Stack address is returned from function translate_one
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned | 
Bug Description
The vulnerable version is qemu-2.8.0, and the vulnerable function is in "target-
The code snippet is as follows.
```c
static ExitStatus translate_one(CPUS390XState *env, DisasContext *s)
{
    const DisasInsn *insn;
    ExitStatus ret = NO_EXIT;
    DisasFields f;
    /* ... */
    s->fields = &f;        /* address of the local "f" stored into the context */
    /* ... */
    s->pc = s->next_pc;
    return ret;            /* s->fields still points at "f" after it goes out of scope */
}
```
A stack address, i.e. the address of the local variable "f", is returned from the current function through the output parameter "s->fields" as a side effect.
This issue is one kind of undefined behavior, according to the C Standard, 6.2.4 [ISO/IEC 9899:2011] (https:/
This dangerous defect may lead to an exploitable vulnerability.
We suggest setting "s->fields" to null before returning.
Note that this issue is reported by shqking and Zhenwei Zou together.
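The defect class described in the report, reduced to a self-contained C program that is an added illustration and not QEMU's code: the struct definitions are constructed stand-ins for the QEMU types named above, `translate_one_leaky` keeps the reported shape (the address of a local is published through `s->fields` and left there), `translate_one_fixed` applies the suggested fix of clearing the out-pointer before returning, and `leaves_dangling_pointer` is a hypothetical caller-side check that inspects the pointer value without dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the QEMU types named in the report (not QEMU's real definitions). */
typedef struct {
    int op;     /* hypothetical decoded opcode field */
    int r1;     /* hypothetical decoded register field */
} DisasFields;

typedef struct {
    DisasFields *fields;   /* output parameter that receives the address of a local */
    uint64_t pc;
    uint64_t next_pc;
} DisasContext;

/* Shape of the reported defect: the address of the local "f" is published through
 * s->fields and is still stored there after f's lifetime ends at the closing brace. */
static int translate_one_leaky(DisasContext *s)
{
    DisasFields f = { .op = 0x07, .r1 = 1 };   /* constructed sample decode result */
    s->fields = &f;
    /* ... the real function decodes the instruction using s->fields here ... */
    s->pc = s->next_pc;
    return 0;                                  /* s->fields now dangles */
}

/* The fix the report suggests: clear the out-pointer before the local goes out of scope. */
static int translate_one_fixed(DisasContext *s)
{
    DisasFields f = { .op = 0x07, .r1 = 1 };   /* constructed sample decode result */
    s->fields = &f;
    /* ... same decode work ... */
    s->pc = s->next_pc;
    s->fields = NULL;                          /* nothing outlives f */
    return 0;
}

/* Caller-side check: after the translate function returns, does the context still
 * carry a pointer at all? Non-zero means a later reader would touch dead stack.
 * Only the pointer value is compared; it is never dereferenced. */
int leaves_dangling_pointer(int (*translate)(DisasContext *))
{
    DisasContext s = { .fields = NULL, .pc = 0, .next_pc = 4 };
    translate(&s);
    return s.fields != NULL;
}

/* Guarded reader: with the fix in place a stale read fails closed (-1) instead of
 * silently returning whatever now occupies the old stack slot. */
int read_op_guarded(const DisasContext *s)
{
    if (s->fields == NULL) {
        return -1;
    }
    return s->fields->op;
}

/* Runs the fixed translator and then attempts a guarded read of the decoded fields. */
int guarded_read_after_fixed(void)
{
    DisasContext s = { .fields = NULL, .pc = 0, .next_pc = 4 };
    translate_one_fixed(&s);
    return read_op_guarded(&s);
}

int main(void)
{
    printf("leaky version leaves a dangling s->fields: %d\n",
           leaves_dangling_pointer(translate_one_leaky));
    printf("fixed version leaves a dangling s->fields: %d\n",
           leaves_dangling_pointer(translate_one_fixed));
    printf("guarded read after fixed translate: %d\n", guarded_read_after_fixed());
    return 0;
}
```

The leaky variant reports 1 (a pointer to a dead stack frame is still reachable through the context), the fixed variant reports 0, and the guarded read after the fixed variant returns -1 rather than stale stack contents. In the real code the null-out only matters if some later reader consults `->fields` after the return, which is the question the developer's reply below raises; the example shows why clearing the pointer turns any such read into a detectable failure instead of a silent use of indeterminate memory.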
tags: added: behavior undefined
tags: removed: behavior undefined
Changed in qemu: assignee: nobody → shqking (shqking)
Changed in qemu: assignee: shqking (shqking) → nobody
Changed in qemu: status: Fix Committed → Fix Released
The calling function never uses "->fields", so I do not see a real vulnerability here, is there? Did you use a code analyser for this, or how did you come across this issue?