Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with

From:	Juan Quintela
Subject:	Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with axv512
Date:	Wed, 15 Mar 2023 21:57:40 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Matheus Tavares Bernardino <quic_mathbern@quicinc.com> wrote:
> xbzrle_encode_buffer_avx512() checks for overflows too scarcely in its
> outer loop, causing out-of-bounds writes:
>
> $ ../configure --target-list=aarch64-softmmu --enable-sanitizers 
> --enable-avx512bw
> $ make tests/unit/test-xbzrle && ./tests/unit/test-xbzrle
>
> ==5518==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x62100000b100 at pc 0x561109a7714d bp 0x7ffed712a440 sp 0x7ffed712a430
> WRITE of size 1 at 0x62100000b100 thread T0
>     #0 0x561109a7714c in uleb128_encode_small ../util/cutils.c:831
>     #1 0x561109b67f6a in xbzrle_encode_buffer_avx512 ../migration/xbzrle.c:275
>     #2 0x5611099a7428 in test_encode_decode_overflow 
> ../tests/unit/test-xbzrle.c:153
>     #3 0x7fb2fb65a58d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7a58d)
>     #4 0x7fb2fb65a333  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7a333)
>     #5 0x7fb2fb65aa79 in g_test_run_suite 
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7aa79)
>     #6 0x7fb2fb65aa94 in g_test_run 
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7aa94)
>     #7 0x5611099a3a23 in main ../tests/unit/test-xbzrle.c:218
>     #8 0x7fb2fa78c082 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>     #9 0x5611099a608d in _start (/qemu/build/tests/unit/test-xbzrle+0x28408d)
>
> 0x62100000b100 is located 0 bytes to the right of 4096-byte region 
> [0x62100000a100,0x62100000b100)
> allocated by thread T0 here:
>     #0 0x7fb2fb823a06 in __interceptor_calloc 
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
>     #1 0x7fb2fb637ef0 in g_malloc0 
> (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57ef0)
>
> Fix that by performing the overflow check in the inner loop, instead.
>
> Signed-off-by: Matheus Tavares Bernardino <quic_mathbern@quicinc.com>

Reviewed-by: Juan Quintela <quintela@redhat.com>

queued.

As David said, we can still improve the code.

thanks, Juan.

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH RESEND v2 0/2] migration/xbzrle: fix two avx512 runtime issues, Matheus Tavares Bernardino, 2023/03/13
- [PATCH RESEND v2 1/2] migration/xbzrle: use ctz64 to avoid undefined result, Matheus Tavares Bernardino, 2023/03/13
  - Re: [PATCH RESEND v2 1/2] migration/xbzrle: use ctz64 to avoid undefined result, Dr. David Alan Gilbert, 2023/03/15
  - Re: [PATCH RESEND v2 1/2] migration/xbzrle: use ctz64 to avoid undefined result, Juan Quintela, 2023/03/15
- [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with axv512, Matheus Tavares Bernardino, 2023/03/13
  - Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with axv512, Dr. David Alan Gilbert, 2023/03/15
  - Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with axv512, Juan Quintela <=

Prev by Date: Re: [PATCH RESEND v2 1/2] migration/xbzrle: use ctz64 to avoid undefined result
Next by Date: Re: [PATCH 02/10] python: drop pipenv
Previous by thread: Re: [PATCH RESEND v2 2/2] migration/xbzrle: fix out-of-bounds write with axv512
Next by thread: [PULL v3 00/91] tcg patch queue
Index(es):
- Date
- Thread