
Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow


From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
Date: Mon, 23 Jul 2018 17:46:03 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

"liujunjie (A)" <address@hidden> writes:

> Thanks for your reply.
>> Really?  How exactly can this happen?  Please explain step by step.
> There exists a qemu core related to this. You have mentioned that "The
> conversion truncates when strlen(str) - 1 exceeds INT_MAX".
> Later in function qstring_from_substr, this truncated "end" will be assigned
> to "qstring->length" again, which is size_t. This is the key point why qemu
> coredumped.
> Because when "end" is truncated, it can be a negative number. If we assign a
> negative number to a size_t variable, this size_t variable can become very
> large.
> At last, we call g_malloc to try to alloc a large number of members, which
> cannot succeed. So qemu coredumps.
> In my example, using gdb to debug function qstring_from_substr, I can get the
> following message.
> (gdb) p qstring->length
> $4 = 18446744072383980732  (too large to allocate)
> (gdb) p (int) (qstring->length)
> $5 = -1325570884
> (gdb) p/x (int) qstring->length
> $6 = 0xb0fd64bc
> (gdb) p/x qstring->length
> $7 = 0xffffffffb0fd64bc
> (gdb) p end
> $8 = <optimized out>

Can you provide a stack backtrace, too?
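The narrowing chain described in the quoted mail (size_t strlen result, int "end" parameter, negative int written back into a size_t length, oversized g_malloc) is easy to reproduce without touching QEMU. The following is an added, stand-alone illustration written for this thread; it is not QEMU's qstring code. The function names `length_via_int_params` and `substr_length_checked` are invented, the input `0xb0fd64bc` is a constructed string length chosen so that its low 32 bits match the gdb output above (the real length from the core is not stated in the thread), and the arithmetic assumes a 64-bit size_t with the usual two's-complement modulo conversion that gcc and clang implement. Nothing is allocated; the code only computes the size that would be handed to the allocator.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the length computation discussed in the thread:
 * the caller derives end = strlen(str) - 1 as size_t, it is narrowed to an
 * int parameter, and the callee stores end - start + 1 into a size_t field.
 * Returns the byte count that g_malloc would be asked for (no allocation).
 */
size_t length_via_int_params(size_t str_len)
{
    int start = 0;
    /* Narrowing: implementation-defined once str_len - 1 > INT_MAX.
     * gcc/clang wrap modulo 2^32, which is what the gdb session shows. */
    int end = (int)(str_len - 1);
    /* For huge inputs 'end' is negative; converting the negative int back
     * to size_t yields a value just below SIZE_MAX. */
    size_t length = (size_t)(end - start + 1);
    return length;
}

/*
 * Hardened variant: keep every bound in size_t and validate the range before
 * doing arithmetic on it. Returns the substring length, or 0 when the bounds
 * are inconsistent (a valid inclusive range is never shorter than 1).
 */
size_t substr_length_checked(size_t str_len, size_t start, size_t end)
{
    if (start > end || end >= str_len) {
        return 0;                  /* empty or out-of-range request */
    }
    size_t length = end - start + 1;   /* end < str_len, so this cannot wrap */
    if (length == SIZE_MAX) {
        return 0;                  /* length + 1 (NUL terminator) would wrap */
    }
    return length;
}

int main(void)
{
    /* Constructed input: low 32 bits equal the 0xb0fd64bc seen in gdb. */
    size_t huge = 0xb0fd64bcUL;

    printf("int-based length for %zu bytes: %zu\n",
           huge, length_via_int_params(huge));
    printf("checked length for the same string: %zu\n",
           substr_length_checked(huge, 0, huge - 1));
    printf("checked length, reversed bounds: %zu\n",
           substr_length_checked(huge, 10, 5));
    return 0;
}
```

With the constructed input, `length_via_int_params` returns 18446744072383980732, the exact value the reporter printed for `qstring->length`, while `substr_length_checked` returns the true 2969396412-byte length and rejects inconsistent bounds instead of letting a wrapped value reach the allocator.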
