[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1661815] Re: Stack address is returned from function translate_one

From: Thomas Huth
Subject: [Bug 1661815] Re: Stack address is returned from function translate_one
Date: Thu, 23 Jan 2020 11:11:37 -0000

I've finally posted a patch for this:

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  Stack address is returned from function translate_one

Status in QEMU:

Bug description:
  The vulnerable version is qemu-2.8.0, and the vulnerable function is
  in "target-s390x/translate.c".

  The code snippet is as following.

  static ExitStatus translate_one(CPUS390XState *env, DisasContext *s)
      const DisasInsn *insn;
      ExitStatus ret = NO_EXIT;
      DisasFields f;
      s->fields = &f;
      s->pc = s->next_pc;
      return ret;

  A stack address, i.e. the address of local variable "f" is returned
  from current function through the output parameter "s->fields" as a
  side effect.

  This issue is one kind of undefined behaviors, according the C
  Standard, 6.2.4 [ISO/IEC 9899:2011]

  This dangerous defect may lead to an exploitable vulnerability.
  We suggest sanitizing "s->fields" as null before return.

  Note that this issue is reported by shqking and Zhenwei Zou together.

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]