Re: QEMU | Heap-overflow in virtio_net_queue

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309)

From:	Alexander Bulekov
Subject:	Re: QEMU \| Heap-overflow in virtio_net_queue_enable (#1309)
Date:	Thu, 10 Nov 2022 10:50:24 -0500

On 221110 1453, Xuan Zhuo wrote:
> On Thu, 10 Nov 2022 00:11:00 -0500, "Michael S. Tsirkin" <mst@redhat.com> 
> wrote:
> > Xuan Zhuo pls take a look ASAP.
> >
> > On Thu, Nov 10, 2022 at 03:04:41AM +0000, Alexander Bulekov (@a1xndr) wrote:
> > Alexander Bulekov created an issue: #1309
> >
> > Hello,
> >
> > I bisected this to 7f863302 ("virtio-net: support queue_enable"). CC:
> > @mstredhat @jasowang (could not find Kangjie Xu or Xuan Zhuo gitlab 
> > accounts).
> >
> >  Reproducer
> >
> > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> > 512M -M q35 -nodefaults -device virtio-net,netdev=net0 -netdev \
> > user,id=net0 -qtest stdio
> > outl 0xcf8 0x80000810
> > outl 0xcfc 0xc000
> > outl 0xcf8 0x80000804
> > outl 0xcfc 0x01
> > outl 0xc00d 0x0200
> > outl 0xcf8 0x80000890
> > outb 0xcfc 0x4
> > outl 0xcf8 0x80000889
> > outl 0xcfc 0x1c000000
> > outl 0xcf8 0x80000893
> > outw 0xcfc 0x100
> > EOF
> 
> 
> Hi, I don't reproduce this problem, need valgrind?

