1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
|
Guest(ubuntu 18.04) crashes when trying uploading file
I speficy slirp network, and I can open websites, git clone repos. But when I try to upload a file to slack, or try to do a git push, it crashes.
My host is ubuntu 16.04 with kernel 4.15.0-29-generic, and qemu is latest source in git(commit 1fb57da72ae0886e). The command I use is
./x86_64-softmmu/qemu-system-x86_64 -machine q35,accel=kvm -m 2048 -drive file=../qcow2/guest.qcow2 -netdev user,id=realnet0 -device e1000e,netdev=realnet0
The trace is as follows
*** Error in `./x86_64-softmmu/qemu-system-x86_64': free(): invalid next size (normal): 0x00007f66d80b7300 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f66fb7967e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f66fb79f37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f66fb7a353c]
./x86_64-softmmu/qemu-system-x86_64(+0x6a8549)[0x55dc10c7d549]
./x86_64-softmmu/qemu-system-x86_64(+0x6a99d4)[0x55dc10c7e9d4]
./x86_64-softmmu/qemu-system-x86_64(+0x6ad09a)[0x55dc10c8209a]
./x86_64-softmmu/qemu-system-x86_64(+0x6a3feb)[0x55dc10c78feb]
./x86_64-softmmu/qemu-system-x86_64(+0x6a746e)[0x55dc10c7c46e]
./x86_64-softmmu/qemu-system-x86_64(+0x68fe2c)[0x55dc10c64e2c]
./x86_64-softmmu/qemu-system-x86_64(+0x685b3b)[0x55dc10c5ab3b]
./x86_64-softmmu/qemu-system-x86_64(+0x685bfd)[0x55dc10c5abfd]
./x86_64-softmmu/qemu-system-x86_64(+0x6885a8)[0x55dc10c5d5a8]
./x86_64-softmmu/qemu-system-x86_64(+0x688717)[0x55dc10c5d717]
./x86_64-softmmu/qemu-system-x86_64(+0x685d27)[0x55dc10c5ad27]
./x86_64-softmmu/qemu-system-x86_64(+0x685d54)[0x55dc10c5ad54]
./x86_64-softmmu/qemu-system-x86_64(+0x586bb8)[0x55dc10b5bbb8]
./x86_64-softmmu/qemu-system-x86_64(+0x586d92)[0x55dc10b5bd92]
./x86_64-softmmu/qemu-system-x86_64(+0x586ecd)[0x55dc10b5becd]
./x86_64-softmmu/qemu-system-x86_64(+0x593ea8)[0x55dc10b68ea8]
./x86_64-softmmu/qemu-system-x86_64(+0x59419d)[0x55dc10b6919d]
./x86_64-softmmu/qemu-system-x86_64(+0x5947df)[0x55dc10b697df]
./x86_64-softmmu/qemu-system-x86_64(+0x597ddf)[0x55dc10b6cddf]
./x86_64-softmmu/qemu-system-x86_64(+0x5989e7)[0x55dc10b6d9e7]
./x86_64-softmmu/qemu-system-x86_64(+0x58ae11)[0x55dc10b5fe11]
./x86_64-softmmu/qemu-system-x86_64(+0x30d4f6)[0x55dc108e24f6]
./x86_64-softmmu/qemu-system-x86_64(+0x30d70e)[0x55dc108e270e]
./x86_64-softmmu/qemu-system-x86_64(+0x310336)[0x55dc108e5336]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac368)[0x55dc10881368]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac4b2)[0x55dc108814b2]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac7b8)[0x55dc108817b8]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac809)[0x55dc10881809]
./x86_64-softmmu/qemu-system-x86_64(+0x32b673)[0x55dc10900673]
./x86_64-softmmu/qemu-system-x86_64(+0x2f2875)[0x55dc108c7875]
./x86_64-softmmu/qemu-system-x86_64(+0x81b91c)[0x55dc10df091c]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f66fbaf06ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f66fb82641d]
======= Memory map: ========
55dc105d5000-55dc112a9000 r-xp 00000000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc114a9000-55dc115bd000 r--p 00cd4000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc115bd000-55dc11773000 rw-p 00de8000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc11773000-55dc117b5000 rw-p 00000000 00:00 0
55dc134d6000-55dc14e20000 rw-p 00000000 00:00 0 [heap]
7f6634000000-7f6634021000 rw-p 00000000 00:00 0
7f6634021000-7f6638000000 ---p 00000000 00:00 0
7f663c000000-7f663c021000 rw-p 00000000 00:00 0
