On 8/29/19 5:53 PM, Philippe Mathieu-Daudé wrote:
> On 8/29/19 5:43 PM, Philippe Mathieu-Daudé wrote:
>> On 8/26/19 12:54 AM, Samuel Thibault wrote:
>>> Philippe Mathieu-Daudé, on Fri 23 Aug 2019 17:15:32 +0200, wrote:
>>>>> Did you make your test with commit 126c04acbabd ("Fix heap overflow in
>>>>> ip_reass on big packet input") applied?
>>>>
>>>> Yes, unfortunately it doesn't fix the issue.
>>>
>>> Ok.
>>>
>>> Could you try the attached patch? There was a use-after-free. Without
>>> it, I can indeed crash qemu with the given exploit. With it I don't
>>> seem to be able to crash it (trying in a loop for several minutes).
> [...]
>>
>> Note 2: We miss some Makefile rules in QEMU with the libslirp split.
>>
>> Checking out branches in the slirp/ directory doesn't trigger recompiling
>> the slirp object, and even if I force the creation of the libslirp.a
>> archive, the QEMU binaries are not linked again with the refreshed archive.
>
> And I hit the same issue after applying your patch =)
>
> So, using a clean workspace, I can not reproduce the null deref anymore.
>
> If you send a proper patch, feel free to add:
>
> Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>

I was going to suggest to also add:

Reported-by: Quan Wenli <wq...@redhat.com>

But you answered in another thread that this patch was already committed 3 days ago as:
https://gitlab.freedesktop.org/slirp/libslirp/commit/d203c81b