Re: [Qemu-devel] A use-after-free in slirp
From: P J P
Subject: Re: [Qemu-devel] A use-after-free in slirp
Date: Thu, 24 Aug 2017 16:48:53 +0530 (IST)
Hello Samuel,
+-- On Wed, 23 Aug 2017, Samuel Thibault wrote --+
| The paste is not available any more. Is it really very large? It's usually
| really better to just send it by mail, so it's archived in the mailing list
| etc.
Yes, the stack trace was quite long.
===
==2704==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400001018c
at pc 0x003921ea145d bp 0x7fd49c4fc940 sp 0x7fd49c4fc930
READ of size 4 at 0x61400001018c thread T2
#0 0x3921ea145c in if_start slirp/if.c:230
#1 0x3921ea1015 in if_output slirp/if.c:141
#2 0x3921eadf1f in ip_output slirp/ip_output.c:85
#3 0x3921ed229e in tcp_respond slirp/tcp_subr.c:218
#4 0x3921ecc959 in tcp_input slirp/tcp_input.c:1392
#5 0x3921eab799 in ip_input slirp/ip_input.c:206
#6 0x3921eb6529 in slirp_input slirp/slirp.c:872
#7 0x3921e7c56f in net_slirp_receive net/slirp.c:119
#8 0x3921e60fe0 in nc_sendv_compat net/net.c:707
#9 0x3921e61170 in qemu_deliver_packet_iov net/net.c:734
#10 0x3921e67c53 in qemu_net_queue_deliver_iov net/queue.c:179
#11 0x3921e67e5b in qemu_net_queue_send_iov net/queue.c:224
#12 0x3921e61395 in qemu_sendv_packet_async net/net.c:770
#13 0x3921e613c2 in qemu_sendv_packet net/net.c:778
#14 0x3921e6961e in net_hub_receive_iov net/hub.c:72
#15 0x3921e69c12 in net_hub_port_receive_iov net/hub.c:123
#16 0x3921e61155 in qemu_deliver_packet_iov net/net.c:732
#17 0x3921e67ae7 in qemu_net_queue_deliver net/queue.c:164
#18 0x3921e67d59 in qemu_net_queue_send net/queue.c:199
#19 0x3921e60d58 in qemu_send_packet_async_with_flags net/net.c:661
#20 0x3921e60d90 in qemu_send_packet_async net/net.c:668
#21 0x3921e60dbd in qemu_send_packet net/net.c:674
#22 0x3921bef076 in ne2000_ioport_write hw/net/ne2000.c:302
#23 0x3921bf07c4 in ne2000_write hw/net/ne2000.c:688
#24 0x3921668a95 in memory_region_write_accessor /home/test/qemu/memory.c:529
#25 0x3921668d6e in access_with_adjusted_size /home/test/qemu/memory.c:595
#26 0x392166f4ca in memory_region_dispatch_write /home/test/qemu/memory.c:1337
#27 0x39215c633c in address_space_write_continue /home/test/qemu/exec.c:2942
#28 0x39215c65df in address_space_write /home/test/qemu/exec.c:2987
#29 0x39215c6df3 in address_space_rw /home/test/qemu/exec.c:3089
#30 0x39216a3159 in kvm_handle_io /home/test/qemu/accel/kvm/kvm-all.c:1795
#31 0x39216a4425 in kvm_cpu_exec /home/test/qemu/accel/kvm/kvm-all.c:2035
#32 0x3921636a6c in qemu_kvm_cpu_thread_fn /home/test/qemu/cpus.c:1128
#33 0x7fd4a5f4336c in start_thread (/lib64/libpthread.so.0+0x736c)
#34 0x7fd4a5c7bbbe in __GI___clone (/lib64/libc.so.6+0x110bbe)
0x61400001018c is located 332 bytes inside of 416-byte region
[0x614000010040,0x6140000101e0)
freed by thread T2 here:
#0 0x7fd4a967c4b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
#1 0x3921ebf027 in sofree slirp/socket.c:106
#2 0x3921ed2cd5 in tcp_close slirp/tcp_subr.c:334
#3 0x3921eca600 in tcp_input slirp/tcp_input.c:948
#4 0x3921eab799 in ip_input slirp/ip_input.c:206
#5 0x3921eb6529 in slirp_input slirp/slirp.c:872
#6 0x3921e7c56f in net_slirp_receive net/slirp.c:119
#7 0x3921e60fe0 in nc_sendv_compat net/net.c:707
#8 0x3921e61170 in qemu_deliver_packet_iov net/net.c:734
#9 0x3921e67c53 in qemu_net_queue_deliver_iov net/queue.c:179
#10 0x3921e67e5b in qemu_net_queue_send_iov net/queue.c:224
#11 0x3921e61395 in qemu_sendv_packet_async net/net.c:770
#12 0x3921e613c2 in qemu_sendv_packet net/net.c:778
#13 0x3921e6961e in net_hub_receive_iov net/hub.c:72
#14 0x3921e69c12 in net_hub_port_receive_iov net/hub.c:123
#15 0x3921e61155 in qemu_deliver_packet_iov net/net.c:732
#16 0x3921e67ae7 in qemu_net_queue_deliver net/queue.c:164
#17 0x3921e67d59 in qemu_net_queue_send net/queue.c:199
#18 0x3921e60d58 in qemu_send_packet_async_with_flags net/net.c:661
#19 0x3921e60d90 in qemu_send_packet_async net/net.c:668
#20 0x3921e60dbd in qemu_send_packet net/net.c:674
#21 0x3921bef076 in ne2000_ioport_write hw/net/ne2000.c:302
#22 0x3921bf07c4 in ne2000_write hw/net/ne2000.c:688
#23 0x3921668a95 in memory_region_write_accessor /home/test/qemu/memory.c:529
#24 0x3921668d6e in access_with_adjusted_size /home/test/qemu/memory.c:595
#25 0x392166f4ca in memory_region_dispatch_write /home/test/qemu/memory.c:1337
#26 0x39215c633c in address_space_write_continue /home/test/qemu/exec.c:2942
#27 0x39215c65df in address_space_write /home/test/qemu/exec.c:2987
#28 0x39215c6df3 in address_space_rw /home/test/qemu/exec.c:3089
#29 0x39216a3159 in kvm_handle_io /home/test/qemu/accel/kvm/kvm-all.c:1795
previously allocated by thread T2 here:
#0 0x7fd4a967c850 in malloc (/lib64/libasan.so.4+0xde850)
#1 0x3921ebeaa5 in socreate slirp/socket.c:51
#2 0x3921ec7184 in tcp_input slirp/tcp_input.c:432
#3 0x3921eab799 in ip_input slirp/ip_input.c:206
#4 0x3921eb6529 in slirp_input slirp/slirp.c:872
#5 0x3921e7c56f in net_slirp_receive net/slirp.c:119
#6 0x3921e60fe0 in nc_sendv_compat net/net.c:707
#7 0x3921e61170 in qemu_deliver_packet_iov net/net.c:734
#8 0x3921e67c53 in qemu_net_queue_deliver_iov net/queue.c:179
#9 0x3921e67e5b in qemu_net_queue_send_iov net/queue.c:224
#10 0x3921e61395 in qemu_sendv_packet_async net/net.c:770
#11 0x3921e613c2 in qemu_sendv_packet net/net.c:778
#12 0x3921e6961e in net_hub_receive_iov net/hub.c:72
#13 0x3921e69c12 in net_hub_port_receive_iov net/hub.c:123
#14 0x3921e61155 in qemu_deliver_packet_iov net/net.c:732
#15 0x3921e67ae7 in qemu_net_queue_deliver net/queue.c:164
#16 0x3921e67d59 in qemu_net_queue_send net/queue.c:199
#17 0x3921e60d58 in qemu_send_packet_async_with_flags net/net.c:661
#18 0x3921e60d90 in qemu_send_packet_async net/net.c:668
#19 0x3921e60dbd in qemu_send_packet net/net.c:674
#20 0x3921bef076 in ne2000_ioport_write hw/net/ne2000.c:302
#21 0x3921bf07c4 in ne2000_write hw/net/ne2000.c:688
#22 0x3921668a95 in memory_region_write_accessor /home/test/qemu/memory.c:529
#23 0x3921668d6e in access_with_adjusted_size /home/test/qemu/memory.c:595
#24 0x392166f4ca in memory_region_dispatch_write /home/test/qemu/memory.c:1337
#25 0x39215c633c in address_space_write_continue /home/test/qemu/exec.c:2942
#26 0x39215c65df in address_space_write /home/test/qemu/exec.c:2987
#27 0x39215c6df3 in address_space_rw /home/test/qemu/exec.c:3089
#28 0x39216a3159 in kvm_handle_io /home/test/qemu/accel/kvm/kvm-all.c:1795
#29 0x39216a4425 in kvm_cpu_exec /home/test/qemu/accel/kvm/kvm-all.c:2035
Thread T2 created by T0 here:
#0 0x7fd4a95d5a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
#1 0x39221e317e in qemu_thread_create util/qemu-thread-posix.c:508
#2 0x39216392a7 in qemu_kvm_start_vcpu /home/test/qemu/cpus.c:1734
#3 0x3921639868 in qemu_init_vcpu /home/test/qemu/cpus.c:1774
#4 0x392182ae7a in x86_cpu_realizefn /home/test/qemu/target/i386/cpu.c:3735
#5 0x3921ae4b71 in device_set_realized hw/core/qdev.c:914
#6 0x3921f66be3 in property_set_bool qom/object.c:1886
#7 0x3921f629f5 in object_property_set qom/object.c:1093
#8 0x3921f6987c in object_property_set_qobject qom/qom-qobject.c:27
#9 0x3921f62cc2 in object_property_set_bool qom/object.c:1162
#10 0x39217abf1f in pc_new_cpu /home/test/qemu/hw/i386/pc.c:1102
#11 0x39217ac727 in pc_cpus_init /home/test/qemu/hw/i386/pc.c:1182
#12 0x39217b5c34 in pc_init1 /home/test/qemu/hw/i386/pc_piix.c:151
#13 0x39217b79c5 in pc_init_v2_10 /home/test/qemu/hw/i386/pc_piix.c:446
#14 0x3921af5157 in machine_run_board_init hw/core/machine.c:760
#15 0x392196b37c in main /home/test/qemu/vl.c:4633
#16 0x7fd4a5b8b509 in __libc_start_main (/lib64/libc.so.6+0x20509)
SUMMARY: AddressSanitizer: heap-use-after-free slirp/if.c:230 in if_start
Shadow bytes around the buggy address:
0x0c287fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c287fffa010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c287fffa020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c287fffa030: fd[fd]fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2704==ABORTING
===
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
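Editor's note on triaging a report like the one above. The following Python script is an added example and is not part of Prasad's mail or of the QEMU/slirp code base. It parses an AddressSanitizer heap-use-after-free report into its access, free and allocation stacks, skips the sanitizer's own interceptor frames, and reports the three sites a reviewer reads first (the use, the free and the allocation) together with the innermost function shared by the use and free stacks. The embedded SAMPLE_REPORT is an excerpt of the report quoted in the mail, trimmed to the frames the triage needs; the function and field names are the script's own.

```python
"""Parse an ASan heap-use-after-free report and summarise the frames a triager
reads first. Added example; names and layout are this script's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report quoted in the mail above, trimmed to the leading frames.
SAMPLE_REPORT = """\
==2704==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400001018c
at pc 0x003921ea145d bp 0x7fd49c4fc940 sp 0x7fd49c4fc930
READ of size 4 at 0x61400001018c thread T2
    #0 0x3921ea145c in if_start slirp/if.c:230
    #1 0x3921ea1015 in if_output slirp/if.c:141
    #2 0x3921eadf1f in ip_output slirp/ip_output.c:85
    #3 0x3921ed229e in tcp_respond slirp/tcp_subr.c:218
    #4 0x3921ecc959 in tcp_input slirp/tcp_input.c:1392
    #5 0x3921eab799 in ip_input slirp/ip_input.c:206
    #6 0x3921eb6529 in slirp_input slirp/slirp.c:872
0x61400001018c is located 332 bytes inside of 416-byte region
[0x614000010040,0x6140000101e0)
freed by thread T2 here:
    #0 0x7fd4a967c4b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
    #1 0x3921ebf027 in sofree slirp/socket.c:106
    #2 0x3921ed2cd5 in tcp_close slirp/tcp_subr.c:334
    #3 0x3921eca600 in tcp_input slirp/tcp_input.c:948
    #4 0x3921eab799 in ip_input slirp/ip_input.c:206
    #5 0x3921eb6529 in slirp_input slirp/slirp.c:872
previously allocated by thread T2 here:
    #0 0x7fd4a967c850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x3921ebeaa5 in socreate slirp/socket.c:51
    #2 0x3921ec7184 in tcp_input slirp/tcp_input.c:432
    #3 0x3921eab799 in ip_input slirp/ip_input.c:206
SUMMARY: AddressSanitizer: heap-use-after-free slirp/if.c:230 in if_start
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" or "(module+offset)" for unsymbolised frames

@dataclass
class AsanReport:
    kind: str = ""
    address: str = ""
    access: str = ""
    access_size: int = 0
    thread: str = ""
    offset: int = -1        # bytes from the start of the freed region
    region_size: int = -1
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)

def parse_asan_report(text: str) -> AsanReport:
    """Split the report into named stacks: 'use', 'free', 'alloc', 'thread'."""
    report, current = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ERROR_RE.search(line)):
            report.kind, report.address = m.group(1), m.group(2)
        elif (m := ACCESS_RE.match(line)):
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            current = "use"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif line.startswith("Thread ") and " created by " in line:
            current = "thread"
        elif (m := REGION_RE.search(line)):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
            current = None  # the region line closes the access stack
        elif current and (m := FRAME_RE.match(line)):
            report.stacks.setdefault(current, []).append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report

def first_app_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip ASan's interceptor frames (malloc/__interceptor_free) and return the
    first frame that belongs to the program under test."""
    for f in stack:
        if "libasan" not in f.location and not f.function.startswith("__interceptor"):
            return f
    return None

def common_caller(use: List[Frame], free: List[Frame]) -> Optional[str]:
    """Innermost function on the use stack that also appears on the free stack.
    A place to start reading code, not proof that the two calls shared a path."""
    free_funcs = {f.function for f in free}
    return next((f.function for f in use if f.function in free_funcs), None)

def triage(text: str) -> dict:
    r = parse_asan_report(text)
    site = lambda name: (lambda f: f"{f.function} {f.location}" if f else None)(
        first_app_frame(r.stacks.get(name, [])))
    return {"kind": r.kind, "address": r.address,
            "access": f"{r.access} of {r.access_size} bytes in {r.thread}",
            "offset": r.offset, "region_size": r.region_size,
            "use_site": site("use"), "free_site": site("free"), "alloc_site": site("alloc"),
            "common_caller": common_caller(r.stacks.get("use", []), r.stacks.get("free", []))}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:14} {value}")
```

Run against the excerpt it reports the use at if_start (slirp/if.c:230), the free at sofree (slirp/socket.c:106) reached from tcp_close, the allocation in socreate, and tcp_input as the innermost function common to the use and free stacks, which is where a reviewer would start checking how the socket's lifetime is tracked after tcp_close returns.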