7f663c021000-7f6640000000 ---p 00000000 00:00 0
7f6642000000-7f6644000000 rw-s 00000000 00:05 4882443 /SYSV00000000 (deleted)
7f6644000000-7f6644021000 rw-p 00000000 00:00 0
7f6644021000-7f6648000000 ---p 00000000 00:00 0
7f66491cc000-7f66491cd000 ---p 00000000 00:00 0
7f66491cd000-7f66499cd000 rw-p 00000000 00:00 0
7f66499cd000-7f66499ce000 ---p 00000000 00:00 0
7f66499ce000-7f664a1ce000 rw-p 00000000 00:00 0
7f664a1ce000-7f664a1cf000 ---p 00000000 00:00 0
7f664a1cf000-7f664a9cf000 rw-p 00000000 00:00 0
7f664a9cf000-7f664a9d0000 ---p 00000000 00:00 0
7f664a9d0000-7f664b1d0000 rw-p 00000000 00:00 0
7f664b1d0000-7f664b1d1000 ---p 00000000 00:00 0
7f664b1d1000-7f664b9d1000 rw-p 00000000 00:00 0
7f664b9d1000-7f664b9d2000 ---p 00000000 00:00 0
7f664b9d2000-7f664bad2000 rw-p 00000000 00:00 0
7f664bad2000-7f664bad3000 ---p 00000000 00:00 0
7f664bad3000-7f664bbd3000 rw-p 00000000 00:00 0
7f664bbd3000-7f664bbd4000 ---p 00000000 00:00 0
7f664bbd4000-7f664bcd4000 rw-p 00000000 00:00 0
7f664bcd4000-7f664bcd5000 ---p 00000000 00:00 0
7f664bcd5000-7f664c4d5000 rw-p 00000000 00:00 0
7f664c4d5000-7f664c4d6000 ---p 00000000 00:00 0
7f664c4d6000-7f664c5d6000 rw-p 00000000 00:00 0
7f664c5d6000-7f664c5d7000 ---p 00000000 00:00 0
7f664c5d7000-7f664c6d7000 rw-p 00000000 00:00 0
7f664c6d7000-7f664c6d8000 ---p 00000000 00:00 0
7f664c6d8000-7f664c7d8000 rw-p 00000000 00:00 0
7f664c7d8000-7f664c7d9000 ---p 00000000 00:00 0
7f664c7d9000-7f664c8d9000 rw-p 00000000 00:00 0
7f664c8d9000-7f664c8da000 ---p 00000000 00:00 0
7f664c8da000-7f664c9da000 rw-p 00000000 00:00 0
7f664c9da000-7f664c9db000 ---p 00000000 00:00 0
7f664c9db000-7f664cadb000 rw-p 00000000 00:00 0
7f664cadb000-7f664cadc000 ---p 00000000 00:00 0
7f664cadc000-7f664cbdc000 rw-p 00000000 00:00 0
7f664cbdc000-7f664cbdd000 ---p 00000000 00:00 0
7f664cbdd000-7f664ccdd000 rw-p 00000000 00:00 0
7f664ccdd000-7f664ccde000 ---p 00000000 00:00 0
7f664ccde000-7f664cdde000 rw-p 00000000 00:00 0
7f664cdde000-7f664cddf000 ---p 00000000 00:00 0
7f664cddf000-7f664cedf000 rw-p 00000000 00:00 0
7f664cedf000-7f664cee0000 ---p 00000000 00:00 0
7f664cee0000-7f664cfe0000 rw-p 00000000 00:00 0
7f664cfe0000-7f664cfe1000 ---p 00000000 00:00 0
7f664cfe1000-7f664d0e1000 rw-p 00000000 00:00 0
7f664d0e1000-7f664d0e2000 ---p 00000000 00:00 0
7f664d0e2000-7f664d1e2000 rw-p 00000000 00:00 0
7f664d1e2000-7f664d1e3000 ---p 00000000 00:00 0
7f664d1e3000-7f664d2e3000 rw-p 00000000 00:00 0
7f664d2e3000-7f664d2e4000 ---p 00000000 00:00 0
7f664d2e4000-7f664d3e4000 rw-p 00000000 00:00 0
7f664d3e4000-7f664d3e5000 ---p 00000000 00:00 0
7f664d3e5000-7f664d4e5000 rw-p 00000000 00:00 0
7f664d4e5000-7f664d4e6000 ---p 00000000 00:00 0
7f664d4e6000-7f664d5e6000 rw-p 00000000 00:00 0
7f664d5e6000-7f664d5e7000 ---p 00000000 00:00 0
7f664d5e7000-7f664d6e7000 rw-p 00000000 00:00 0
7f664d6e7000-7f664d6e8000 ---p 00000000 00:00 0
7f664d6e8000-7f664d7e8000 rw-p 00000000 00:00 0
7f664d7e8000-7f664d7e9000 ---p 00000000 00:00 0
7f664d7e9000-7f664d8e9000 rw-p 00000000 00:00 0
7f664d8e9000-7f664d8ea000 ---p 00000000 00:00 0
7f664d8ea000-7f664d9ea000 rw-p 00000000 00:00 0
7f664d9ea000-7f664d9eb000 ---p 00000000 00:00 0
7f664d9eb000-7f664daeb000 rw-p 00000000 00:00 0
7f664daeb000-7f664daec000 ---p 00000000 00:00 0
7f664daec000-7f664dbec000 rw-p 00000000 00:00 0
7f664dbec000-7f664dbed000 ---p 00000000 00:00 0
7f664dbed000-7f664dced000 rw-p 00000000 00:00 0
7f664dced000-7f664dcee000 ---p 00000000 00:00 0
7f664dcee000-7f664ddee000 rw-p 00000000 00:00 0
7f664ddee000-7f664ddef000 ---p 00000000 00:00 0
