[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr
|
From: |
Alexander Bulekov |
|
Subject: |
[Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr |
|
Date: |
Wed, 16 Dec 2020 23:28:29 -0000 |
Minimized Reproducer:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
-accel qtest -monitor none \
-serial none -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0x25 0x1 0x86
write 0x26 0x1 0xdd
write 0x4f 0x1 0x2b
write 0xe1020030 0x4 0x190002e1
write 0xe102003a 0x2 0x0807
write 0xe1020048 0x4 0x12077cdd
write 0xe1020400 0x4 0xba077cdd
write 0xe1020420 0x4 0x190002e1
write 0xe1020428 0x4 0x3509d807
write 0xe1020438 0x1 0xe2
EOF
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879531
Title:
Stack-overflow in _eth_get_rss_ex_dst_addr
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_rss_ex_dst_addr
/home/alxndr/Development/qemu/net/eth.c:410:17
#1 0x55594f1a39da in eth_parse_ipv6_hdr
/home/alxndr/Development/qemu/net/eth.c:532:17
#2 0x55594ebc34f2 in net_tx_pkt_parse_headers
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:228:14
#3 0x55594ebc2149 in net_tx_pkt_parse
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:273:9
#4 0x55594ec1ba76 in e1000e_process_tx_desc
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:737:29
#5 0x55594ec1aea4 in e1000e_start_xmit
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
#6 0x55594ec0e70e in e1000e_set_tdt
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
#7 0x55594ebec435 in e1000e_core_write
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
#8 0x55594ebdf11b in e1000e_mmio_write
/home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
#9 0x55594dfd98b1 in memory_region_write_accessor
/home/alxndr/Development/qemu/memory.c:483:5
#10 0x55594dfd9211 in access_with_adjusted_size
/home/alxndr/Development/qemu/memory.c:544:18
#11 0x55594dfd7c30 in memory_region_dispatch_write
/home/alxndr/Development/qemu/memory.c:1476:16
#12 0x55594dde24b8 in flatview_write_continue
/home/alxndr/Development/qemu/exec.c:3137:23
#13 0x55594ddd12dc in flatview_write
/home/alxndr/Development/qemu/exec.c:3177:14
#14 0x55594ddd0dec in address_space_write
/home/alxndr/Development/qemu/exec.c:3268:18
#15 0x55594dfcdbdc in qtest_process_command
/home/alxndr/Development/qemu/qtest.c:567:9
#16 0x55594dfc3700 in qtest_process_inbuf
/home/alxndr/Development/qemu/qtest.c:710:9
#17 0x55594dfc2cc8 in qtest_read
/home/alxndr/Development/qemu/qtest.c:722:5
#18 0x55594f74b259 in qemu_chr_be_write_impl
/home/alxndr/Development/qemu/chardev/char.c:183:9
#19 0x55594f74b3ee in qemu_chr_be_write
/home/alxndr/Development/qemu/chardev/char.c:195:9
#20 0x55594f7556fc in fd_chr_read
/home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#21 0x55594f7ea488 in qio_channel_fd_source_dispatch
/home/alxndr/Development/qemu/io/channel-watch.c:84:12
#22 0x7f43f6c1d897 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#23 0x55594f9dea5d in glib_pollfds_poll
/home/alxndr/Development/qemu/util/main-loop.c:219:9
#24 0x55594f9dd1d7 in os_host_main_loop_wait
/home/alxndr/Development/qemu/util/main-loop.c:242:5
#25 0x55594f9dcd6e in main_loop_wait
/home/alxndr/Development/qemu/util/main-loop.c:518:11
#26 0x55594e44cd01 in qemu_main_loop
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#27 0x55594f803c21 in main
/home/alxndr/Development/qemu/softmmu/main.c:49:5
#28 0x7f43f57b4e0a in __libc_start_main
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#29 0x55594dd03889 in _start
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xdbd889)
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr
/home/alxndr/Development/qemu/net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/alxndr/Development/qemu/net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio
-monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b
0x86dd1900ff5df747002bfc90dd1900ff5df747002bfc9add1900ff5df747002bfca4dd1900ff5df747002b
write 0xe1020030 0x409
0x190002e100000000350908077cdd190002e100000000350912077cdd190002e10000000035091c077cdd190002e100000000350926077cdd190002e100000000350930077cdd190002e10000000035093a077cdd190002e100000000350944077cdd190002e10000000035094e077cdd190002e100000000350958077cdd190002e100000000350962077cdd190002e10000000035096c077cdd190002e100000000350976077cdd190002e100000000350980077cdd190002e10000000035098a077cdd190002e100000000350994077cdd190002e10000000035099e077cdd190002e1000000003509a8077cdd190002e1000000003509b2077cdd190002e1000000003509bc077cdd190002e1000000003509c6077cdd190002e1000000003509d0077cdd190002e1000000003509da077cdd190002e1000000003509e4077cdd190002e1000000003509ee077cdd190002e1000000003509f8077cdd190002e100000000350902077cdd190002e10000000035090c077cdd190002e100000000350916077cdd190002e100000000350920077cdd190002e10000000035092a077cdd190002e100000000350934077cdd190002e10000000035093e077cdd190002e100000000350948077cdd190002e100000000350952077cdd190002e10000000035095c077cdd190002e100000000350966077cdd190002e100000000350970077cdd190002e10000000035097a077cdd190002e100000000350984077cdd190002e10000000035098e077cdd190002e100000000350998077cdd190002e1000000003509a2077cdd190002e1000000003509ac077cdd190002e1000000003509b6077cdd190002e1000000003509c0077cdd190002e1000000003509ca077cdd190002e1000000003509d4077cdd190002e1000000003509de077cdd190002e1000000003509e8077cdd190002e1000000003509f2077cdd190002e1000000003509fc077cdd190002e100000000350906077cdd190002e100000000350910077cdd190002e10000000035091a077cdd190002e100000000350924077cdd190002e10000000035092e077cdd190002e100000000350938077cdd190002e100000000350942077cdd190002e10000000035094c077cdd190002e100000000350956077cdd190002e100000000350960077cdd190002e10000000035096a077cdd190002e100000000350974077cdd190002e10000000035097e077cdd190002e100000000350988077cdd190002e100000000350992077cdd190002e10000000035099c077cdd190002e1000000003509a6077cdd190002e1000000003509b0077cdd190002e1000000003509ba077cdd190002e1000000003509c4077cdd190002e1000000003509ce077cdd190002e1000000003509d8077cdd190002e1000000003509e2
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none
-serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879531/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1879531] Re: Stack-overflow in _eth_get_rss_ex_dst_addr,
Alexander Bulekov <=