
[Qemu-devel] A use-after-free in slirp


From: P J P
Subject: [Qemu-devel] A use-after-free in slirp
Date: Thu, 3 Aug 2017 17:45:06 +0530 (IST)

  Hello Jan, Samuel

Wjjzhang (CC'd) has reported a use-after-free issue which seems to occur while responding to a packet, after the socket has been closed by another thread.

===
==31922==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400001ff8c at pc 0x56485de28ea0 bp 0x7f00f44fc950 sp 0x7f00f44fc940
READ of size 4 at 0x61400001ff8c thread T2
    #0 0x56485de28e9f in if_start slirp/if.c:230
    #1 0x56485de28a58 in if_output slirp/if.c:141
    #2 0x56485de35173 in ip_output slirp/ip_output.c:85
    #3 0x56485de57c48 in tcp_respond slirp/tcp_subr.c:218
    #4 0x56485de52440 in tcp_input slirp/tcp_input.c:1392
    #5 0x56485de329ef in ip_input slirp/ip_input.c:206
    #6 0x56485de3cf93 in slirp_input slirp/slirp.c:872
    #7 0x56485de0726d in net_slirp_receive net/slirp.c:119
    #8 0x56485ddee24d in nc_sendv_compat net/net.c:707
    #9 0x56485ddee3dd in qemu_deliver_packet_iov net/net.c:734
    #10 0x56485ddf422c in qemu_net_queue_deliver_iov net/queue.c:179
    ...
===

A full trace output can be seen here -> https://paste.fedoraproject.org/paste/gh~hDctqUQ8uVt6UdG~zbg

I tried to debug how the 'so' and 'slirp' objects are connected and why it's leading to a UAF issue, but couldn't quite fix it.

Could you please help with an appropriate patch for this one?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
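The report above describes a pending packet being handed to if_start after the socket it belongs to has already been freed. The C program below is an added example, not slirp's code and not the patch the message asks for: it models the general shape of that bug class with hypothetical names (sock_t, pkt_t, queue_t, queue_push, sock_close_naive, sock_close_safe, if_start_model, run_scenario). The assumption it encodes is that each queued packet keeps a back-pointer to its socket, so freeing the socket before the queue is drained leaves that pointer dangling; the hardened close walks the queue and clears the back-pointers first. Which socket field slirp actually reads at if.c:230 is not shown on the page, so the drain routine here only models per-socket bookkeeping. A `freed` flag set by quarantine_free() stands in for AddressSanitizer's quarantine so the dangling access is counted deterministically instead of being undefined behaviour.

```c
/*
 * Added illustrative model of a queued-packet use-after-free (not slirp code).
 * All names are hypothetical; see the lead-in for the assumptions made.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct sock {
    int id;
    int so_queued;  /* packets of this socket still sitting on the interface queue */
    bool freed;     /* set by quarantine_free(); stands in for ASan's quarantine */
} sock_t;

typedef struct pkt {
    struct pkt *next;
    sock_t *ifq_so; /* back-pointer to the owning socket; this is what can dangle */
    int len;
} pkt_t;

typedef struct {
    pkt_t *head;
} queue_t;

/* Instead of free(), mark the socket dead so a later dereference can be
 * detected deterministically. Real code releases the memory here. */
static void quarantine_free(sock_t *so) { so->freed = true; }

/* Queue a packet of 'len' bytes on behalf of socket 'so'. */
static void queue_push(queue_t *q, sock_t *so, int len) {
    pkt_t *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->ifq_so = so;
    p->len = len;
    p->next = q->head;
    q->head = p;
    so->so_queued++;
}

/* Naive close: releases the socket while queued packets still point at it. */
static void sock_close_naive(queue_t *q, sock_t *so) {
    (void)q;
    quarantine_free(so);
}

/* Hardened close: clear every back-pointer to this socket from the pending
 * queue before releasing it, so the drain routine sees NULL instead. */
static void sock_close_safe(queue_t *q, sock_t *so) {
    for (pkt_t *p = q->head; p; p = p->next) {
        if (p->ifq_so == so) {
            p->ifq_so = NULL;
        }
    }
    quarantine_free(so);
}

/* Drain the queue. Returns how many packets referenced an already-freed
 * socket; in real code each of those is a heap-use-after-free. */
static int if_start_model(queue_t *q) {
    int dangling = 0;
    pkt_t *p = q->head;
    while (p) {
        pkt_t *next = p->next;
        if (p->ifq_so) {
            if (p->ifq_so->freed) {
                dangling++;              /* would be a read of freed memory */
            } else {
                p->ifq_so->so_queued--;  /* modelled per-socket bookkeeping */
            }
        }
        free(p);
        p = next;
    }
    q->head = NULL;
    return dangling;
}

/* Scenario: queue two packets for one socket, close it, then drain the queue.
 * Returns the number of dangling dereferences the drain observed. */
int run_scenario(bool use_safe_close) {
    queue_t q = { NULL };
    sock_t *so = calloc(1, sizeof *so);
    if (!so) abort();
    so->id = 1;
    queue_push(&q, so, 40);    /* constructed sample packets */
    queue_push(&q, so, 1400);
    if (use_safe_close) {
        sock_close_safe(&q, so);
    } else {
        sock_close_naive(&q, so);
    }
    int dangling = if_start_model(&q);
    free(so);                  /* the quarantine only marked it; release now */
    return dangling;
}

int main(void) {
    printf("naive close: %d dangling accesses\n", run_scenario(false));
    printf("safe close:  %d dangling accesses\n", run_scenario(true));
    return 0;
}
```

The naive path reports two dangling accesses, the hardened path none. The point to carry back to a real fix is the ordering: whatever owns the queue must unlink or clear references to the socket on the same path that frees it, since the drain routine has no other way to learn that its back-pointer has died.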