7f664ddef000-7f664deef000 rw-p 00000000 00:00 0
7f664deef000-7f664def0000 ---p 00000000 00:00 0
7f664def0000-7f664dff0000 rw-p 00000000 00:00 0
7f664dff0000-7f664dff1000 ---p 00000000 00:00 0
7f664dff1000-7f664e0f1000 rw-p 00000000 00:00 0
7f664e0f1000-7f664e0f2000 ---p 00000000 00:00 0
7f664e0f2000-7f664e1f2000 rw-p 00000000 00:00 0
7f664e1f2000-7f664e1f3000 ---p 00000000 00:00 0
7f664e1f3000-7f664e2f3000 rw-p 00000000 00:00 0
7f664e2f3000-7f664e2f4000 ---p 00000000 00:00 0
7f664e2f4000-7f664e3f4000 rw-p 00000000 00:00 0
7f664e3f4000-7f664e3f5000 ---p 00000000 00:00 0
7f664e3f5000-7f664e4f5000 rw-p 00000000 00:00 0
7f664e4f5000-7f664e4f6000 ---p 00000000 00:00 0
7f664e4f6000-7f664e5f6000 rw-p 00000000 00:00 0
7f664e5f6000-7f664e5f7000 ---p 00000000 00:00 0
7f664e5f7000-7f664e6f7000 rw-p 00000000 00:00 0
7f664e6f7000-7f664e6f8000 ---p 00000000 00:00 0
7f664e6f8000-7f664e7f8000 rw-p 00000000 00:00 0
7f664e7f8000-7f664e7f9000 ---p 00000000 00:00 0
7f664e7f9000-7f664e8f9000 rw-p 00000000 00:00 0
7f664e8f9000-7f664e8fa000 ---p 00000000 00:00 0
7f664e8fa000-7f664e9fa000 rw-p 00000000 00:00 0
7f664e9fa000-7f664e9fb000 ---p 00000000 00:00 0
7f664e9fb000-7f664eafb000 rw-p 00000000 00:00 0
7f664eafb000-7f664eafc000 ---p 00000000 00:00 0
7f664eafc000-7f664ebfc000 rw-p 00000000 00:00 0
7f664ebfc000-7f664ebfd000 ---p 00000000 00:00 0
7f664ebfd000-7f664ecfd000 rw-p 00000000 00:00 0
7f664ecfd000-7f664ecfe000 ---p 00000000 00:00 0
7f664ecfe000-7f664edfe000 rw-p 00000000 00:00 0
7f664edfe000-7f664edff000 ---p 00000000 00:00 0
7f664edff000-7f664eeff000 rw-p 00000000 00:00 0
7f664eeff000-7f664ef00000 ---p 00000000 00:00 0
7f664ef00000-7f664f000000 rw-p 00000000 00:00 0
7f664f6fe000-7f664f6ff000 ---p 00000000 00:00 0
7f664f6ff000-7f664f7ff000 rw-p 00000000 00:00 0
7f664f7ff000-7f664f800000 ---p 00000000 00:00 0
7f664f800000-7f6650000000 rw-p 00000000 00:00 0
7f6650000000-7f6650022000 rw-p 00000000 00:00 0
7f6650022000-7f6654000000 ---p 00000000 00:00 0
7f66540f5000-7f66540f6000 ---p 00000000 00:00 0
7f66540f6000-7f66541f6000 rw-p 00000000 00:00 0
7f66541f6000-7f66541f7000 ---p 00000000 00:00 0
7f66541f7000-7f66542f7000 rw-p 00000000 00:00 0
7f66542f7000-7f66542f8000 ---p 00000000 00:00 0
7f66542f8000-7f66543f8000 rw-p 00000000 00:00 0
7f66543f8000-7f66543f9000 ---p 00000000 00:00 0
7f66543f9000-7f66544f9000 rw-p 00000000 00:00 0
7f66544f9000-7f66544fa000 ---p 00000000 00:00 0
7f66544fa000-7f66545fa000 rw-p 00000000 00:00 0
7f66545fa000-7f66545fb000 ---p 00000000 00:00 0
7f66545fb000-7f66546fb000 rw-p 00000000 00:00 0
7f66546fb000-7f66546fc000 ---p 00000000 00:00 0
7f66546fc000-7f66547fc000 rw-p 00000000 00:00 0
7f66547fc000-7f66547fd000 ---p 00000000 00:00 0
7f66547fd000-7f66548fd000 rw-p 00000000 00:00 0
7f66548fd000-7f66548fe000 ---p 00000000 00:00 0
7f66548fe000-7f66549fe000 rw-p 00000000 00:00 0
7f66549fe000-7f66549ff000 ---p 00000000 00:00 0
7f66549ff000-7f6654aff000 rw-p 00000000 00:00 0
7f6654aff000-7f6654b00000 ---p 00000000 00:00 0
7f6654b00000-7f6654c00000 rw-p 00000000 00:00 0
7f6654c00000-7f6654c01000 rw-p 00000000 00:00 0
7f6654c01000-7f6654c02000 ---p 00000000 00:00 0
7f6654cff000-7f6654d00000 ---p 00000000 00:00 0
7f6654d00000-7f6654e00000 rw-p 00000000 00:00 0
7f6654e00000-7f6654e01000 rw-p 00000000 00:00 0
7f6654e01000-7f6654e02000 ---p 00000000 00:00 0
7f6654eff000-7f6654f00000 ---p 00000000 00:00 0
7f6654f00000-7f6655000000 rw-p 00000000 00:00 0
7f6655000000-7f6655200000 rw-p 00000000 00:00 0
7f6655200000-7f6655201000 ---p 00000000 00:00 0
