qemu-devel

Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309)


From: Michael S. Tsirkin
Subject: Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309)
Date: Thu, 10 Nov 2022 00:11:00 -0500

Xuan Zhuo, please take a look ASAP.

On Thu, Nov 10, 2022 at 03:04:41AM +0000, Alexander Bulekov (@a1xndr) wrote:
Alexander Bulekov created an issue: #1309

Hello,

I bisected this to 7f863302 ("virtio-net: support queue_enable"). CC:
@mstredhat @jasowang (could not find Kangjie Xu or Xuan Zhuo GitLab accounts).

 Reproducer

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -M q35 -nodefaults -device virtio-net,netdev=net0 -netdev \
user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000804
outl 0xcfc 0x01
outl 0xc00d 0x0200
outl 0xcf8 0x80000890
outb 0xcfc 0x4
outl 0xcf8 0x80000889
outl 0xcfc 0x1c000000
outl 0xcf8 0x80000893
outw 0xcfc 0x100
EOF

 Stack-Trace

==3742222==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61400001a9f8 at pc 0x55db851032b1 bp 0x7ffe639914c0 sp 0x7ffe639914b8
READ of size 8 at 0x61400001a9f8 thread T0
    #0 0x55db851032b0 in virtio_net_queue_enable 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:572:14
    #1 0x55db85361748 in memory_region_write_accessor 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
    #2 0x55db8536129a in access_with_adjusted_size 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
    #3 0x55db85360c03 in memory_region_dispatch_write 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
    #4 0x55db8485e11f in virtio_address_space_write 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:592:5
    #5 0x55db8485e11f in virtio_write_config 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:670:13
    #6 0x55db844de82a in pci_host_config_write_common 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci_host.c:85:5
    #7 0x55db85361748 in memory_region_write_accessor 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
    #8 0x55db8536129a in access_with_adjusted_size 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
    #9 0x55db85360c03 in memory_region_dispatch_write 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
    #10 0x55db853ad390 in flatview_write_continue 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2825:23
    #11 0x55db853a4833 in flatview_write 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2867:12
    #12 0x55db853a4543 in address_space_write 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2963:18
    #13 0x55db85354567 in cpu_outw 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/ioport.c:70:5
    #14 0x55db853b8129 in qtest_process_command 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:480:13
    #15 0x55db853b6cb8 in qtest_process_inbuf 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:802:9
    #16 0x55db85a3e284 in fd_chr_read 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../chardev/char-fd.c:72:9
    #17 0x7f7f528c8a9e in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53a9e) (BuildId: 
1697a734f1bc7448cd8772689a1c439343f062f7)
    #18 0x55db85cc1f33 in glib_pollfds_poll 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:297:9
    #19 0x55db85cc1f33 in os_host_main_loop_wait 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:320:5
    #20 0x55db85cc1f33 in main_loop_wait 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:606:11
    #21 0x55db849163a6 in qemu_main_loop 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/runstate.c:739:9
    #22 0x55db83d54105 in qemu_default_main 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:37:14
    #23 0x7f7f520c6209 in __libc_start_call_main 
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x7f7f520c62bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #25 0x55db83c93ef0 in _start 
(/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x1f9cef0) 
(BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)

0x61400001a9f8 is located 32 bytes to the right of 408-byte region 
[0x61400001a840,0x61400001a9d8)
allocated by thread T0 here:
    #0 0x55db83d16f28 in __interceptor_calloc 
(/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x201ff28) 
(BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)
    #1 0x7f7f528ceb30 in g_malloc0 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x59b30) (BuildId: 
1697a734f1bc7448cd8772689a1c439343f062f7)
    #2 0x55db850f8d11 in virtio_net_device_realize 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:3621:18
    #3 0x55db85250321 in virtio_device_realize 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio.c:4168:9
    #4 0x55db85658931 in device_set_realized 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
    #5 0x55db85679238 in property_set_bool 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
    #6 0x55db8567442c in object_property_set 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
    #7 0x55db8568012c in object_property_set_qobject 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
    #8 0x55db844cef9a in pci_qdev_realize 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci.c:2218:9
    #9 0x55db85658931 in device_set_realized 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
    #10 0x55db85679238 in property_set_bool 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
    #11 0x55db8567442c in object_property_set 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
    #12 0x55db8568012c in object_property_set_qobject 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
    #13 0x55db8490f344 in qdev_device_add 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qdev-monitor.c:733:11
    #14 0x55db849172b2 in qemu_create_cli_devices 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2536:5
    #15 0x55db849172b2 in qmp_x_exit_preconfig 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2604:5
    #16 0x55db8491db5f in qemu_init 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:3601:9
    #17 0x55db83d54125 in main 
/home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:47:5

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53186

libqtest Reproducer: repro.c

Thank you
