device: 0.780
network: 0.733
instruction: 0.725
semantic: 0.679
graphic: 0.677
socket: 0.620
other: 0.543
vnc: 0.531
KVM: 0.530
boot: 0.492
mistranslation: 0.463
assembly: 0.356

UndefinedBehaviorSanitizer crash around slirp::ip_reass()

tag: v4.1.0-rc1

./configure --enable-sanitizers --extra-cflags=-O1

==26130==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000046d588 bp 0x7fff6ee9f940 sp 0x7fff6ee9f8e8 T26130)
==26130==The signal is caused by a WRITE memory access.
==26130==Hint: address points to the zero page.
    #0 0x0000561ad346d587 in ip_deq() at slirp/src/ip_input.c:411:55
    #1 0x0000561ad346cffb in ip_reass() at slirp/src/ip_input.c:304:9
    #2 0x0000561ad346cb6f in ip_input() at slirp/src/ip_input.c:184:18

I only had access to the last packet which isn't the culprit, I'm now seeing how to log the network traffic of the guest to provide more useful information.

Recent libslirp patch 126c04ac (explained in e0be8043) changed ip_reass(), so this bug might be fixed.

https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04ac
https://gitlab.freedesktop.org/slirp/libslirp/commit/e0be8043

And

https://gitlab.freedesktop.org/slirp/libslirp/commit/d203c81b

I apologize for not understanding this bug was a security issue, and not insisting on it.

It has been fixed in SLiRP by "Fix use-afte-free in ip_reass() (CVE-2020-1983)":
https://gitlab.freedesktop.org/slirp/libslirp/commit/9bd6c591

And in QEMU by commit 7769c23774 "slirp: update to fix CVE-2020-1983".

Fixed in QEMU release v5.0.0