7f665523b000-7f6656af1000 r-xp 00000000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656af1000-7f6656cf0000 ---p 018b6000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf0000-7f6656cf1000 r--p 018b5000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf1000-7f6656cf2000 rw-p 018b6000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf2000-7f6656e71000 r-xp 00000000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6656e71000-7f6657071000 ---p 0017f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657071000-7f6657081000 r--p 0017f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657081000-7f6657082000 rw-p 0018f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657082000-7f6657086000 rw-p 00000000 00:00 0
7f6657086000-7f6657237000 r-xp 00000000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657237000-7f6657436000 ---p 001b1000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657436000-7f665743e000 r--p 001b0000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f665743e000-7f6657440000 rw-p 001b8000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657440000-7f6657441000 rw-p 00000000 00:00 0
7f6657441000-7f6657e00000 r--p 00000000 103:02 2235565 /usr/lib/locale/locale-archive
7f6657e00000-7f66d7e00000 rw-p 00000000 00:00 0
7f66d7e00000-7f66d7e01000 ---p 00000000 00:00 0
7f66d7eff000-7f66d7f00000 ---p 00000000 00:00 0
7f66d7f00000-7f66d8000000 rw-p 00000000 00:00 0
7f66d8000000-7f66d8b29000 rw-p 00000000 00:00 0
7f66d8b29000-7f66dc000000 ---p 00000000 00:00 0
7f66dc000000-7f66dc022000 rw-p 00000000 00:00 0
7f66dc022000-7f66e0000000 ---p 00000000 00:00 0
7f66e008a000-7f66e008b000 ---p 00000000 00:00 0
7f66e008b000-7f66e018b000 rw-p 00000000 00:00 0
7f66e018b000-7f66e01c2000 r-xp 00000000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e01c2000-7f66e03c2000 ---p 00037000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c2000-7f66e03c5000 r--p 00037000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c5000-7f66e03c6000 rw-p 0003a000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c6000-7f66e03fb000 r-xp 00000000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e03fb000-7f66e05fb000 ---p 00035000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fb000-7f66e05fc000 r--p 00035000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fc000-7f66e05fd000 rw-p 00036000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fd000-7f66e05ff000 r-xp 00000000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e05ff000-7f66e07fe000 ---p 00002000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e07fe000-7f66e07ff000 r--p 00001000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e07ff000-7f66e0800000 rw-p 00002000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e0800000-7f66e0840000 rw-p 00000000 00:00 0
7f66e0840000-7f66e0841000 ---p 00000000 00:00 0
7f66e08ff000-7f66e0900000 ---p 00000000 00:00 0
7f66e0900000-7f66e0a00000 rw-p 00000000 00:00 0
7f66e0a00000-7f66e0a10000 rw-p 00000000 00:00 0
7f66e0a10000-7f66e0a11000 ---p 00000000 00:00 0
7f66e0aff000-7f66e0b00000 ---p 00000000 00:00 0
7f66e0b00000-7f66e0c00000 rw-p 00000000 00:00 0
7f66e0c00000-7f66e1c00000 rw-p 00000000 00:00 0
7f66e1c00000-7f66e1c01000 ---p 00000000 00:00 0
7f66e1cff000-7f66e1d00000 ---p 00000000 00:00 0
7f66e1d00000-7f66e1e00000 rw-p 00000000 00:00 0
7f66e1e00000-7f66e1e20000 rw-p 00000000 00:00 0
7f66e1e20000-7f66e1e21000 ---p 00000000 00:00 0
7f66e1e5c000-7f66e1eb3000 r--p 00000000 103:02 3277771 /usr/share/fonts/truetype/ubuntu-font-family/Ubuntu-R.ttf
