blob: fd41e975c8e36934e40aa5c583d01246fc6e7a7f (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
id = 2742
title = "heap-buffer-overflow in smc91c111_do_tx()"
state = "closed"
created_at = "2024-12-23T06:20:28.277Z"
closed_at = "2025-03-13T07:03:14.247Z"
labels = ["Fuzzer", "Networking", "workflow::Patch available"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2742"
host-os = "Ubuntu"
host-arch = "x86_64"
qemu-version = "commit aa3a285b5"
guest-os = "n/a"
guest-arch = "ARM"
description = """A buffer-overflow bug was triggered by my fuzzer at smc91c111_do_tx().
I've patched hw/net/smc91c111.c with:
```
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 702d0e8e83..286298bf06 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -429,7 +429,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
/* Ignore. */
return;
case 2: /* Packet Number Register */
- s->packet_num = value;
+ s->packet_num = value & (NUM_PACKETS - 1);
return;
case 3: case 4: case 5:
/* Should be readonly, but linux writes to them anyway. Ignore. */
```
The error is:
```
==2724739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022941 at pc 0x595ebbed687b bp 0x7fffa0098a50 sp 0x7fffa0098a48
READ of size 1 at 0x629000022941 thread T0
#0 0x595ebbed687a in smc91c111_do_tx hw/net/smc91c111.c:240:19
#1 0x595ebbed687a in smc91c111_queue_tx hw/net/smc91c111.c:284:5
#2 0x595ebbed687a in smc91c111_writeb hw/net/smc91c111.c:419:17
#3 0x595ebbed687a in smc91c111_writefn hw/net/smc91c111.c:666:9
#4 0x595ebd174d33 in memory_region_write_accessor system/memory.c:497:5
#5 0x595ebd1744aa in access_with_adjusted_size system/memory.c:573:18
#6 0x595ebd1738d8 in memory_region_dispatch_write system/memory.c
#7 0x595ebd1cc984 in flatview_write_continue_step system/physmem.c:2786:18
#8 0x595ebd1b9880 in flatview_write_continue system/physmem.c:2816:19
#9 0x595ebd1b9880 in flatview_write system/physmem.c:2847:12
#10 0x595ebd1b9517 in address_space_write system/physmem.c:2967:18
#11 0x595ebc77d5c3 in qtest_process_command system/qtest.c:522:13
#12 0x595ebc77b83b in qtest_process_inbuf system/qtest.c:776:9
...
```"""
reproduce = """```
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
clock_step
clock_step
writel 0x4e000000 0x2b1e08f5
writew 0x4e000000 0x2b1e08f5
writel 0x4e00000c 0x66027d24
clock_step
readb 0x4e000000
writel 0x4e000008 0x238e1f29
writew 0x4e000000 0x41d9fe3b
writel 0x4e00000c 0x27022a2d
clock_step
readw 0x4e000004
clock_step
readb 0x4e000008
clock_step
writew 0x4e000000 0x620c5fdf
EOF
```"""
additional = """"""
|