Released with QEMU v5.2.0.

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878043

Title:
  memcpy param-overlap in Slirp ip_stripoptions through e1000e

Status in QEMU:
  Fix Released

Bug description:
  Hello,

  While fuzzing, I found an input that triggers an overlapping memcpy (caught by AddressSanitizer). Overlapping memcpys are undefined behavior according to the POSIX and C standards, and can lead to bugs.

  ==16666==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x625000264940,0x62500026699a) and [0x625000264948,0x6250002669a2) overlap
      #0 0x5622d7b6a3d4 in __asan_memcpy (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96c3d4)
      #1 0x5622d896a2d2 in ip_stripoptions /home/alxndr/Development/qemu/slirp/src/ip_input.c:457:5
      #2 0x5622d8963378 in udp_input /home/alxndr/Development/qemu/slirp/src/udp.c:86:9
      #3 0x5622d89351ea in slirp_input /home/alxndr/Development/qemu/slirp/src/slirp.c:840:13
      #4 0x5622d852e162 in net_slirp_receive /home/alxndr/Development/qemu/net/slirp.c:126:5
      #5 0x5622d8515851 in nc_sendv_compat /home/alxndr/Development/qemu/net/net.c:700:15
      #6 0x5622d8515851 in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:728:15
      #7 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
      #8 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
      #9 0x5622d851b1c1 in net_hub_receive_iov /home/alxndr/Development/qemu/net/hub.c:74:9
      #10 0x5622d851b1c1 in net_hub_port_receive_iov /home/alxndr/Development/qemu/net/hub.c:125:12
      #11 0x5622d851572b in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:726:15
      #12 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
      #13 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
      #14 0x5622d828bf87 in net_tx_pkt_sendv /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:546:9
      #15 0x5622d828bf87 in net_tx_pkt_send /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620:9
      #16 0x5622d82b5f22 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/hw/net/e1000e_core.c:666:16
      #17 0x5622d82b5f22 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
      #18 0x5622d82b5f22 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
      #19 0x5622d82b2be0 in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
      #20 0x5622d82a30fc in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
      #21 0x5622d7c9e336 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
      #22 0x5622d7c9dcdf in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
      #23 0x5622d7c9dcdf in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
      #24 0x5622d7bb31d3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
      #25 0x5622d7babb97 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
      #26 0x5622d7babb97 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18

  0x625000264940 is located 64 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
  allocated by thread T0 here:
      #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
      #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)

  0x625000264948 is located 72 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
  allocated by thread T0 here:
      #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
      #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)

  I can reproduce it in qemu 5.0 built with --enable-sanitizers using:

  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  outl 0xcf8 0x8000fa24
  outl 0xcfc 0xe1069000
  outl 0xcf8 0x8000fa04
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fb20
  write 0xe1069100 0xe 0xff810000000000008420f9e10019
  write 0x820b 0xc 0x080047bb0c02e10000004011
  write 0xe1020403 0x36 0xb700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e1
  EOF

  I also attached the trace to this launchpad report, in case the formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none < attachment

  Please let me know if I can provide any further info.

  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878043/+subscriptions
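The report above is the classic shape of an in-place "strip the IP options" move: the payload is slid down over the options, so the source range starts a few bytes (here 8, as the two reported ranges show) after the destination and the two overlap. The following is an added illustration written for this page, not slirp's ip_stripoptions and not the upstream fix; it works on a raw byte buffer with a constructed IPv4 header and shows the overlap-safe primitive (memmove) together with the IHL sanity checks a defensive implementation needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV4_MIN_HLEN 20   /* IPv4 header length without options */

/* Strip IPv4 options from the packet in buf (pkt_len bytes), in place.
 * Returns the new packet length, or 0 if the header length field is invalid.
 *
 * The payload is moved from [hlen, pkt_len) down to [20, pkt_len - olen).
 * Those ranges overlap whenever the payload is longer than olen, and memcpy
 * is undefined behaviour on overlapping ranges (that is what the ASan
 * memcpy-param-overlap report above flags); memmove is defined for them. */
size_t strip_ip_options(uint8_t *buf, size_t pkt_len)
{
    if (pkt_len < IPV4_MIN_HLEN)
        return 0;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;   /* IHL field, 32-bit words */
    if (hlen < IPV4_MIN_HLEN || hlen > pkt_len)
        return 0;                                /* malformed IHL: reject */
    size_t olen = hlen - IPV4_MIN_HLEN;
    if (olen == 0)
        return pkt_len;                          /* no options present */

    memmove(buf + IPV4_MIN_HLEN, buf + hlen, pkt_len - hlen);
    buf[0] = (uint8_t)((buf[0] & 0xf0) | (IPV4_MIN_HLEN / 4)); /* IHL = 5 */
    return pkt_len - olen;
}

/* Constructed sample packet (not from the report): IHL=7, i.e. 8 bytes of
 * NOP options, followed by a 12-byte payload; the 8-byte shift mirrors the
 * offset between the two overlapping ranges in the ASan output. */
int demo(void)
{
    static const char payload[12] = "hello world";
    uint8_t pkt[IPV4_MIN_HLEN + 8 + 12];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x47;                          /* version 4, IHL 7 */
    memset(pkt + IPV4_MIN_HLEN, 0x01, 8);   /* option type 1 = NOP */
    memcpy(pkt + IPV4_MIN_HLEN + 8, payload, 12);

    size_t n = strip_ip_options(pkt, sizeof pkt);
    return n == 32 && (pkt[0] & 0x0f) == 5
        && memcmp(pkt + IPV4_MIN_HLEN, payload, 12) == 0;
}
```

Built with -fsanitize=address, a memcpy in place of the memmove here produces the same memcpy-param-overlap report as the one above, which is a cheap regression check to keep in a fuzzing or CI build.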