7f66e1eb3000-7f66e1ebe000 r--s 00000000 103:02 3019418 /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-le64.cache-6
7f66e1ebe000-7f66e1ed3000 r--s 00000000 103:02 3019394 /var/cache/fontconfig/04aabc0a78ac019cf9454389977116d2-le64.cache-6
7f66e1eff000-7f66e1f00000 ---p 00000000 00:00 0
7f66e1f00000-7f66e2000000 rw-p 00000000 00:00 0
7f66e2000000-7f66e2040000 rw-p 00000000 00:00 0
7f66e2040000-7f66e2041000 ---p 00000000 00:00 0
7f66e204a000-7f66e204b000 rw-p 00000000 00:00 0
7f66e204b000-7f66e2051000 r--s 00000000 103:02 3019400 /var/cache/fontconfig/2cd17615ca594fa2959ae173292e504c-le64.cache-6
7f66e2051000-7f66e2052000 r--s 00000000 103:02 3019397 /var/cache/fontconfig/0d8c3b2ac0904cb8a57a757ad11a4a08-le64.cache-6
7f66e2052000-7f66e2053000 r--s 00000000 103:02 3019399 /var/cache/fontconfig/1ac9eb803944fde146138c791f5cc56a-le64.cache-6
7f66e2053000-7f66e2057000 r--s 00000000 103:02 3019404 /var/cache/fontconfig/385c0604a188198f04d133e54aba7fe7-le64.cache-6
7f66e2057000-7f66e2058000 r--s 00000000 103:02 3019431 /var/cache/fontconfig/dc05db6664285cc2f12bf69c139ae4c3-le64.cache-6
7f66e2058000-7f66e205b000 r--s 00000000 103:02 3019414 /var/cache/fontconfig/767a8244fc0220cfb567a839d0392e0b-le64.cache-6
7f66e205b000-7f66e2060000 r--s 00000000 103:02 3019417 /var/cache/fontconfig/8801497958630a81b71ace7c5f9b32a8-le64.cache-6
7f66e2060000-7f66e2067000 r--s 00000000 103:02 3019401 /var/cache/fontconfig/3047814df9a2f067bd2d96a2b9c36e5a-le64.cache-6
7f66e2067000-7f66e206d000 r--s 00000000 103:02 3019422 /var/cache/fontconfig/b47c4e1ecd0709278f4910c18777a504-le64.cache-6
7f66e206d000-7f66e2080000 r--s 00000000 103:02 3019428 /var/cache/fontconfig/d52a8644073d54c13679302ca1180695-le64.cache-6
7f66e2080000-7f66e208b000 r--s 00000000 103:02 3019416 /var/cache/fontconfig/83bf95040141907cd45bb53cf7c1c148-le64.cache-6
7f66e208b000-7f66e209d000 r--s 00000000 103:02 3019420 /var/cache/fontconfig/9b89f8e3dae116d678bbf48e5f21f69b-le64.cache-6
7f66e209d000-7f66e20bc000 r--s 00000000 103:02 2752558 /usr/share/mime/mime.cache
7f66e20bc000-7f66e20bd000 ---p 00000000 00:00 0
7f66e20bd000-7f66e21bd000 rw-p 00000000 00:00 0
7f66e21bd000-7f66e21be000 ---p 00000000 00:00 0
7f66e21be000-7f66e2ca2000 rw-p 00000000 00:00 0
7f66e2ca2000-7f66e2ca3000 ---p 00000000 00:00 0
7f66e2ca3000-7f66e2da3000 rw-p 00000000 00:00 0
7f66e2da3000-7f66e2da4000 ---p 00000000 00:00 0
7f66e2da4000-7f66e35a4000 rw-p 00000000 00:00 0
7f66e35a4000-7f66e35ab000 r-xp 00000000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e35ab000-7f66e37ab000 ---p 00007000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ab000-7f66e37ac000 r--p 00007000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ac000-7f66e37ad000 rw-p 00008000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ad000-7f66e37d7000 r-xp 00000000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e37d7000-7f66e39d6000 ---p 0002a000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d6000-7f66e39d7000 r--p 00029000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d7000-7f66e39d8000 rw-p 0002a000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d8000-7f66e39e1000 r-xp 00000000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e39e1000-7f66e3be0000 ---p 00009000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be0000-7f66e3be1000 r--p 00008000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be1000-7f66e3be2000 rw-p 00009000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be2000-7f66e3bf6000 r-xp 00000000 103:02 2237676 /usr/lib/x86_64-linux-gnu/libtdb.so.1.3.8Aborted (core dumped)
I can recreate this here.
