summary refs log tree commit diff stats
path: root/results/classifier/zero-shot/118/peripherals/2440
blob: d104a0e241fa7ef7cb2c0a0658d0a20e4a795d5d (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

peripherals: 0.865
ppc: 0.823
x86: 0.814
hypervisor: 0.804
TCG: 0.803
user-level: 0.792
VMM: 0.787
vnc: 0.785
risc-v: 0.780
mistranslation: 0.778
KVM: 0.776
graphic: 0.774
register: 0.772
semantic: 0.757
i386: 0.757
device: 0.755
architecture: 0.745
performance: 0.742
permissions: 0.738
virtual: 0.735
debug: 0.727
arm: 0.706
network: 0.702
assembly: 0.698
socket: 0.688
PID: 0.687
kernel: 0.669
boot: 0.646
files: 0.619

virtio-net: Use-After-Free during unrealization of virtio-net
Description of problem:
When hotplugging `virtio-net` device, mishandling of `failover` option may leads to use-after-free.
More specifically, if we try to hotplug virtio-net device with `failover=on` and other invalid option (e.g. `rx_queue_size=0`), the device listner callback is registered but not unregistered before being freed, leading to UAF.
Steps to reproduce:
```sh
cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
```

If above command is not working, let me know so that I provide more information.
Additional information:
The following log leveals bug location:

```sh
$ cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
==836681==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
QEMU 8.1.93 monitor - type 'help' for more information
VNC server running on 127.0.0.1:5900
(qemu) device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
Error: Invalid rx_queue_size (= 0), must be a power of 2 between 256 and 1024.
(qemu) device_add virtio-net,failover=on,bus=br1,id=dev0
=================================================================
==836681==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000ab58 at pc 0x5577bbb8fe22 bp 0x7ffeb03fca50 sp 0x7ffeb03fca48
READ of size 8 at 0x62e00000ab58 thread T0
    #0 0x5577bbb8fe21 in qdev_should_hide_device /home/XXX/qemu/build/../hw/core/qdev.c:233:23
    #1 0x5577bb14aac4 in qdev_device_add_from_qdict /home/XXX/qemu/build/../system/qdev-monitor.c:662:9
    #2 0x5577bb14c364 in qdev_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:738:11
    #3 0x5577bb14d6eb in qmp_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:860:11
    #4 0x5577bb14e11d in hmp_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:968:5
    #5 0x5577bb29aef4 in handle_hmp_command_exec /home/XXX/qemu/build/../monitor/hmp.c:1106:9
    #6 0x5577bb298fa3 in handle_hmp_command /home/XXX/qemu/build/../monitor/hmp.c:1158:9
    #7 0x5577bb2949ee in monitor_command_cb /home/XXX/qemu/build/../monitor/hmp.c:47:5
    #8 0x5577bc2b0c3a in readline_handle_byte /home/XXX/qemu/build/../util/readline.c:419:13
    #9 0x5577bb29d261 in monitor_read /home/XXX/qemu/build/../monitor/hmp.c:1390:13
    #10 0x5577bbfda644 in fd_chr_read /home/XXX/qemu/build/../chardev/char-fd.c:72:9
    #11 0x7f53d36e5c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
    #12 0x5577bc2536db in glib_pollfds_poll /home/XXX/qemu/build/../util/main-loop.c:290:9
    #13 0x5577bc2536db in os_host_main_loop_wait /home/XXX/qemu/build/../util/main-loop.c:313:5
    #14 0x5577bc2536db in main_loop_wait /home/XXX/qemu/build/../util/main-loop.c:592:11
    #15 0x5577bb15dd06 in qemu_main_loop /home/XXX/qemu/build/../system/runstate.c:782:9
    #16 0x5577bbb81115 in qemu_default_main /home/XXX/qemu/build/../system/main.c:37:14
    #17 0x7f53d2c3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f53d2c3fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x5577ba4c3584 in _start (/usr/local/bin/qemu-system-i386+0x1ada584) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)

0x62e00000ab58 is located 42840 bytes inside of 43008-byte region [0x62e000000400,0x62e00000ac00)
freed by thread T1 here:
    #0 0x5577ba546122 in __interceptor_free (/usr/local/bin/qemu-system-i386+0x1b5d122) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x5577bbba5135 in object_finalize /home/XXX/qemu/build/../qom/object.c:714:9
    #2 0x5577bbba5135 in object_unref /home/XXX/qemu/build/../qom/object.c:1217:9
    #3 0x5577bbb91ac3 in bus_free_bus_child /home/XXX/qemu/build/../hw/core/qdev.c:55:5

previously allocated by thread T0 here:
    #0 0x5577ba5463ce in malloc (/usr/local/bin/qemu-system-i386+0x1b5d3ce) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x7f53d36ee738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
    #2 0x5577bb14c364 in qdev_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:738:11
    #3 0x5577bb29aef4 in handle_hmp_command_exec /home/XXX/qemu/build/../monitor/hmp.c:1106:9
    #4 0x5577bb298fa3 in handle_hmp_command /home/XXX/qemu/build/../monitor/hmp.c:1158:9
    #5 0x5577bb2949ee in monitor_command_cb /home/XXX/qemu/build/../monitor/hmp.c:47:5

Thread T1 created by T0 here:
    #0 0x5577ba52f84c in pthread_create (/usr/local/bin/qemu-system-i386+0x1b4684c) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x5577bc1fcc24 in qemu_thread_create /home/XXX/qemu/build/../util/qemu-thread-posix.c:581:11
    #2 0x5577bc229970 in rcu_init_complete /home/XXX/qemu/build/../util/rcu.c:415:5
    #3 0x5577bc229970 in rcu_init /home/XXX/qemu/build/../util/rcu.c:471:5
    #4 0x7f53d2c3feba in call_init csu/../csu/libc-start.c:145:3
    #5 0x7f53d2c3feba in __libc_start_main csu/../csu/libc-start.c:379:5

SUMMARY: AddressSanitizer: heap-use-after-free /home/XXX/qemu/build/../hw/core/qdev.c:233:23 in qdev_should_hide_device
Shadow bytes around the buggy address:
  0x0c5c7fff9510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c7fff9560: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c5c7fff9570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==836681==ABORTING
```

#