Hello, Alexander Bulekov, le lun. 03 mai 2021 16:09:33 -0400, a ecrit: > Forwarding this along to the list, so it doesn't get buried during the > gitlab issue migration.
Thanks! Pushed a proposed fix on https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/86 Samuel > ----- Forwarded message from "Alexander Bulekov (@a1xndr)" > <git...@mg.gitlab.com> ----- > > Alexander Bulekov created an issue: > https://gitlab.com/qemu-project/qemu/-/issues/111 > > Hello, > Reproducer > ``` > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ > 512M -M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 \ > -qtest stdio > outl 0xcf8 0x80000813 > outl 0xcfc 0x56 > outl 0xcf8 0x80000801 > outl 0xcfc 0x06000000 > write 0x56000403 0x1 0x02 > write 0x5600042b 0x1 0x80 > write 0x20a 0x1 0x86 > write 0x20b 0x1 0xdd > write 0x20c 0x1 0x60 > write 0x212 0x1 0x11 > write 0x213 0x1 0x01 > write 0x224 0x1 0xfe > write 0x225 0x1 0xc0 > write 0x233 0x1 0x02 > write 0x237 0x1 0x45 > write 0x23d 0x1 0x01 > write 0xb 0x1 0x24 > write 0x10 0x1 0xfe > write 0x11 0x1 0x01 > write 0x19 0x1 0x01 > write 0x1a 0x1 0x10 > write 0x1b 0x1 0x25 > write 0x5600043a 0x1 0x04 > EOF > ``` > > Stack-trace: > ``` > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:374:27 in > ../net/eth.c:375:27: runtime error: member access within misaligned address > 0x631000014846 for type 'struct ip6_header', which requires 4 byte alignment > 0x631000014846: note: pointer points here > 00 00 11 11 60 00 00 00 00 00 11 11 00 00 00 00 00 00 00 00 00 00 00 00 > 00 00 00 00 fe c0 00 00 > ^ > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:375:27 in > qemu-fuzz-i386: ../slirp/src/ndp_table.c:59: _Bool ndp_table_search(Slirp *, > struct in6_addr, uint8_t *): Assertion `!in6_zero(&ip_addr)' failed. 
> > #8 in __assert_fail assert/assert.c:101:3 > #9 in ndp_table_search /slirp/src/ndp_table.c:59:5 > #10 in if_encap6 /slirp/src/slirp.c:926:10 > #11 in if_encap /slirp/src/slirp.c:967:15 > #12 in if_start /slirp/src/if.c:183:45 > #13 in ip6_output /slirp/src/ip6_output.c:35:9 > #14 in tftp_udp_output /slirp/src/tftp.c:161:9 > #15 in tftp_send_error /slirp/src/tftp.c:223:5 > #16 in tftp_handle_rrq /slirp/src/tftp.c > #17 in tftp_input /slirp/src/tftp.c:453:9 > #18 in udp6_input /slirp/src/udp6.c:81:9 > #19 in slirp_input /slirp/src/slirp.c:847:13 > #20 in net_slirp_receive /net/slirp.c:136:5 > #21 in nc_sendv_compat /net/net.c > #22 in qemu_deliver_packet_iov /net/net.c:765:15 > #23 in qemu_net_queue_deliver_iov /net/queue.c:179:11 > #24 in qemu_net_queue_send_iov /net/queue.c:246:11 > #25 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:558:9 > #26 in net_tx_pkt_send /hw/net/net_tx_pkt.c:633:9 > #27 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:659:16 > #28 in e1000e_process_tx_desc /hw/net/e1000e_core.c:736:17 > #29 in e1000e_start_xmit /hw/net/e1000e_core.c:927:9 > #30 in e1000e_set_tdt /hw/net/e1000e_core.c:2444:9 > #31 in e1000e_core_write /hw/net/e1000e_core.c:3256:9 > #32 in memory_region_write_accessor /softmmu/memory.c:491:5 > #33 in access_with_adjusted_size /softmmu/memory.c:552:18 > #34 in memory_region_dispatch_write /softmmu/memory.c > #35 in flatview_write_continue /softmmu/physmem.c:2746:23 > #36 in flatview_write /softmmu/physmem.c:2786:14 > #37 in address_space_write /softmmu/physmem.c:2878:18 > ``` > > Test-case: > ``` > /* > * Autogenerated Fuzzer Test Case > * > * Copyright (c) 2021 <name of author> > * > * This work is licensed under the terms of the GNU GPL, version 2 or later. > * See the COPYING file in the top-level directory. 
> */ > > #include "qemu/osdep.h" > > #include "libqos/libqtest.h" > > static void test_fuzz(void) > { > QTestState *s = qtest_init("-display none , -m 512M -M q35 -nodefaults > -device " > "e1000e,netdev=net0 -netdev user,id=net0"); > qtest_outl(s, 0xcf8, 0x80000813); > qtest_outl(s, 0xcfc, 0x56); > qtest_outl(s, 0xcf8, 0x80000801); > qtest_outl(s, 0xcfc, 0x06000000); > qtest_bufwrite(s, 0x56000403, "\x02", 0x1); > qtest_bufwrite(s, 0x5600042b, "\x80", 0x1); > qtest_bufwrite(s, 0x20a, "\x86", 0x1); > qtest_bufwrite(s, 0x20b, "\xdd", 0x1); > qtest_bufwrite(s, 0x20c, "\x60", 0x1); > qtest_bufwrite(s, 0x212, "\x11", 0x1); > qtest_bufwrite(s, 0x213, "\x01", 0x1); > qtest_bufwrite(s, 0x224, "\xfe", 0x1); > qtest_bufwrite(s, 0x225, "\xc0", 0x1); > qtest_bufwrite(s, 0x233, "\x02", 0x1); > qtest_bufwrite(s, 0x237, "\x45", 0x1); > qtest_bufwrite(s, 0x23d, "\x01", 0x1); > qtest_bufwrite(s, 0xb, "\x24", 0x1); > qtest_bufwrite(s, 0x10, "\xfe", 0x1); > qtest_bufwrite(s, 0x11, "\x01", 0x1); > qtest_bufwrite(s, 0x19, "\x01", 0x1); > qtest_bufwrite(s, 0x1a, "\x10", 0x1); > qtest_bufwrite(s, 0x1b, "\x25", 0x1); > qtest_bufwrite(s, 0x5600043a, "\x04", 0x1); > qtest_quit(s); > } > int main(int argc, char **argv) > { > const char *arch = qtest_get_arch(); > > g_test_init(&argc, &argv, NULL); > > if (strcmp(arch, "i386") == 0) { > qtest_add_func("fuzz/test_fuzz", test_fuzz); > } > > return g_test_run(); > } > ``` > > OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33873 > -- Samuel Tu as lu les docs. Tu es devenu un informaticien. Que tu le veuilles ou non. Lire la doc, c'est le Premier et Unique Commandement de l'informaticien. -+- TP in: Guide du Linuxien pervers - "L'évangile selon St Thomas"