#0 0x00007fffec275feb in raise () at /lib64/libc.so.6
#1 0x00007fffec2605c1 in abort () at /lib64/libc.so.6
#2 0x00007fffec2b89d7 in __libc_message () at /lib64/libc.so.6
#3 0x00007fffec2beeac in () at /lib64/libc.so.6
#4 0x00007fffec2c091c in _int_free () at /lib64/libc.so.6
#5 0x00007ffff725b4d2 in g_free () at /lib64/libglib-2.0.so.0
#6 0x0000555555b49551 in m_free (m=0x7fffc44b0dd0) at /home/dgilbert/git/qemu/slirp/mbuf.c:114
#7 0x0000555555b4a33d in sbappend (so=<optimized out>, m=<optimized out>) at /home/dgilbert/git/qemu/slirp/sbuf.c:82
#8 0x0000555555b4d6ae in tcp_input (m=0x7fffc44b0dd0, iphlen=<optimized out>, inso=<optimized out>, af=<optimized out>)
at /home/dgilbert/git/qemu/slirp/tcp_input.c:1300
#9 0x0000555555b48d98 in slirp_input (slirp=<optimized out>, pkt=0x7fffc44ad900 "RU\n", pkt_len=pkt_len@entry=66)
at /home/dgilbert/git/qemu/slirp/slirp.c:875
#10 0x0000555555b378e0 in net_slirp_receive (nc=<optimized out>, buf=<optimized out>, size=66) at /home/dgilbert/git/qemu/net/slirp.c:121
#11 0x0000555555b2ff4e in nc_sendv_compat (flags=<optimized out>, iovcnt=3, iov=0x7fffceff9a40, nc=0x5555567d5e60)
at /home/dgilbert/git/qemu/net/net.c:701
#12 0x0000555555b2ff4e in qemu_deliver_packet_iov (sender=<optimized out>, flags=<optimized out>, iov=0x7fffceff9a40, iovcnt=3, opaque=0x5555567d5e60)
at /home/dgilbert/git/qemu/net/net.c:728
#13 0x0000555555b32744 in qemu_net_queue_deliver_iov (iovcnt=3, iov=0x7fffceff9a40, flags=0, sender=0x555557a70ae0, queue=0x5555567d6010)
at /home/dgilbert/git/qemu/net/queue.c:179
#14 0x0000555555b32744 in qemu_net_queue_send_iov (queue=0x5555567d6010, sender=0x555557a70ae0, flags=0, iov=0x7fffceff9a40, iovcnt=3, sent_cb=<optimized out>) at /home/dgilbert/git/qemu/net/queue.c:224
#15 0x0000555555a6ec61 in net_tx_pkt_sendv (pkt=0x555557a71010, iov_cnt=3, iov=0x7fffceff9a40, nc=0x555557a70ae0)
at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:546
#16 0x0000555555a6ec61 in net_tx_pkt_do_sw_fragmentation (pkt=pkt@entry=0x555557a71010, nc=nc@entry=0x555557a70ae0)
at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:588
#17 0x0000555555a6f87f in net_tx_pkt_send (pkt=0x555557a71010, nc=nc@entry=0x555557a70ae0) at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:625
#18 0x0000555555a78ff8 in e1000e_tx_pkt_send (queue_index=<optimized out>, tx=0x555557a1d1e8, core=0x5555579fcf80)
at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:665
#19 0x0000555555a78ff8 in e1000e_process_tx_desc (queue_index=<optimized out>, dp=0x7fffceff9f30, tx=0x555557a1d1e8, core=0x5555579fcf80)
at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:742
#20 0x0000555555a78ff8 in e1000e_start_xmit (core=0x5555579fcf80, txr=<optimized out>, txr=<optimized out>)
at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:933
#21 0x0000555555a792b9 in e1000e_set_tdt (core=<optimized out>, index=<optimized out>, val=<optimized out>)
at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:2450
#22 0x0000555555a7c0a5 in e1000e_core_write (core=0x5555579fcf80, addr=<optimized out>, val=220, size=4)
at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:3255
