diff options
Diffstat (limited to 'results/classifier/108/other/1837094')
| -rw-r--r-- | results/classifier/108/other/1837094 | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/results/classifier/108/other/1837094 b/results/classifier/108/other/1837094 new file mode 100644 index 000000000..741c981be --- /dev/null +++ b/results/classifier/108/other/1837094 @@ -0,0 +1,48 @@ +device: 0.780 +network: 0.733 +semantic: 0.679 +graphic: 0.677 +socket: 0.620 +PID: 0.620 +debug: 0.553 +files: 0.544 +other: 0.543 +permissions: 0.542 +vnc: 0.531 +KVM: 0.530 +boot: 0.492 +performance: 0.380 + +UndefinedBehaviorSanitizer crash around slirp::ip_reass() + +tag: v4.1.0-rc1 + +./configure --enable-sanitizers --extra-cflags=-O1 + +==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130) +==26130==The signal is caused by a WRITE memory access. +==26130==Hint: address points to the zero page. + #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55 + #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9 + #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18 + +I only had access to the last packet which isn't the culprit, I'm now seeing how to log the network traffic of the guest to provide more useful information. + +Recent libslirp patch 126c04ac (explained in e0be8043) changed ip_reass(), so this bug might be fixed. + +https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04ac +https://gitlab.freedesktop.org/slirp/libslirp/commit/e0be8043 + +And + +https://gitlab.freedesktop.org/slirp/libslirp/commit/d203c81b + +I apologize for not understanding this bug was a security issue, and not insisting on it. + +It has been fixed in SLiRP by "Fix use-afte-free in ip_reass() (CVE-2020-1983)": +https://gitlab.freedesktop.org/slirp/libslirp/commit/9bd6c591 + +And in QEMU by commit 7769c23774 "slirp: update to fix CVE-2020-1983". + +Fixed in QEMU release v5.0.0 + |