It should work in a build with --enable-sanitizers
-Alex

> 
> 
> Thanks.
> 
> 
>       sudo sh test.sh
>       [I 0.000000] OPENED
>       [R +0.014069] outl 0xcf8 0x80000810
>       [S +0.014089] OK
>       OK
>       [R +0.014100] outl 0xcfc 0xc000
>       [S +0.014113] OK
>       OK
>       [R +0.014117] outl 0xcf8 0x80000804
>       [S +0.014125] OK
>       OK
>       [R +0.014133] outl 0xcfc 0x01
>       [S +0.014210] OK
>       OK
>       [R +0.014215] outl 0xc00d 0x0200
>       [S +0.014222] OK
>       OK
>       [R +0.014226] outl 0xcf8 0x80000890
>       [S +0.014233] OK
>       OK
>       [R +0.014240] outb 0xcfc 0x4
>       [S +0.014247] OK
>       OK
>       [R +0.014252] outl 0xcf8 0x80000889
>       [S +0.014259] OK
>       OK
>       [R +0.014266] outl 0xcfc 0x1c000000
>       [S +0.014275] OK
>       OK
>       [R +0.014279] outl 0xcf8 0x80000893
>       [S +0.014288] OK
>       OK
>       [R +0.014292] outw 0xcfc 0x100
>       [S +0.014304] OK
>       OK
>       [I +0.014319] CLOSED
> 
> 
> 
> 
> 
>       ^Cqemu-system-i386: GLib: g_timer_elapsed: assertion 'timer != NULL' 
> failed
>       [I +0.000000] CLOSED
> 
> 
> >
> >  Stack-Trace
> >
> > ==3742222==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> > 0x61400001a9f8 at pc 0x55db851032b1 bp 0x7ffe639914c0 sp 0x7ffe639914b8
> > READ of size 8 at 0x61400001a9f8 thread T0
> >     #0 0x55db851032b0 in virtio_net_queue_enable 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:572:14
> >     #1 0x55db85361748 in memory_region_write_accessor 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
> >     #2 0x55db8536129a in access_with_adjusted_size 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
> >     #3 0x55db85360c03 in memory_region_dispatch_write 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
> >     #4 0x55db8485e11f in virtio_address_space_write 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:592:5
> >     #5 0x55db8485e11f in virtio_write_config 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:670:13
> >     #6 0x55db844de82a in pci_host_config_write_common 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci_host.c:85:5
> >     #7 0x55db85361748 in memory_region_write_accessor 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
> >     #8 0x55db8536129a in access_with_adjusted_size 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
> >     #9 0x55db85360c03 in memory_region_dispatch_write 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
> >     #10 0x55db853ad390 in flatview_write_continue 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2825:23
> >     #11 0x55db853a4833 in flatview_write 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2867:12
> >     #12 0x55db853a4543 in address_space_write 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2963:18
> >     #13 0x55db85354567 in cpu_outw 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/ioport.c:70:5
> >     #14 0x55db853b8129 in qtest_process_command 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:480:13
> >     #15 0x55db853b6cb8 in qtest_process_inbuf 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:802:9
> >     #16 0x55db85a3e284 in fd_chr_read 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../chardev/char-fd.c:72:9
> >     #17 0x7f7f528c8a9e in g_main_context_dispatch 
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53a9e) (BuildId: 
> > 1697a734f1bc7448cd8772689a1c439343f062f7)
> >     #18 0x55db85cc1f33 in glib_pollfds_poll 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:297:9
> >     #19 0x55db85cc1f33 in os_host_main_loop_wait 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:320:5
> >     #20 0x55db85cc1f33 in main_loop_wait 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:606:11
> >     #21 0x55db849163a6 in qemu_main_loop 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/runstate.c:739:9
> >     #22 0x55db83d54105 in qemu_default_main 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:37:14
> >     #23 0x7f7f520c6209 in __libc_start_call_main 
> > csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> >     #24 0x7f7f520c62bb in __libc_start_main csu/../csu/libc-start.c:389:3
> >     #25 0x55db83c93ef0 in _start 
> > (/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x1f9cef0)
> >  (BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)
> >
> > 0x61400001a9f8 is located 32 bytes to the right of 408-byte region 
> > [0x61400001a840,0x61400001a9d8)
> > allocated by thread T0 here:
> >     #0 0x55db83d16f28 in __interceptor_calloc 
> > (/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x201ff28)
> >  (BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)
> >     #1 0x7f7f528ceb30 in g_malloc0 
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x59b30) (BuildId: 
> > 1697a734f1bc7448cd8772689a1c439343f062f7)
> >     #2 0x55db850f8d11 in virtio_net_device_realize 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:3621:18
> >     #3 0x55db85250321 in virtio_device_realize 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio.c:4168:9
> >     #4 0x55db85658931 in device_set_realized 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
> >     #5 0x55db85679238 in property_set_bool 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
> >     #6 0x55db8567442c in object_property_set 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
> >     #7 0x55db8568012c in object_property_set_qobject 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
> >     #8 0x55db844cef9a in pci_qdev_realize 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci.c:2218:9
> >     #9 0x55db85658931 in device_set_realized 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
> >     #10 0x55db85679238 in property_set_bool 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
> >     #11 0x55db8567442c in object_property_set 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
> >     #12 0x55db8568012c in object_property_set_qobject 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
> >     #13 0x55db8490f344 in qdev_device_add 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qdev-monitor.c:733:11
> >     #14 0x55db849172b2 in qemu_create_cli_devices 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2536:5
> >     #15 0x55db849172b2 in qmp_x_exit_preconfig 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2604:5
> >     #16 0x55db8491db5f in qemu_init 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:3601:9
> >     #17 0x55db83d54125 in main 
> > /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:47:5
> >
> > OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53186
> >
> > libqtest Reproducer: repro.c
> >
> > Thank you
> >
> > —
> > Reply to this email directly or view it on GitLab.
> > You're receiving this email because you have been mentioned on gitlab.com.
> > Unsubscribe from this thread · Manage all notifications · Help
> >
>

[Prev in Thread]

Current Thread

[Next in Thread]

Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309), Michael S. Tsirkin, 2022/11/10
- Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309), Jason Wang, 2022/11/10
  - Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309), Xuan Zhuo, 2022/11/10
- Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309), Xuan Zhuo, 2022/11/10
  - Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309), Alexander Bulekov <=

Prev by Date: Re: [PATCH] avocado: use sha1 for fc31 imgs to avoid first time re-download
Next by Date: Re: [PATCH v6 10/10] vdpa: Always start CVQ in SVQ mode
Previous by thread: Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309)
Next by thread: [PATCH v2 0/2] hw/nvme: errp fixes
Index(es):
- Date
- Thread