#23 0x0000555555876c37 in memory_region_write_accessor (mr=0x5555579fcbb0, addr=14360, value=<optimized out>, size=4, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/dgilbert/git/qemu/memory.c:527
---Type <return> to continue, or q <return> to quit---
out>, access_size_max=<optimized out>, access_fn=0x555555876bc0 <memory_region_write_accessor>, mr=0x5555579fcbb0, attrs=...) at /home/dgilbert/git/qemu/memory.c:594
#25 0x00005555558794c1 in memory_region_dispatch_write (mr=mr@entry=0x5555579fcbb0, addr=14360, data=<optimized out>, size=4, attrs=attrs@entry=...) at /home/dgilbert/git/qemu/memory.c:1479
#26 0x0000555555823833 in flatview_write_continue (fv=fv@entry=0x7fffc50aebc0, addr=addr@entry=4273485848, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=len@entry=4, addr1=<optimized out>, l=<optimized out>, mr=0x5555579fcbb0) at /home/dgilbert/git/qemu/exec.c:3255
#27 0x0000555555823a59 in flatview_write (fv=0x7fffc50aebc0, addr=4273485848, attrs=..., buf=0x7ffff7ff3028 <incomplete sequence \334>, len=4) at /home/dgilbert/git/qemu/exec.c:3294
#28 0x000055555582737f in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>) at /home/dgilbert/git/qemu/exec.c:3384
#29 0x000055555582740a in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>, is_write=<optimized out>)
at /home/dgilbert/git/qemu/exec.c:3395
#30 0x000055555588b7b8 in kvm_cpu_exec (cpu=cpu@entry=0x55555683ddf0) at /home/dgilbert/git/qemu/accel/kvm/kvm-all.c:1979
#31 0x0000555555862896 in qemu_kvm_cpu_thread_fn (arg=0x55555683ddf0) at /home/dgilbert/git/qemu/cpus.c:1215
#32 0x00007fffec605594 in start_thread () at /lib64/libpthread.so.0
#33 0x00007fffec3390df in clone () at /lib64/libc.so.6
(This is with a fedora guest, so that's irrelevant)
Looks like it might be e1000e specific?
I can recreate it with either q35 with no extra options (it has e1000e by default), pc or q35 specifying e1000e, but plain pc works fine.
Simple test; scp bigfile from guest to user@10.0.2.2: (i.e. host)
Dave
It's indeed e1000e specific, when I change e1000e to e1000, I can upload file freely. Looks like there is an overflow somewhere in e1000e that corrupted the heap chunk header.
Hi,
I have find the overflow point using ASAN.
void
m_cat(struct mbuf *m, struct mbuf *n)
{
/*
* If there's no room, realloc
*/
if (M_FREEROOM(m) < n->m_len)
m_inc(m, m->m_len + n->m_len);
memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len;
m_free(n);
}
/* make m 'size' bytes large from m_data */
void
m_inc(struct mbuf *m, int size)
{
int datasize;
/* some compilers throw up on gotos. This one we can fake. */
if (m->m_size > size) {
return;
}
if (m->m_flags & M_EXT) {
datasize = m->m_data - m->m_ext;
m->m_ext = g_realloc(m->m_ext, size + datasize);
} else {
datasize = m->m_data - m->m_dat;
m->m_ext = g_malloc(size + datasize);
memcpy(m->m_ext, m->m_dat, m->m_size);
m->m_flags |= M_EXT;
}
m->m_data = m->m_ext + datasize;
m->m_size = size + datasize;
}
Here m_cat catenates two mbuf, when the first has no buffer, it allocates an M_EXT.
In m_inc, g_malloc called, then return m_cat, the next call to m_cat will trigger oob write.
Seems the m_len is too big.
In my debug, I see the m->m_len is 0x5b0, but datasize in m_inc is 0x40. Is this right?
