QEMU

memcpy param-overlap in Slirp ip_stripoptions through e1000e

Bug #1878043 reported by Alexander Bulekov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Dr. David Alan Gilbert

Bug Description

Hello,
While fuzzing, I found an input that triggers an overlapping memcpy (caught by AddressSanitizer).
Overlapping memcpys are undefined behavior according to the POSIX and C standards, and can lead to bugs.

==16666==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x625000264940,0x62500026699a) and [0x625000264948, 0x6250002669a2) overlap
    #0 0x5622d7b6a3d4 in __asan_memcpy (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96c3d4)
    #1 0x5622d896a2d2 in ip_stripoptions /home/alxndr/Development/qemu/slirp/src/ip_input.c:457:5
    #2 0x5622d8963378 in udp_input /home/alxndr/Development/qemu/slirp/src/udp.c:86:9
    #3 0x5622d89351ea in slirp_input /home/alxndr/Development/qemu/slirp/src/slirp.c:840:13
    #4 0x5622d852e162 in net_slirp_receive /home/alxndr/Development/qemu/net/slirp.c:126:5
    #5 0x5622d8515851 in nc_sendv_compat /home/alxndr/Development/qemu/net/net.c:700:15
    #6 0x5622d8515851 in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:728:15
    #7 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
    #8 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
    #9 0x5622d851b1c1 in net_hub_receive_iov /home/alxndr/Development/qemu/net/hub.c:74:9
    #10 0x5622d851b1c1 in net_hub_port_receive_iov /home/alxndr/Development/qemu/net/hub.c:125:12
    #11 0x5622d851572b in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:726:15
    #12 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
    #13 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
    #14 0x5622d828bf87 in net_tx_pkt_sendv /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:546:9
    #15 0x5622d828bf87 in net_tx_pkt_send /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620:9
    #16 0x5622d82b5f22 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/hw/net/e1000e_core.c:666:16
    #17 0x5622d82b5f22 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
    #18 0x5622d82b5f22 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
    #19 0x5622d82b2be0 in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
    #20 0x5622d82a30fc in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
    #21 0x5622d7c9e336 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
    #22 0x5622d7c9dcdf in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
    #23 0x5622d7c9dcdf in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
    #24 0x5622d7bb31d3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
    #25 0x5622d7babb97 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
    #26 0x5622d7babb97 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18

0x625000264940 is located 64 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
allocated by thread T0 here:
    #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
    #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)

0x625000264948 is located 72 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
allocated by thread T0 here:
    #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
    #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)

I can reproduce it in qemu 5.0 built with --enable-sanitizers using:
cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe1069000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fb20
write 0xe1069100 0xe 0xff810000000000008420f9e10019
write 0x820b 0xc 0x080047bb0c02e10000004011
write 0xe1020403 0x36 0xb700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e1
EOF

I also attached the trace to this launchpad report, in case the formatting is broken:

qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none < attachment

Please let me know if I can provide any further info.
-Alex

Revision history for this message
Alexander Bulekov (a1xndr) wrote :
Revision history for this message
Dr. David Alan Gilbert (dgilbert-h) wrote :

Created patch and merge request in upstream libslirp:

https://gitlab.freedesktop.org/dgilbert/libslirp/-/commit/d620bac888923524f8b8407dbf35f6d2b3b7ddb2

Changed in qemu:
assignee: nobody → Dr. David Alan Gilbert (dgilbert-h)
status: New → In Progress
Revision history for this message
Dr. David Alan Gilbert (dgilbert-h) wrote :

Committed in upstream libslirp:

commit d620bac888923524f8b8407dbf35f6d2b3b7ddb2 (origin/lp1878043, lp1878043)
Author: Dr. David Alan Gilbert <email address hidden>
Date: Fri Jul 17 18:17:41 2020 +0100

    ip_stripoptions use memmove

John Snow (jnsnow)
Changed in qemu:
status: In Progress → Fix Committed
Revision history for this message
Thomas Huth (th-huth) wrote :

Released with QEMU v5.2.0.

Changed in qemu:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.