results/classifier/zero-shot/108/other/1908369


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

other: 0.771
performance: 0.766
permissions: 0.723
debug: 0.721
graphic: 0.713
semantic: 0.648
boot: 0.639
device: 0.634
network: 0.632
PID: 0.574
socket: 0.532
files: 0.503
KVM: 0.472
vnc: 0.444

deleted

Hello,

An heap-use-after-free issue was found in hw/net/eepro100.c:616 in latest version 5.2.0.

This issue was found when I was debugging Qemu in monitor. When I attach An eepro100 NIC, and reload the snapshot, the use-after-free triggers.

Qemu boot command is as follows:
./qemu-5.2.0-rc4/build/qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive format=qcow2,file=./ubuntu.img -display none -monitor stdio
(qemu) device_add i82559a,id=eepro
(qemu) device_del eepro
(qemu) savevm tag0
(qemu) loadvm tag0


Backtrace is as follows:
=================================================================
==32048==ERROR: AddressSanitizer: heap-use-after-free on address 0x6280000449f0 at pc 0x7f751f5eed1a bp 0x7ffcd01f2cf0 sp 0x7ffcd01f2498
WRITE of size 8 at 0x6280000449f0 thread T0
    #0 0x7f751f5eed19  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
    #1 0x55948f3c9287 in nic_reset ../hw/net/eepro100.c:616
    #2 0x5594900f481a in qemu_devices_reset ../hw/core/reset.c:69
    #3 0x55948fae72e7 in pc_machine_reset ../hw/i386/pc.c:1615
    #4 0x55948fda10af in qemu_system_reset ../softmmu/vl.c:1405
    #5 0x55948f1ce8ed in load_snapshot ../migration/savevm.c:3008
    #6 0x55948f7420e9 in hmp_loadvm ../monitor/hmp-cmds.c:1133
    #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
    #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
    #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
    #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
    #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
    #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
    #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
    #14 0x55949011f217 in qio_channel_fd_source_dispatch ../io/channel-watch.c:84
    #15 0x7f751e056284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
    #16 0x559490580e97 in glib_pollfds_poll ../util/main-loop.c:221
    #17 0x559490580fb3 in os_host_main_loop_wait ../util/main-loop.c:244
    #18 0x55949058124f in main_loop_wait ../util/main-loop.c:520
    #19 0x55948fda1e53 in qemu_main_loop ../softmmu/vl.c:1678
    #20 0x55948f183c76 in main ../softmmu/main.c:50
    #21 0x7f751a8e3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #22 0x55948f183b69 in _start (/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x19c6b69)

0x6280000449f0 is located 2288 bytes inside of 15616-byte region [0x628000044100,0x628000047e00)
freed by thread T1 here:
    #0 0x7f751f66e7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5594900ade06 in object_finalize ../qom/object.c:689
    #2 0x5594900b04fe in object_unref ../qom/object.c:1183
    #3 0x5594900eae68 in bus_free_bus_child ../hw/core/qdev.c:56
    #4 0x55949055d2d7 in call_rcu_thread ../util/rcu.c:281
    #5 0x5594905ad296 in qemu_thread_start ../util/qemu-thread-posix.c:521
    #6 0x7f751acba6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T0 here:
    #0 0x7f751f66eb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7f751e05bab8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
    #2 0x5594900ae04f in object_new ../qom/object.c:744
    #3 0x5594900ec0c3 in qdev_new ../hw/core/qdev.c:154
    #4 0x55948f37b084 in qdev_device_add ../softmmu/qdev-monitor.c:654
    #5 0x55948f37c36d in qmp_device_add ../softmmu/qdev-monitor.c:805
    #6 0x55948f37cd40 in hmp_device_add ../softmmu/qdev-monitor.c:916
    #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
    #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
    #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
    #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
    #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
    #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
    #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
    #14 0x55949011f217 in qio_channel_fd_source_dispatch ../io/channel-watch.c:84
    #15 0x7f751e056284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)

Thread T1 created by T0 here:
    #0 0x7f751f5c7d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x5594905ad673 in qemu_thread_create ../util/qemu-thread-posix.c:558
    #2 0x55949055d8f0 in rcu_init_complete ../util/rcu.c:379
    #3 0x55949055dab9 in rcu_init ../util/rcu.c:435
    #4 0x55949068e5dc in __libc_csu_init (/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x2ed15dc)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
Shadow bytes around the buggy address:
  0x0c50800008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c50800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5080000930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c5080000940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5080000980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32048==ABORTING


Thanks.