[Qemu-devel] [Bug 1837094] [NEW] UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Qemu-devel] [Bug 1837094] [NEW] UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Philippe Mathieu-Daudé]

Public bug reported:

tag: v4.1.0-rc1

./configure --enable-sanitizers --extra-cflags=-O1

==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
==26130==The signal is caused by a WRITE memory access.
==26130==Hint: address points to the zero page.
    #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
    #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
    #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

I only had access to the last packet which isn't the culprit, I'm now
seeing how to log the network traffic of the guest to provide more
useful information.

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: slirp

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  New

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions

[Qemu-devel] [Bug 1837094] Re: UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Philippe Mathieu-Daudé]

** Description changed:

  tag: v4.1.0-rc1
  
  ./configure --enable-sanitizers --extra-cflags=-O1
  
- ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
+ ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
-     #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
-     #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
-     #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18
+     #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
+     #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
+     #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18
  
  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  New

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions

[Qemu-devel] [Bug 1837094] Re: UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Philippe Mathieu-Daudé]

Recent libslirp patch 126c04ac (explained in e0be8043) changed
ip_reass(), so this bug might be fixed.

https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04ac
https://gitlab.freedesktop.org/slirp/libslirp/commit/e0be8043

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  New

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions

[Qemu-devel] [Bug 1837094] Re: UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Samuel thibault]

And

https://gitlab.freedesktop.org/slirp/libslirp/commit/d203c81b

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  New

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions

[Bug 1837094] Re: UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Philippe Mathieu-Daudé]

I apologize for not understanding this bug was a security issue, and not
insisting on it.

It has been fixed in SLiRP by "Fix use-afte-free in ip_reass() (CVE-2020-1983)":
https://gitlab.freedesktop.org/slirp/libslirp/commit/9bd6c591

And in QEMU by commit 7769c23774 "slirp: update to fix CVE-2020-1983".

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1983

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  Fix Released

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions

[Bug 1837094] Re: UndefinedBehaviorSanitizer crash around slirp::ip_reass()

[Philippe Mathieu-Daudé]

Fixed in QEMU release v5.0.0

** Changed in: qemu
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1837094

Title:
  UndefinedBehaviorSanitizer crash around slirp::ip_reass()

Status in QEMU:
  Fix Released

Bug description:
  tag: v4.1.0-rc1

  ./configure --enable-sanitizers --extra-cflags=-O1

  ==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000561ad346d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
  ==26130==The signal is caused by a WRITE memory access.
  ==26130==Hint: address points to the zero page.
      #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
      #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
      #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

  I only had access to the last packet which isn't the culprit, I'm now
  seeing how to log the network traffic of the guest to provide more
  useful information.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1837094/+subscriptions