* [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr
@ 2020-05-19 16:40 Alexander Bulekov
2020-05-19 17:32 ` [Bug 1879531] " Alexander Bulekov
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Alexander Bulekov @ 2020-05-19 16:40 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "attachment"
https://bugs.launchpad.net/bugs/1879531/+attachment/5374219/+files/attachment
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
@ 2020-05-19 17:32 ` Alexander Bulekov
2020-12-16 23:28 ` Alexander Bulekov
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Alexander Bulekov @ 2020-05-19 17:32 UTC (permalink / raw)
To: qemu-devel
>From Prasad:
struct ip6_ext_hdr {
uint8_t ip6r_nxt; /* next header */
uint8_t ip6r_len; /* length in units of 8 octets */
};
struct ip6_ext_hdr_routing {
uint8_t nxt;
uint8_t len;
uint8_t rtype;
uint8_t segleft;
uint8_t rsvd[4];
};
Yes, it looks like because 'struct ip6_ext_hdr' type stack variable's address is assigned to
'struct ip6_ext_hdr_routine' type pointer. And such a pointer is accessing '->rtype' variable,
which is not present in 'struct ip6_ext_hdr'.
diff --git a/include/net/eth.h b/include/net/eth.h
index 7f45c678e7..38f2d52bcd 100644
--- a/include/net/eth.h
+++ b/include/net/eth.h
@@ -129,6 +129,7 @@ typedef struct ip6_pseudo_header {
struct ip6_ext_hdr {
uint8_t ip6r_nxt; /* next header */
uint8_t ip6r_len; /* length in units of 8 octets */
+ uint32_t padding;
};
Above patch should help. It is okay to send this report upstream. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
2020-05-19 17:32 ` [Bug 1879531] " Alexander Bulekov
@ 2020-12-16 23:28 ` Alexander Bulekov
2021-01-26 11:31 ` Philippe Mathieu-Daudé
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Alexander Bulekov @ 2020-12-16 23:28 UTC (permalink / raw)
To: qemu-devel
Minimized Reproducer:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
-accel qtest -monitor none \
-serial none -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0x25 0x1 0x86
write 0x26 0x1 0xdd
write 0x4f 0x1 0x2b
write 0xe1020030 0x4 0x190002e1
write 0xe102003a 0x2 0x0807
write 0xe1020048 0x4 0x12077cdd
write 0xe1020400 0x4 0xba077cdd
write 0xe1020420 0x4 0x190002e1
write 0xe1020428 0x4 0x3509d807
write 0xe1020438 0x1 0xe2
EOF
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
2020-05-19 17:32 ` [Bug 1879531] " Alexander Bulekov
2020-12-16 23:28 ` Alexander Bulekov
@ 2021-01-26 11:31 ` Philippe Mathieu-Daudé
2021-01-26 12:58 ` Peter Maydell
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-01-26 11:31 UTC (permalink / raw)
To: qemu-devel
Proposed fix:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg773408.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
` (2 preceding siblings ...)
2021-01-26 11:31 ` Philippe Mathieu-Daudé
@ 2021-01-26 12:58 ` Peter Maydell
2021-03-18 10:03 ` Paolo Bonzini
2021-04-30 8:24 ` Thomas Huth
5 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2021-01-26 12:58 UTC (permalink / raw)
To: qemu-devel
** Tags added: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
` (3 preceding siblings ...)
2021-01-26 12:58 ` Peter Maydell
@ 2021-03-18 10:03 ` Paolo Bonzini
2021-04-30 8:24 ` Thomas Huth
5 siblings, 0 replies; 7+ messages in thread
From: Paolo Bonzini @ 2021-03-18 10:03 UTC (permalink / raw)
To: qemu-devel
Updated version: https://www.mail-archive.com/qemu-
devel@nongnu.org/msg789998.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
` (4 preceding siblings ...)
2021-03-18 10:03 ` Paolo Bonzini
@ 2021-04-30 8:24 ` Thomas Huth
5 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-04-30 8:24 UTC (permalink / raw)
To: qemu-devel
https://gitlab.com/qemu-project/qemu/-/commit/7d6a4f123e00c9dbd
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
Fix Released
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr /home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command /home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409 0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-04-30 8:33 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-19 16:40 [Bug 1879531] [NEW] Stack-overflow in _eth_get_rss_ex_dst_addr Alexander Bulekov
2020-05-19 17:32 ` [Bug 1879531] " Alexander Bulekov
2020-12-16 23:28 ` Alexander Bulekov
2021-01-26 11:31 ` Philippe Mathieu-Daudé
2021-01-26 12:58 ` Peter Maydell
2021-03-18 10:03 ` Paolo Bonzini
2021-04-30 8:24 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).