qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Samuel Thibault <samuel.thibault@gnu.org>,
	slirp@lists.freedesktop.org, Petr Matousek <pmatouse@redhat.com>,
	Vishnu Dev TJ <vishnudevtj@gmail.com>,
	qemu-stable@nongnu.org, qemu-devel@nongnu.org,
	Prasad J Pandit <ppandit@redhat.com>
Subject: Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Date: Thu, 29 Aug 2019 17:43:51 +0200	[thread overview]
Message-ID: <a032c557-7f1e-c710-f25a-e42200f0cf91@redhat.com> (raw)
In-Reply-To: <20190825225403.vwg2fhfff6i7gnwd@function>

Hi Samuel,

On 8/26/19 12:54 AM, Samuel Thibault wrote:
> Hello,
> 
> Philippe Mathieu-Daudé, le ven. 23 août 2019 17:15:32 +0200, a ecrit:
>>> Did you make your test with commit 126c04acbabd ("Fix heap overflow in
>>> ip_reass on big packet input") applied?
>>
>> Yes, unfortunately it doesn't fix the issue.
> 
> Ok.
> 
> Could you try the attached patch?  There was a use-after-free.  Without
> it, I can indeed crash qemu with the given exploit.  With it I don't
> seem to be able to crash it (trying in a loop for several minutes).

No change with your patch applied:

Thread 4 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe94c4700 (LWP 14031)]
0x0000555555e835c5 in icmp_input (m=0x0, hlen=20) at
qemu/slirp/src/ip_icmp.c:130
130         register struct ip *ip = mtod(m, struct ip *);
(gdb) bt
#0  0x0000555555e835c5 in icmp_input (m=0x0, hlen=20) at
qemu/slirp/src/ip_icmp.c:130
#1  0x0000555555e85450 in ip_input (m=0x0) at qemu/slirp/src/ip_input.c:205
#2  0x0000555555e723d2 in slirp_input (slirp=0x555556708170,
pkt=0x55555727fab0 "", pkt_len=1314) at qemu/slirp/src/slirp.c:785
#3  0x0000555555c83961 in net_slirp_receive (nc=0x555556707fa0,
buf=0x55555727fab0 "", size=1314) at qemu/net/slirp.c:126
#4  0x0000555555c788cb in nc_sendv_compat (nc=0x555556707fa0,
iov=0x7fffe94c0930, iovcnt=1, flags=0) at qemu/net/net.c:700
#5  0x0000555555c7898d in qemu_deliver_packet_iov
(sender=0x5555566a6440, flags=0, iov=0x7fffe94c0930, iovcnt=1,
opaque=0x555556707fa0) at qemu/net/net.c:728
#6  0x0000555555c7b49d in qemu_net_queue_deliver_iov
(queue=0x5555566a6260, sender=0x5555566a6440, flags=0,
iov=0x7fffe94c0930, iovcnt=1) at qemu/net/queue.c:179
#7  0x0000555555c7b60c in qemu_net_queue_send_iov (queue=0x5555566a6260,
sender=0x5555566a6440, flags=0, iov=0x7fffe94c0930, iovcnt=1,
sent_cb=0x0) at qemu/net/queue.c:224
#8  0x0000555555c78ad2 in qemu_sendv_packet_async
(sender=0x5555566a6440, iov=0x7fffe94c0930, iovcnt=1, sent_cb=0x0) at
qemu/net/net.c:769
#9  0x0000555555c78aff in qemu_sendv_packet (nc=0x5555566a6440,
iov=0x7fffe94c0930, iovcnt=1) at qemu/net/net.c:777
#10 0x0000555555c7c038 in net_hub_receive_iov (hub=0x5555566b1ab0,
source_port=0x5555566a67a0, iov=0x7fffe94c0930, iovcnt=1) at
qemu/net/hub.c:74
#11 0x0000555555c7c232 in net_hub_port_receive_iov (nc=0x5555566a67a0,
iov=0x7fffe94c0930, iovcnt=1) at qemu/net/hub.c:125
#12 0x0000555555c78972 in qemu_deliver_packet_iov
(sender=0x555557292860, flags=0, iov=0x7fffe94c0930, iovcnt=1,
opaque=0x5555566a67a0) at qemu/net/net.c:726
#13 0x0000555555c7b421 in qemu_net_queue_deliver (queue=0x5555566a6940,
sender=0x555557292860, flags=0, data=0x55555727fab0 "", size=1314) at
qemu/net/queue.c:164
#14 0x0000555555c7b53d in qemu_net_queue_send (queue=0x5555566a6940,
sender=0x555557292860, flags=0, data=0x55555727fab0 "", size=1314,
sent_cb=0x0) at qemu/net/queue.c:199
#15 0x0000555555c78733 in qemu_send_packet_async_with_flags
(sender=0x555557292860, flags=0, buf=0x55555727fab0 "", size=1314,
sent_cb=0x0) at qemu/net/net.c:654
#16 0x0000555555c7876b in qemu_send_packet_async (sender=0x555557292860,
buf=0x55555727fab0 "", size=1314, sent_cb=0x0) at qemu/net/net.c:661
#17 0x0000555555c78798 in qemu_send_packet (nc=0x555557292860,
buf=0x55555727fab0 "", size=1314) at qemu/net/net.c:667
#18 0x0000555555b32b67 in e1000_send_packet (s=0x55555725ce00,
buf=0x55555727fab0 "", size=1314) at qemu/hw/net/e1000.c:552
#19 0x0000555555b32fd3 in xmit_seg (s=0x55555725ce00) at
qemu/hw/net/e1000.c:615
#20 0x0000555555b33503 in process_tx_desc (s=0x55555725ce00,
dp=0x7fffe94c0b70) at qemu/hw/net/e1000.c:702
#21 0x0000555555b336fb in start_xmit (s=0x55555725ce00) at
qemu/hw/net/e1000.c:757
#22 0x0000555555b347b5 in set_tctl (s=0x55555725ce00, index=3590, val=8)
at qemu/hw/net/e1000.c:1128
#23 0x0000555555b34932 in e1000_mmio_write (opaque=0x55555725ce00,
addr=14360, val=8, size=4) at qemu/hw/net/e1000.c:1304
#24 0x000055555585b126 in memory_region_write_accessor
(mr=0x55555725f700, addr=14360, value=0x7fffe94c0cd8, size=4, shift=0,
mask=4294967295, attrs=...) at qemu/memory.c:507
#25 0x000055555585b336 in access_with_adjusted_size (addr=14360,
value=0x7fffe94c0cd8, size=4, access_size_min=4, access_size_max=4,
access_fn=0x55555585b03d <memory_region_write_accessor>,
mr=0x55555725f700, attrs=...)
    at qemu/memory.c:573
#26 0x000055555585e315 in memory_region_dispatch_write
(mr=0x55555725f700, addr=14360, data=8, size=4, attrs=...) at
qemu/memory.c:1509
#27 0x00005555557fcee2 in flatview_write_continue (fv=0x7fffe02307f0,
addr=4273747992, attrs=..., buf=0x7ffff7fcb028 "\b", len=4, addr1=14360,
l=4, mr=0x55555725f700) at qemu/exec.c:3367
#28 0x00005555557fd027 in flatview_write (fv=0x7fffe02307f0,
addr=4273747992, attrs=..., buf=0x7ffff7fcb028 "\b", len=4) at
qemu/exec.c:3406
#29 0x00005555557fd32c in address_space_write (as=0x55555641e640
<address_space_memory>, addr=4273747992, attrs=..., buf=0x7ffff7fcb028
"\b", len=4) at qemu/exec.c:3496
#30 0x00005555557fd37e in address_space_rw (as=0x55555641e640
<address_space_memory>, addr=4273747992, attrs=..., buf=0x7ffff7fcb028
"\b", len=4, is_write=true) at qemu/exec.c:3507
#31 0x0000555555876629 in kvm_cpu_exec (cpu=0x55555670e860) at
qemu/accel/kvm/kvm-all.c:2288
#32 0x000055555584c1d8 in qemu_kvm_cpu_thread_fn (arg=0x55555670e860) at
qemu/cpus.c:1290
#33 0x0000555555e48991 in qemu_thread_start (args=0x5555567328a0) at
qemu/util/qemu-thread-posix.c:502

Note 1: To trigger this I have to build with:

   ./configure --extra-cflags=-ggdb --enable-debug --enable-sanitizers

Using different combinations, I cannot reproduce the crash.

Note 2: We are missing some Makefile rules in QEMU with the libslirp split.

Checking out branches in the slirp/ directory doesn't trigger recompiling
the slirp object, and even if I force the creation of the libslirp.a
archive, the QEMU binaries are not linked again with the refreshed archive.

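The check named in the patch subject of this thread ("Do not reassemble fragments pointing outside of the original payload"), modelled as a standalone IPv4 fragment reassembler. This is an added example for illustration, not libslirp's ip_reass() and not code from any message in the thread; the struct layout, the reasm_add()/verdict_for()/example_scenario() API, the first-data-wins overlap policy and the 24-byte sample payload are all constructed here. Offsets follow RFC 791 (8-byte units, MF clear on the last fragment).

```c
/* Added example: a minimal IPv4 fragment reassembler that refuses any
 * fragment lying outside the original datagram.  Not libslirp code. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define IP_MAXPACKET 65535u   /* largest possible IPv4 datagram (RFC 791) */

struct frag {
    uint16_t off8;        /* fragment offset, in 8-byte units */
    bool     mf;          /* "more fragments" flag */
    uint16_t len;         /* payload bytes carried by this fragment */
    const uint8_t *data;  /* fragment payload */
};

struct reasm {
    uint8_t  buf[IP_MAXPACKET];   /* reassembled payload */
    uint8_t  have[IP_MAXPACKET];  /* 1 = byte already received */
    uint32_t total;               /* payload length once MF=0 seen; 0 = unknown */
    uint32_t maxend;              /* highest byte end accepted so far */
    uint32_t got;                 /* distinct payload bytes received */
};

enum { FRAG_REJECTED = -1, FRAG_ACCEPTED = 0, FRAG_COMPLETE = 1 };

/* Feed one fragment.  Every bounds check runs before a single byte is
 * copied, so a hostile offset can never write past buf[]. */
int reasm_add(struct reasm *r, const struct frag *f)
{
    uint32_t start = (uint32_t)f->off8 * 8;
    uint32_t end = start + f->len;          /* exclusive; fits in 32 bits */

    if (f->len == 0) return FRAG_REJECTED;
    /* No fragment can extend past the largest possible datagram. */
    if (end > IP_MAXPACKET) return FRAG_REJECTED;
    /* Non-final fragments must carry a multiple of 8 bytes. */
    if (f->mf && (f->len % 8) != 0) return FRAG_REJECTED;
    /* Once the last fragment fixed the size, anything beyond it is bogus. */
    if (r->total != 0 && end > r->total) return FRAG_REJECTED;
    if (!f->mf) {
        /* A second "last" fragment must agree on the total length. */
        if (r->total != 0 && r->total != end) return FRAG_REJECTED;
        /* An earlier fragment already reached past this declared end. */
        if (r->maxend > end) return FRAG_REJECTED;
        r->total = end;
    }
    /* Overlaps: first data wins, so accepted bytes cannot be rewritten. */
    for (uint32_t i = start; i < end; i++) {
        if (!r->have[i]) {
            r->buf[i] = f->data[i - start];
            r->have[i] = 1;
            r->got++;
        }
    }
    if (end > r->maxend) r->maxend = end;
    return (r->total != 0 && r->got == r->total) ? FRAG_COMPLETE : FRAG_ACCEPTED;
}

/* Verdict for a single fragment against a fresh reassembler whose total
 * payload length is already `total` (0 = not yet known). */
int verdict_for(uint16_t off8, bool mf, uint16_t len, uint32_t total)
{
    static uint8_t zeros[IP_MAXPACKET];
    static struct reasm r;
    struct frag f = { off8, mf, len, zeros };
    memset(&r, 0, sizeof r);
    r.total = total;
    return reasm_add(&r, &f);
}

/* Constructed input: a 24-byte payload in three fragments, delivered out of
 * order, plus one hostile fragment whose offset points past the payload.
 * Returns 1 on success, a negative step number on the first unexpected verdict. */
int example_scenario(void)
{
    static const uint8_t payload[] = "ABCDEFGHIJKLMNOPQRSTUVWX";  /* 24 bytes */
    static struct reasm r;
    struct frag first   = { 0, true,  8, payload };
    struct frag mid     = { 1, true,  8, payload + 8 };
    struct frag last    = { 2, false, 8, payload + 16 };
    struct frag hostile = { 3, true,  8, payload };   /* bytes 24..31: outside */

    memset(&r, 0, sizeof r);
    if (reasm_add(&r, &first) != FRAG_ACCEPTED) return -1;
    if (reasm_add(&r, &last) != FRAG_ACCEPTED) return -2;    /* total is now 24 */
    if (reasm_add(&r, &hostile) != FRAG_REJECTED) return -3; /* 32 > 24 */
    if (reasm_add(&r, &mid) != FRAG_COMPLETE) return -4;
    if (r.total != 24 || memcmp(r.buf, payload, 24) != 0) return -5;
    return 1;
}

int main(void)
{
    printf("scenario: %d\n", example_scenario());  /* 1 on success */
    return 0;
}
```

The point of the ordering inside reasm_add() is that the offset arithmetic is validated against both the absolute maximum and the length learned from the MF=0 fragment before any copy happens; a reassembler that sizes its buffer from the first fragments and only then honours a later fragment's offset is exactly the shape of bug the thread's CVE title (heap buffer overflow during packet reassembly) describes. A real stack also needs per-datagram timeouts and a cap on queued fragments, which this model leaves out.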


Thread overview: 10+ messages
2019-08-22 14:41 [Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378) Philippe Mathieu-Daudé
2019-08-22 14:41 ` [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload Philippe Mathieu-Daudé
2019-08-22 18:33   ` [Qemu-devel] [Slirp] " Samuel Thibault
2019-08-23 15:15     ` Philippe Mathieu-Daudé
2019-08-25 22:54       ` Samuel Thibault
2019-08-29 11:13         ` P J P
2019-08-29 15:43         ` Philippe Mathieu-Daudé [this message]
2019-08-29 15:53           ` Philippe Mathieu-Daudé
2019-08-29 16:00             ` Philippe Mathieu-Daudé
2019-08-22 14:41 ` [Qemu-devel] [RFC PATCH 2/2] Delay crash when mbufs are corrupted Philippe Mathieu-Daudé
