Stack-overflow in _eth_get_rss_ex_dst_addr
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned | 
Bug Description
Hello,

While fuzzing, I found a 1-byte stack-overflow (read) through the e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55594f1a69e0 in _eth_get_
#1 0x55594f1a39da in eth_parse_ipv6_hdr /home/alxndr/
#2 0x55594ebc34f2 in net_tx_
#3 0x55594ebc2149 in net_tx_pkt_parse /home/alxndr/
#4 0x55594ec1ba76 in e1000e_
#5 0x55594ec1aea4 in e1000e_start_xmit /home/alxndr/
#6 0x55594ec0e70e in e1000e_set_tdt /home/alxndr/
#7 0x55594ebec435 in e1000e_core_write /home/alxndr/
#8 0x55594ebdf11b in e1000e_mmio_write /home/alxndr/
#9 0x55594dfd98b1 in memory_
#10 0x55594dfd9211 in access_
#11 0x55594dfd7c30 in memory_
#12 0x55594dde24b8 in flatview_
#13 0x55594ddd12dc in flatview_write /home/alxndr/
#14 0x55594ddd0dec in address_space_write /home/alxndr/
#15 0x55594dfcdbdc in qtest_process_
#16 0x55594dfc3700 in qtest_process_inbuf /home/alxndr/
#17 0x55594dfc2cc8 in qtest_read /home/alxndr/
#18 0x55594f74b259 in qemu_chr_
#19 0x55594f74b3ee in qemu_chr_be_write /home/alxndr/
#20 0x55594f7556fc in fd_chr_read /home/alxndr/
#21 0x55594f7ea488 in qio_channel_
#22 0x7f43f6c1d897 in g_main_
#23 0x55594f9dea5d in glib_pollfds_poll /home/alxndr/
#24 0x55594f9dd1d7 in os_host_
#25 0x55594f9dcd6e in main_loop_wait /home/alxndr/
#26 0x55594e44cd01 in qemu_main_loop /home/alxndr/
#27 0x55594f803c21 in main /home/alxndr/
#28 0x7f43f57b4e0a in __libc_start_main /build/
#29 0x55594dd03889 in _start (/home/
Address 0x7ffdb76c16c2 is located in stack of thread T0 at offset 34 in frame
#0 0x55594f1a303f in eth_parse_ipv6_hdr /home/alxndr/
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-
Shadow bytes around the buggy address:
0x100036ed0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036ed02d0: 00 00 00 00 f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00
0x100036ed02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed02f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036ed0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10318==ABORTING
I can reproduce it in qemu 5.0 built with address sanitizer using:
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0x25 0x2b 0x86dd1900ff5df
write 0xe1020030 0x409 0x190002e100000
EOF
Also attaching these commands. They can be executed with
./qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -monitor none -serial none -nographic < attachment
Let me know if I can provide any further info.
-Alex
tags: added: fuzzer
From Prasad:
struct ip6_ext_hdr {
    uint8_t ip6r_nxt; /* next header */
    uint8_t ip6r_len; /* length in units of 8 octets */
};
struct ip6_ext_hdr_routing {
    uint8_t nxt;
    uint8_t len;
    uint8_t rtype;
    uint8_t segleft;
    uint8_t rsvd[4];
};

Yes, it looks like it is because a 'struct ip6_ext_hdr' type stack variable's address is assigned to a 'struct ip6_ext_hdr_routing' type pointer, and such a pointer is accessing the '->rtype' variable, which is not present in 'struct ip6_ext_hdr'.
diff --git a/include/net/eth.h b/include/net/eth.h
index 7f45c678e7..38f2d52bcd 100644
--- a/include/net/eth.h
+++ b/include/net/eth.h
@@ -129,6 +129,7 @@ typedef struct ip6_pseudo_header {
struct ip6_ext_hdr {
uint8_t ip6r_nxt; /* next header */
uint8_t ip6r_len; /* length in units of 8 octets */
+ uint32_t padding;
};
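Review bot: the added `uint32_t padding;` silences the reported read by growing `struct ip6_ext_hdr` from 2 to 8 bytes (the compiler inserts two alignment bytes after `ip6r_len`, and `rtype`/`segleft` of `struct ip6_ext_hdr_routing` land exactly in those bytes), but it leaves the cast of a `struct ip6_ext_hdr *` to `struct ip6_ext_hdr_routing *` in place, so the parser still reads fields the generic struct does not declare, and their values are only meaningful if the caller actually copied that many bytes from the packet into the object. Prefer fixing the routing-header path to read its own `struct ip6_ext_hdr_routing` from the packet after checking the remaining length; if the padding is kept, add a comment stating that `struct ip6_ext_hdr` must stay at least as large as every extension-header struct it is reinterpreted as and that the copy from the packet must fill the whole object, because a bare `padding` member does not say why it exists.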
Above patch should help. It is okay to send this report upstream. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
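The type confusion Prasad describes, and the shape of a fix that reads the routing header as its own object instead of reinterpreting the 2-byte generic header, as an added C example (not QEMU's code and not part of the bug report): the two struct layouts are copied from the comment above; rtype_bytes_past_ext_hdr, rss_dst_from_ext_hdr_vuln, rss_dst_from_pkt and build_type2_routing_hdr are hypothetical helpers written for this example, the flat pkt/pkt_len buffer stands in for QEMU's iovec, and the sample packet is constructed. The vulnerable function is shown for comparison only and is never called, since calling it would read past the object exactly as in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Struct layouts exactly as quoted in Prasad's comment (QEMU include/net/eth.h). */
struct ip6_ext_hdr {
    uint8_t ip6r_nxt;   /* next header */
    uint8_t ip6r_len;   /* length in units of 8 octets */
};

struct ip6_ext_hdr_routing {
    uint8_t nxt;
    uint8_t len;
    uint8_t rtype;
    uint8_t segleft;
    uint8_t rsvd[4];
};

/* How many bytes past the end of a 'struct ip6_ext_hdr' the 'rtype' field of
 * the routing layout lies. 0 means rtype is the first byte after the 2-byte
 * object, which matches the 1-byte read ASan reported at frame offset 34 for
 * an object occupying [32, 34). (Hypothetical helper.) */
size_t rtype_bytes_past_ext_hdr(void)
{
    return offsetof(struct ip6_ext_hdr_routing, rtype) - sizeof(struct ip6_ext_hdr);
}

/* VULNERABLE PATTERN, for comparison only (undefined behaviour, never called):
 * the caller has a 2-byte 'struct ip6_ext_hdr' on its stack, and this function
 * reinterprets it as the 8-byte routing layout, reading ext_hdr[2] and
 * ext_hdr[3], which do not belong to the object. */
bool rss_dst_from_ext_hdr_vuln(const struct ip6_ext_hdr *ext_hdr)
{
    const struct ip6_ext_hdr_routing *rt = (const struct ip6_ext_hdr_routing *)ext_hdr;
    return rt->rtype == 2 && rt->segleft == 1;
}

/* HARDENED (hypothetical helper): bounds-check against the packet, then copy a
 * complete 'struct ip6_ext_hdr_routing' from the packet bytes themselves. For a
 * Type 2 routing header (RFC 6275) the 16-byte home address follows the 8-byte
 * fixed part and Hdr Ext Len is 2. Fills dst and returns true on success. */
bool rss_dst_from_pkt(const uint8_t *pkt, size_t pkt_len, size_t ext_off, uint8_t dst[16])
{
    struct ip6_ext_hdr_routing rt;

    if (ext_off > pkt_len || pkt_len - ext_off < sizeof(rt)) {
        return false;                   /* truncated: not even the 8-byte fixed part */
    }
    memcpy(&rt, pkt + ext_off, sizeof(rt));

    if (rt.rtype != 2 || rt.segleft != 1 || rt.len != 2) {
        return false;                   /* not a Type 2 header carrying one address */
    }
    if (pkt_len - ext_off - sizeof(rt) < 16) {
        return false;                   /* header promises an address the packet lacks */
    }
    memcpy(dst, pkt + ext_off + sizeof(rt), 16);
    return true;
}

/* Constructed sample input: a Type 2 routing header at offset 0 followed by
 * the home address 2001:db8::1. Returns the number of bytes written. */
size_t build_type2_routing_hdr(uint8_t *buf, size_t buf_len)
{
    static const uint8_t hdr[24] = {
        59,             /* nxt = No Next Header */
        2,              /* len = 2 (16 octets follow the first 8) */
        2,              /* rtype = 2 */
        1,              /* segleft = 1 */
        0, 0, 0, 0,     /* rsvd */
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
    };
    if (buf_len < sizeof(hdr)) {
        return 0;
    }
    memcpy(buf, hdr, sizeof(hdr));
    return sizeof(hdr);
}

int main(void)
{
    uint8_t pkt[24], dst[16];
    size_t n = build_type2_routing_hdr(pkt, sizeof(pkt));

    printf("rtype lies %zu bytes past the end of struct ip6_ext_hdr\n",
           rtype_bytes_past_ext_hdr());
    printf("full header (%zu bytes): %s\n", n,
           rss_dst_from_pkt(pkt, n, 0, dst) ? "dst extracted" : "rejected");
    printf("only the 2 generic bytes present: %s\n",
           rss_dst_from_pkt(pkt, 2, 0, dst) ? "dst extracted" : "rejected");
    return 0;
}
```

The hardened path never touches memory the packet did not provide: the length check runs before the copy, the copy fills a whole routing struct rather than a 2-byte one, and the address read is checked separately, so a frame that stops after the generic header (the shape the fuzzer produced) is simply rejected.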