Diffstat (limited to 'results/classifier/108/other/1878043')
| -rw-r--r-- | results/classifier/108/other/1878043 | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/results/classifier/108/other/1878043 b/results/classifier/108/other/1878043
new file mode 100644
index 000000000..3735c0953
--- /dev/null
+++ b/results/classifier/108/other/1878043
@@ -0,0 +1,102 @@
+graphic: 0.888
+other: 0.882
+device: 0.828
+KVM: 0.825
+performance: 0.793
+permissions: 0.787
+files: 0.778
+vnc: 0.766
+semantic: 0.764
+network: 0.750
+boot: 0.729
+PID: 0.723
+debug: 0.706
+socket: 0.689
+
+memcpy param-overlap in Slirp ip_stripoptions through e1000e
+
+Hello,
+While fuzzing, I found an input that triggers an overlapping memcpy (caught by AddressSanitizer).
+Overlapping memcpys are undefined behavior according to the POSIX and C standards, and can lead to bugs.
+
+==16666==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x625000264940,0x62500026699a) and [0x625000264948, 0x6250002669a2) overlap
+ #0 0x5622d7b6a3d4 in __asan_memcpy (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96c3d4)
+ #1 0x5622d896a2d2 in ip_stripoptions /home/alxndr/Development/qemu/slirp/src/ip_input.c:457:5
+ #2 0x5622d8963378 in udp_input /home/alxndr/Development/qemu/slirp/src/udp.c:86:9
+ #3 0x5622d89351ea in slirp_input /home/alxndr/Development/qemu/slirp/src/slirp.c:840:13
+ #4 0x5622d852e162 in net_slirp_receive /home/alxndr/Development/qemu/net/slirp.c:126:5
+ #5 0x5622d8515851 in nc_sendv_compat /home/alxndr/Development/qemu/net/net.c:700:15
+ #6 0x5622d8515851 in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:728:15
+ #7 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
+ #8 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
+ #9 0x5622d851b1c1 in net_hub_receive_iov /home/alxndr/Development/qemu/net/hub.c:74:9
+ #10 0x5622d851b1c1 in net_hub_port_receive_iov /home/alxndr/Development/qemu/net/hub.c:125:12
+ #11 0x5622d851572b in qemu_deliver_packet_iov /home/alxndr/Development/qemu/net/net.c:726:15
+ #12 0x5622d851786d in qemu_net_queue_deliver_iov /home/alxndr/Development/qemu/net/queue.c:179:11
+ #13 0x5622d851786d in qemu_net_queue_send_iov /home/alxndr/Development/qemu/net/queue.c:224:11
+ #14 0x5622d828bf87 in net_tx_pkt_sendv /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:546:9
+ #15 0x5622d828bf87 in net_tx_pkt_send /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620:9
+ #16 0x5622d82b5f22 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/hw/net/e1000e_core.c:666:16
+ #17 0x5622d82b5f22 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
+ #18 0x5622d82b5f22 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
+ #19 0x5622d82b2be0 in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
+ #20 0x5622d82a30fc in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261:9
+ #21 0x5622d7c9e336 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
+ #22 0x5622d7c9dcdf in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
+ #23 0x5622d7c9dcdf in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
+ #24 0x5622d7bb31d3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
+ #25 0x5622d7babb97 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
+ #26 0x5622d7babb97 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
+
+0x625000264940 is located 64 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
+allocated by thread T0 here:
+ #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
+ #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
+
+0x625000264948 is located 72 bytes inside of 8354-byte region [0x625000264900,0x6250002669a2)
+allocated by thread T0 here:
+ #0 0x5622d7b6b06d in malloc (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x96d06d)
+ #1 0x7f724b932500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
+
+I can reproduce it in qemu 5.0 built with --enable-sanitizers using:
+cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe1020000
+outl 0xcf8 0x80001014
+outl 0xcf8 0x80001004
+outw 0xcfc 0x7
+outl 0xcf8 0x800010a2
+outl 0xcf8 0x8000fa24
+outl 0xcfc 0xe1069000
+outl 0xcf8 0x8000fa04
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fb20
+write 0xe1069100 0xe 0xff810000000000008420f9e10019
+write 0x820b 0xc 0x080047bb0c02e10000004011
+write 0xe1020403 0x36 0xb700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e100000000625c5e0000b700000000e1000f009006e1
+EOF
+
+I also attached the trace to this launchpad report, in case the formatting is broken:
+
+qemu-system-i386 -M pc-q35-5.0 -accel qtest -qtest stdio -nographic -monitor none -serial none < attachment
+
+Please let me know if I can provide any further info.
+-Alex
+
+
+
+Created patch and merge request in upstream libslirp:
+
+https://gitlab.freedesktop.org/dgilbert/libslirp/-/commit/d620bac888923524f8b8407dbf35f6d2b3b7ddb2
+
+Committed in upstream libslirp:
+
+commit d620bac888923524f8b8407dbf35f6d2b3b7ddb2 (origin/lp1878043, lp1878043)
+Author: Dr. David Alan Gilbert <email address hidden>
+Date: Fri Jul 17 18:17:41 2020 +0100
+
+ ip_stripoptions use memmove
+
+
+Released with QEMU v5.2.0.
+