearer way to write that but I'll let @janvorli decide.

[janvorli]

I think the munmap would likely fail with EINVAL and would not dereference NULL. But maybe that if the size is large enough to reach memory mapped by some other mapping, it could cause it to be unmapped. The doc doesn't explicitly specify the behavior.
Also, the memory reserved in this case would leak.
So the fix looks good.

[tpa95]

Hi @janvorli . Would you prefer moving pRetVal = (void*)StartBoundary; before mprotect, or changing the error-path cleanup to call munmap((void*)StartBoundary, MemSize) instead? I can update the PR accordingly.

[tpa95]

Hi @agocke, @janvorli, @noahfalk. Could you please take a look when you have a moment and let me know if this is ready to merge or if you’d like changes? Thanks!

[agocke]

@elinor-fung could you also take a look?