* [Qemu-devel] [PATCH] crypto/ivgen-essiv: Fix problem with address sanitizer of Clang
@ 2018-01-02 15:37 Thomas Huth
2018-01-10 12:36 ` Daniel P. Berrange
0 siblings, 1 reply; 2+ messages in thread
From: Thomas Huth @ 2018-01-02 15:37 UTC (permalink / raw)
To: qemu-devel, Daniel P. Berrange; +Cc: qemu-trivial
When compiling QEMU with clang and -fsanitize=address, I get the
following error:
==9185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7e9adf2f at pc 0x564cba001d88 bp 0x7ffc7e9adeb0 sp 0x7ffc7e9adea8
READ of size 16 at 0x7ffc7e9adf2f thread T0
#0 0x564cba001d87 in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:83
#1 0x564cba001367 in qcrypto_ivgen_calculate .../crypto/ivgen.c:72
#2 0x564cb9fec630 in test_ivgen .../tests/test-crypto-ivgen.c:148
#3 0x7f98f4224b39 (/lib64/libglib-2.0.so.0+0x6fb39)
#4 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
#5 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
#6 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
#7 0x7f98f4224f0d (/lib64/libglib-2.0.so.0+0x6ff0d)
#8 0x7f98f4224f30 (/lib64/libglib-2.0.so.0+0x6ff30)
#9 0x564cb9fec446 in main .../tests/test-crypto-ivgen.c:173
#10 0x7f98f294fc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#11 0x564cb9fec1ac in _start (.../tests/test-crypto-ivgen+0xdb1ac)
Address 0x7ffc7e9adf2f is located in stack of thread T0 at offset 47 in frame
#0 0x564cba00192f in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:76
And indeed, the code is doing a "memcpy(data, (uint8_t *)&sector, ndata)"
here with "sector" being a uint64_t variable and ndata = 16.
Fix it by limiting the size of the memcpy correctly.
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
crypto/ivgen-essiv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/ivgen-essiv.c b/crypto/ivgen-essiv.c
index cba20bd..8944609 100644
--- a/crypto/ivgen-essiv.c
+++ b/crypto/ivgen-essiv.c
@@ -79,7 +79,7 @@ static int qcrypto_ivgen_essiv_calculate(QCryptoIVGen *ivgen,
uint8_t *data = g_new(uint8_t, ndata);
sector = cpu_to_le64(sector);
- memcpy(data, (uint8_t *)§or, ndata);
+ memcpy(data, (uint8_t *)§or, MIN(ndata, sizeof(sector)));
if (sizeof(sector) < ndata) {
memset(data + sizeof(sector), 0, ndata - sizeof(sector));
}
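Review bot: The MIN() bound on the memcpy is the right fix for the over-read: with ndata = 16 the old call copied 16 bytes out of the 8-byte uint64_t "sector", which is exactly the READ of size 16 that ASan reports at ivgen-essiv.c:83, and the memset on the following lines already zero-fills bytes 8..ndata-1, so the copy and the padding are now consistent. Two smaller points: for ndata < 8 the copy now keeps only the low-order bytes of the cpu_to_le64()-converted value (little-endian truncation, which the conversion on the preceding line arranges), and a one-line comment saying so would help the next reader, since the intent is not obvious from the hunk; and the branch could be dropped altogether with `memset(data, 0, ndata); memcpy(data, (uint8_t *)&sector, MIN(ndata, sizeof(sector)));`, though the patch is fine as is. Note also that `§or` in the archived hunk lines is the archive's rendering of `&sector` (the `&sect` entity); the source line reads `(uint8_t *)&sector`.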
--
1.8.3.1
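The bug the commit message describes, worked through as an added example (this is not QEMU code and not the patch author's): a portable stand-in for the sector-to-IV-buffer fill performed by the patched hunk, with the over-reading form kept under an #ifdef beside the bounded form, and a check covering an IV size smaller than, equal to and larger than the 8-byte sector number. The function names, the little-endian helper standing in for cpu_to_le64(), the 64-byte scratch buffer and the sample sector value are all invented for this illustration.

```c
/*
 * Added example, not QEMU code. Serialise a 64-bit sector number into an IV
 * buffer of arbitrary size, the operation the patched hunk performs. Names
 * (fill_iv_from_sector*, iv_matches_sector, check_iv_size) are invented here;
 * QEMU's qcrypto_ivgen_essiv_calculate() is not reproduced.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Portable little-endian store, standing in for QEMU's cpu_to_le64(). */
static void store_le64(uint8_t out[8], uint64_t v)
{
    for (int i = 0; i < 8; i++) {
        out[i] = (uint8_t)(v >> (8 * i));
    }
}

/*
 * Shape of the code before the fix: copies ndata bytes out of an 8-byte
 * object. For ndata > 8 this reads past 'le' (the stack-buffer-overflow
 * ASan reported). Compiled out unless DEMO_OVERREAD is defined; kept only
 * to show the 'before' side next to the fix.
 */
#ifdef DEMO_OVERREAD
static void fill_iv_from_sector_buggy(uint8_t *data, size_t ndata, uint64_t sector)
{
    uint8_t le[8];
    store_le64(le, sector);
    memcpy(data, le, ndata);                /* over-read when ndata > sizeof(le) */
    if (sizeof(le) < ndata) {
        memset(data + sizeof(le), 0, ndata - sizeof(le));
    }
}
#endif

/* Fixed form: copy at most sizeof(le) bytes, zero-fill whatever remains. */
static void fill_iv_from_sector(uint8_t *data, size_t ndata, uint64_t sector)
{
    uint8_t le[8];
    store_le64(le, sector);
    memcpy(data, le, MIN(ndata, sizeof(le)));
    if (sizeof(le) < ndata) {
        memset(data + sizeof(le), 0, ndata - sizeof(le));
    }
}

/*
 * The two properties a reviewer wants: the first min(ndata, 8) bytes are the
 * little-endian sector number, and every byte after them is zero.
 */
static bool iv_matches_sector(const uint8_t *data, size_t ndata, uint64_t sector)
{
    size_t n = MIN(ndata, (size_t)8);
    for (size_t i = 0; i < n; i++) {
        if (data[i] != (uint8_t)(sector >> (8 * i))) {
            return false;
        }
    }
    for (size_t i = n; i < ndata; i++) {
        if (data[i] != 0) {
            return false;
        }
    }
    return true;
}

/* Fill and verify one IV size; the buffer is poisoned first so that any byte
 * the fill leaves untouched shows up as a mismatch. */
static bool check_iv_size(size_t ndata, uint64_t sector)
{
    uint8_t data[64];                       /* invented scratch size */
    if (ndata > sizeof(data)) {
        return false;
    }
    memset(data, 0xAA, sizeof(data));
    fill_iv_from_sector(data, ndata, sector);
    return iv_matches_sector(data, ndata, sector);
}

int main(void)
{
    /* 16 is the AES block size behind the sanitizer report; 8 and 4 exercise
     * the equal and truncating cases. The sector value is constructed. */
    size_t sizes[] = { 4, 8, 16, 32 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        printf("ndata=%zu %s\n", sizes[i],
               check_iv_size(sizes[i], 0x0102030405060708ULL) ? "ok" : "MISMATCH");
    }
    return 0;
}
```

Building with `-fsanitize=address -DDEMO_OVERREAD` and calling the buggy variant with ndata = 16 reproduces the class of report quoted in the commit message; without the define only the bounded form is compiled.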
* Re: [Qemu-devel] [PATCH] crypto/ivgen-essiv: Fix problem with address sanitizer of Clang
2018-01-02 15:37 [Qemu-devel] [PATCH] crypto/ivgen-essiv: Fix problem with address sanitizer of Clang Thomas Huth
@ 2018-01-10 12:36 ` Daniel P. Berrange
0 siblings, 0 replies; 2+ messages in thread
From: Daniel P. Berrange @ 2018-01-10 12:36 UTC (permalink / raw)
To: Thomas Huth; +Cc: qemu-devel, qemu-trivial
On Tue, Jan 02, 2018 at 04:37:45PM +0100, Thomas Huth wrote:
> When compiling QEMU with clang and -fsanitize=address, I get the
> following error:
>
> ==9185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7e9adf2f at pc 0x564cba001d88 bp 0x7ffc7e9adeb0 sp 0x7ffc7e9adea8
> READ of size 16 at 0x7ffc7e9adf2f thread T0
> #0 0x564cba001d87 in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:83
> #1 0x564cba001367 in qcrypto_ivgen_calculate .../crypto/ivgen.c:72
> #2 0x564cb9fec630 in test_ivgen .../tests/test-crypto-ivgen.c:148
> #3 0x7f98f4224b39 (/lib64/libglib-2.0.so.0+0x6fb39)
> #4 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
> #5 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
> #6 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02)
> #7 0x7f98f4224f0d (/lib64/libglib-2.0.so.0+0x6ff0d)
> #8 0x7f98f4224f30 (/lib64/libglib-2.0.so.0+0x6ff30)
> #9 0x564cb9fec446 in main .../tests/test-crypto-ivgen.c:173
> #10 0x7f98f294fc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
> #11 0x564cb9fec1ac in _start (.../tests/test-crypto-ivgen+0xdb1ac)
>
> Address 0x7ffc7e9adf2f is located in stack of thread T0 at offset 47 in frame
> #0 0x564cba00192f in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:76
>
> And indeed, the code is doing a "memcpy(data, (uint8_t *)&sector, ndata)"
> here with "sector" being a uint64_t variable and ndata = 16.
>
> Fix it by limiting the size of the memcpy correctly.
>
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
> crypto/ivgen-essiv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
FYI, this is a dupe of the same fix posted by Marc-André Lureau last
year with subject "crypto: fix stack-buffer-overflow error", which I
already have queued.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|