Hello,

This is a bug I reported to qemu-security, but I was advised to
forward it here because it doesn't align with the virtualization use case.

Thanks,
Chuhong

---------- Forwarded message ---------
From: Chuhong Yuan <hsleste...@gmail.com>
Date: Sat, May 3, 2025 at 11:30 PM
Subject: Out-of-bounds access in rx_fifo_push()
To: <qemu-secur...@nongnu.org>


I detected an out-of-bounds access in rx_fifo_push() with the fuzzer.
Run the fuzzer with:
```
export QEMU_FUZZ_ARGS="-display none -machine accel=qtest, -m 512M -machine smdkc210"
export QEMU_FUZZ_OBJECTS="*lan9118-mmio*"
./qemu-fuzz-arm --fuzz-target=generic-fuzz
```
The error stack:
```
../hw/net/lan9118.c:455:5: runtime error: index -30 out of bounds for type 'uint32_t[3360]' (aka 'unsigned int[3360]')
    #0 0x5db0345b2020 in rx_fifo_push qemu/build/../hw/net/lan9118.c:455:26
    #1 0x5db0345b02a2 in lan9118_receive qemu/build/../hw/net/lan9118.c:546:13
    #2 0x5db034f8c2cf in nc_sendv_compat qemu/build/../net/net.c:794:11
    #3 0x5db034f8c2cf in qemu_deliver_packet_iov qemu/build/../net/net.c:841:15
    #4 0x5db034f93d1c in qemu_net_queue_deliver_iov qemu/build/../net/queue.c:179:11
    #5 0x5db034f93d1c in qemu_net_queue_send_iov qemu/build/../net/queue.c:235:11
    #6 0x5db034f73a83 in net_hub_receive_iov qemu/build/../net/hub.c:74:9
    #7 0x5db034f73a83 in net_hub_port_receive_iov qemu/build/../net/hub.c:125:12
    #8 0x5db034f8c0b1 in qemu_deliver_packet_iov qemu/build/../net/net.c:839:15
    #9 0x5db034f916d5 in qemu_net_queue_deliver qemu/build/../net/queue.c:164:11
    #10 0x5db034f9195c in qemu_net_queue_send qemu/build/../net/queue.c:210:11
    #11 0x5db034f80328 in qemu_send_packet_async_with_flags qemu/build/../net/net.c:742:12
    #12 0x5db034fd8e1a in net_slirp_send_packet qemu/build/../net/slirp.c:130:12
    #13 0x730d1764af9d (/usr/lib/x86_64-linux-gnu/libslirp.so.0+0x19f9d) (BuildId: 083a517df5bba0cceb41bd923e84dd78ed894739)
    #14 0x730d17638dd0 (/usr/lib/x86_64-linux-gnu/libslirp.so.0+0x7dd0) (BuildId: 083a517df5bba0cceb41bd923e84dd78ed894739)
    #15 0x730d1763957a (/usr/lib/x86_64-linux-gnu/libslirp.so.0+0x857a) (BuildId: 083a517df5bba0cceb41bd923e84dd78ed894739)
    #16 0x730d1763868a (/usr/lib/x86_64-linux-gnu/libslirp.so.0+0x768a) (BuildId: 083a517df5bba0cceb41bd923e84dd78ed894739)
    #17 0x730d17638add (/usr/lib/x86_64-linux-gnu/libslirp.so.0+0x7add) (BuildId: 083a517df5bba0cceb41bd923e84dd78ed894739)
    #18 0x5db03627becf in timerlist_run_timers qemu/build/../util/qemu-timer.c:563:9
    #19 0x5db03627d1b8 in qemu_clock_run_timers qemu/build/../util/qemu-timer.c:577:12
    #20 0x5db03627d1b8 in qemu_clock_advance_virtual_time qemu/build/../util/qemu-timer.c:683:9
    #21 0x5db035e5b7e1 in qtest_process_command qemu/build/../system/qtest.c:718:18
    #22 0x5db035e5714d in qtest_process_inbuf qemu/build/../system/qtest.c:769:9
    #23 0x5db035e56ac6 in qtest_server_inproc_recv qemu/build/../system/qtest.c:897:9
    #24 0x5db035f5a702 in qtest_sendf qemu/build/../tests/qtest/libqtest.c:695:5
    #25 0x5db035f5a814 in qtest_clock_step_next qemu/build/../tests/qtest/libqtest.c:1116:5
    #26 0x5db035fdcc4f in generic_fuzz qemu/build/../tests/qtest/fuzz/generic_fuzz.c:666:13
    #27 0x5db035fcfa57 in LLVMFuzzerTestOneInput qemu/build/../tests/qtest/fuzz/fuzz.c:172:5
    #28 0x5db033ae6459 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:612:15
    #29 0x5db033aea030 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:22
    #30 0x5db033aeba9b in fuzzer::Fuzzer::MutateAndTestOne() llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:758:25
    #31 0x5db033aeddaf in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:903:21
    #32 0x5db033ad2b7a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:10
    #33 0x5db033abfe46 in main llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
    #34 0x730d16e2a1c9  (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
    #35 0x730d16e2a28a in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
    #36 0x5db033abfe84 in _start (qemu/build/qemu-fuzz-arm+0x2600e84)
```

From analyzing the code, the cause is that the code at line 624
has no bounds check, so `s->rx_fifo_used` can become a
negative value. So if line 622 cuts `s->rx_fifo_head` to 0,
`fifo_pos` at line 452 will be negative, which causes the
out-of-bounds access.

Ack: Chuhong Yuan (hsleste...@gmail.com)
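The FIFO index arithmetic described in the analysis above, as an added example that is not code from QEMU's lan9118.c: a constructed C model of a receive ring buffer whose unchecked pop lets the used count go negative, beside a pop and a push that enforce 0 <= used < size. The struct layout, the function names other than those quoted in the report, and the 30-pop sequence are assumptions chosen so that the computed slot reproduces the index -30 from the sanitizer message.

```c
#include <stdbool.h>
#include <stdint.h>
#define RX_FIFO_SIZE 3360 /* element count taken from the sanitizer report */

/* Constructed model of a receive ring buffer; field names follow the report. */
typedef struct {
    uint32_t rx_fifo[RX_FIFO_SIZE];
    int rx_fifo_size;
    int rx_fifo_head; /* index of the oldest stored word */
    int rx_fifo_used; /* number of words currently stored */
} fifo_model;

/* Slot the next push writes to: head + used, wrapped once at the size.
 * Goes negative as soon as rx_fifo_used has underflowed. */
static int rx_fifo_push_pos(const fifo_model *s) {
    int fifo_pos = s->rx_fifo_head + s->rx_fifo_used;
    return fifo_pos >= s->rx_fifo_size ? fifo_pos - s->rx_fifo_size : fifo_pos;
}

/* Pop mirroring the described defect: no check that the FIFO is non-empty. */
static void rx_fifo_pop_unchecked(fifo_model *s) {
    if (++s->rx_fifo_head >= s->rx_fifo_size) s->rx_fifo_head = 0;
    s->rx_fifo_used--;
}

/* Hardened pop: an empty FIFO is left untouched and the caller is told. */
static bool rx_fifo_pop_checked(fifo_model *s) {
    if (s->rx_fifo_used <= 0) return false;
    rx_fifo_pop_unchecked(s); /* safe: used > 0 was just established */
    return true;
}

/* Push guarded by the same invariant, so a corrupted count cannot index
 * outside rx_fifo even if a check elsewhere is missed. */
static bool rx_fifo_push_checked(fifo_model *s, uint32_t val) {
    if (s->rx_fifo_used < 0 || s->rx_fifo_used >= s->rx_fifo_size) return false;
    s->rx_fifo[rx_fifo_push_pos(s)] = val;
    s->rx_fifo_used++;
    return true;
}

/* 30 pops on an empty FIFO whose head sits 30 slots before the wrap point.
 * Unchecked: the last pop wraps head to 0 and used reaches -30, so the next
 * push would index slot -30, the index in the report. Checked: nothing moves. */
static int demo_push_pos_after_pops(bool checked) {
    fifo_model s = { .rx_fifo_size = RX_FIFO_SIZE, .rx_fifo_head = RX_FIFO_SIZE - 30 };
    for (int i = 0; i < 30; i++)
        if (checked) rx_fifo_pop_checked(&s); else rx_fifo_pop_unchecked(&s);
    return rx_fifo_push_pos(&s);
}
```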