Thanks,
Li Qiang
==17835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000041dd0 at pc 0x7ffff6e9ad7b bp 0x7fffc6b215d0 sp 0x7fffc6b20d80
WRITE of size 28 at 0x61f000041dd0 thread T4
#0 0x7ffff6e9ad7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
#1 0x55555663fa71 in m_cat slirp/mbuf.c:143
#2 0x555556632cdd in ip_reass slirp/ip_input.c:341
#3 0x555556631609 in ip_input slirp/ip_input.c:190
#4 0x55555663bd91 in slirp_input slirp/slirp.c:874
#5 0x555556600d6f in net_slirp_receive net/slirp.c:121
#6 0x5555565e8192 in nc_sendv_compat net/net.c:701
#7 0x5555565e8322 in qemu_deliver_packet_iov net/net.c:728
#8 0x5555565edda2 in qemu_net_queue_deliver_iov net/queue.c:179
#9 0x5555565edfaa in qemu_net_queue_send_iov net/queue.c:224
#10 0x5555565e8547 in qemu_sendv_packet_async net/net.c:764
#11 0x5555565e8574 in qemu_sendv_packet net/net.c:772
#12 0x55555636657c in net_tx_pkt_sendv hw/net/net_tx_pkt.c:546
#13 0x5555563668f3 in net_tx_pkt_do_sw_fragmentation hw/net/net_tx_pkt.c:588
#14 0x555556366c93 in net_tx_pkt_send hw/net/net_tx_pkt.c:625
#15 0x55555638586c in e1000e_tx_pkt_send hw/net/e1000e_core.c:665
#16 0x555556385fca in e1000e_process_tx_desc hw/net/e1000e_core.c:742
#17 0x555556387680 in e1000e_start_xmit hw/net/e1000e_core.c:933
#18 0x55555638f390 in e1000e_set_tdt hw/net/e1000e_core.c:2450
#19 0x5555563911cb in e1000e_core_write hw/net/e1000e_core.c:3255
#20 0x555556370524 in e1000e_mmio_write hw/net/e1000e.c:105
#21 0x555555d4ec07 in memory_region_write_accessor /home/liqiang02/qemu-devel/qemu/memory.c:527
#22 0x555555d4eee3 in access_with_adjusted_size /home/liqiang02/qemu-devel/qemu/memory.c:594
#23 0x555555d54d16 in memory_region_dispatch_write /home/liqiang02/qemu-devel/qemu/memory.c:1473
#24 0x555555c94b76 in flatview_write_continue /home/liqiang02/qemu-devel/qemu/exec.c:3255
#25 0x555555c94da1 in flatview_write /home/liqiang02/qemu-devel/qemu/exec.c:3294
#26 0x555555c95354 in address_space_write /home/liqiang02/qemu-devel/qemu/exec.c:3384
#27 0x555555c953a5 in address_space_rw /home/liqiang02/qemu-devel/qemu/exec.c:3395
#28 0x555555d92c4d in kvm_cpu_exec /home/liqiang02/qemu-devel/qemu/accel/kvm/kvm-all.c:1979
#29 0x555555d18936 in qemu_kvm_cpu_thread_fn /home/liqiang02/qemu-devel/qemu/cpus.c:1215
#30 0x5555569afef1 in qemu_thread_start util/qemu-thread-posix.c:504
#31 0x7fffdadbd493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#32 0x7fffdaafface in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
0x0c3e80000360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e80000370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e80000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e80000390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e800003a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3e800003b0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
0x0c3e800003c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e800003d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e800003e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e800003f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e80000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T4 created by T0 here:
#0 0x7ffff6e6ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x5555569b012f in qemu_thread_create util/qemu-thread-posix.c:534
#2 0x555555d1b7b9 in qemu_kvm_start_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:1935
#3 0x555555d1bf6c in qemu_init_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:2001
#4 0x555555f682de in x86_cpu_realizefn /home/liqiang02/qemu-devel/qemu/target/i386/cpu.c:4996
#5 0x55555621c00c in device_set_realized hw/core/qdev.c:826
#6 0x5555566f962f in property_set_bool qom/object.c:1984
#7 0x5555566f5bfc in object_property_set qom/object.c:1176
#8 0x5555566fbdce in object_property_set_qobject qom/qom-qobject.c:27
#9 0x5555566f5f19 in object_property_set_bool qom/object.c:1242
#10 0x555555edf7d7 in pc_new_cpu /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1107
#11 0x555555edfc98 in pc_cpus_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1155
#12 0x555555ef2451 in pc_q35_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:130
#13 0x555555ef37f4 in pc_init_v3_0 /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:320
#14 0x55555622ca6d in machine_run_board_init hw/core/machine.c:830
#15 0x555556099045 in main /home/liqiang02/qemu-devel/qemu/vl.c:4516
#16 0x7fffdaa372e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
For me:
c22098c74a fails
864036e251 fails
3835c310bd doesn't crash, but sometimes the outbound connection hangs.
So perhaps the crash is 864036e251f54c99d31df124aad7f34f01f5344c
http://patchwork.ozlabs.org/patch/954491/ is a patch which should fix this crash.
Glad to see such a quick fix, and ASAN looks like a great tool :)
Fix has been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09b94ac0f29db3b022a77
|