From: Jason Wang <jasowang@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>, qemu-devel@nongnu.org
Subject: Re: QEMU | Heap-overflow in virtio_net_queue_enable (#1309)
Date: Thu, 10 Nov 2022 13:18:54 +0800 [thread overview]
Message-ID: <CACGkMEte5t6iRJm7V0rPGSZeXbmdK88FBM9BU75XwUJdXkQuLQ@mail.gmail.com> (raw)
In-Reply-To: <20221110000943-mutt-send-email-mst@kernel.org>
On Thu, Nov 10, 2022 at 1:12 PM Michael S. Tsirkin <mst@redhat.com> wrote:
>
> Xuan Zhuo pls take a look ASAP.
>
> On Thu, Nov 10, 2022 at 03:04:41AM +0000, Alexander Bulekov (@a1xndr) wrote:
> Alexander Bulekov created an issue: #1309
>
> Hello,
>
> I bisected this to 7f863302 ("virtio-net: support queue_enable"). CC:
> @mstredhat @jasowang (could not find Kangjie Xu or Xuan Zhuo gitlab accounts).
Looks like we need to validate queue_index or queue_sel before calling
device specific queue enable here.
Thanks
>
> Reproducer
>
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -M q35 -nodefaults -device virtio-net,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xc000
> outl 0xcf8 0x80000804
> outl 0xcfc 0x01
> outl 0xc00d 0x0200
> outl 0xcf8 0x80000890
> outb 0xcfc 0x4
> outl 0xcf8 0x80000889
> outl 0xcfc 0x1c000000
> outl 0xcf8 0x80000893
> outw 0xcfc 0x100
> EOF
>
> Stack-Trace
>
> ==3742222==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400001a9f8 at pc 0x55db851032b1 bp 0x7ffe639914c0 sp 0x7ffe639914b8
> READ of size 8 at 0x61400001a9f8 thread T0
> #0 0x55db851032b0 in virtio_net_queue_enable /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:572:14
> #1 0x55db85361748 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
> #2 0x55db8536129a in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
> #3 0x55db85360c03 in memory_region_dispatch_write /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
> #4 0x55db8485e11f in virtio_address_space_write /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:592:5
> #5 0x55db8485e11f in virtio_write_config /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio-pci.c:670:13
> #6 0x55db844de82a in pci_host_config_write_common /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci_host.c:85:5
> #7 0x55db85361748 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:493:5
> #8 0x55db8536129a in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c:555:18
> #9 0x55db85360c03 in memory_region_dispatch_write /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/memory.c
> #10 0x55db853ad390 in flatview_write_continue /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2825:23
> #11 0x55db853a4833 in flatview_write /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2867:12
> #12 0x55db853a4543 in address_space_write /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/physmem.c:2963:18
> #13 0x55db85354567 in cpu_outw /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/ioport.c:70:5
> #14 0x55db853b8129 in qtest_process_command /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:480:13
> #15 0x55db853b6cb8 in qtest_process_inbuf /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qtest.c:802:9
> #16 0x55db85a3e284 in fd_chr_read /home/alxndr/Development/qemu-demo/qemu/build-asan/../chardev/char-fd.c:72:9
> #17 0x7f7f528c8a9e in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53a9e) (BuildId: 1697a734f1bc7448cd8772689a1c439343f062f7)
> #18 0x55db85cc1f33 in glib_pollfds_poll /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:297:9
> #19 0x55db85cc1f33 in os_host_main_loop_wait /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:320:5
> #20 0x55db85cc1f33 in main_loop_wait /home/alxndr/Development/qemu-demo/qemu/build-asan/../util/main-loop.c:606:11
> #21 0x55db849163a6 in qemu_main_loop /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/runstate.c:739:9
> #22 0x55db83d54105 in qemu_default_main /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:37:14
> #23 0x7f7f520c6209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> #24 0x7f7f520c62bb in __libc_start_main csu/../csu/libc-start.c:389:3
> #25 0x55db83c93ef0 in _start (/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x1f9cef0) (BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)
>
> 0x61400001a9f8 is located 32 bytes to the right of 408-byte region [0x61400001a840,0x61400001a9d8)
> allocated by thread T0 here:
> #0 0x55db83d16f28 in __interceptor_calloc (/home/alxndr/Development/qemu-demo/qemu/build-asan/qemu-system-i386+0x201ff28) (BuildId: 574fb9ebea37c72f33a18ee7cda64eaf34590574)
> #1 0x7f7f528ceb30 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x59b30) (BuildId: 1697a734f1bc7448cd8772689a1c439343f062f7)
> #2 0x55db850f8d11 in virtio_net_device_realize /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/net/virtio-net.c:3621:18
> #3 0x55db85250321 in virtio_device_realize /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/virtio/virtio.c:4168:9
> #4 0x55db85658931 in device_set_realized /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
> #5 0x55db85679238 in property_set_bool /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
> #6 0x55db8567442c in object_property_set /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
> #7 0x55db8568012c in object_property_set_qobject /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
> #8 0x55db844cef9a in pci_qdev_realize /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/pci/pci.c:2218:9
> #9 0x55db85658931 in device_set_realized /home/alxndr/Development/qemu-demo/qemu/build-asan/../hw/core/qdev.c:566:13
> #10 0x55db85679238 in property_set_bool /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:2285:5
> #11 0x55db8567442c in object_property_set /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/object.c:1420:5
> #12 0x55db8568012c in object_property_set_qobject /home/alxndr/Development/qemu-demo/qemu/build-asan/../qom/qom-qobject.c:28:10
> #13 0x55db8490f344 in qdev_device_add /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/qdev-monitor.c:733:11
> #14 0x55db849172b2 in qemu_create_cli_devices /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2536:5
> #15 0x55db849172b2 in qmp_x_exit_preconfig /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:2604:5
> #16 0x55db8491db5f in qemu_init /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/vl.c:3601:9
> #17 0x55db83d54125 in main /home/alxndr/Development/qemu-demo/qemu/build-asan/../softmmu/main.c:47:5
>
> OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53186
>
> libqtest Reproducer: repro.c
>
> Thank you
>
> —
> Reply to this email directly or view it on GitLab.
> You're receiving this email because you have been mentioned on gitlab.com.
> Unsubscribe from this thread · Manage all notifications · Help
>
>
next prev parent reply other threads:[~2022-11-10 5:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <reply-1e4f06160b70f0d5d43fb528773581e4@gitlab.com>
[not found] ` <issue_118462359@gitlab.com>
2022-11-10 5:11 ` QEMU | Heap-overflow in virtio_net_queue_enable (#1309) Michael S. Tsirkin
2022-11-10 5:18 ` Jason Wang [this message]
2022-11-10 7:41 ` Xuan Zhuo
2022-11-10 6:53 ` Xuan Zhuo
2022-11-10 15:50 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACGkMEte5t6iRJm7V0rPGSZeXbmdK88FBM9BU75XwUJdXkQuLQ@mail.gmail.com \
--to=jasowang@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).