From: P J P <ppandit@redhat.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: wjjzhang <wjjzhang@tencent.com>,
qemu-devel@nongnu.org,
Samuel Thibault <samuel.thibault@ens-lyon.org>
Subject: [Qemu-devel] A use-after-free in slirp
Date: Thu, 3 Aug 2017 17:45:06 +0530 (IST)
Message-ID: <alpine.LFD.2.20.1708031718030.16909@wniryva>
Hello Jan, Samuel
Wjjzhang (CC'd) has reported a use-after-free issue which seems to occur while
responding to a packet, after the socket has been closed by another thread.
===
==31922==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400001ff8c at pc 0x56485de28ea0 bp 0x7f00f44fc950 sp 0x7f00f44fc940
READ of size 4 at 0x61400001ff8c thread T2
#0 0x56485de28e9f in if_start slirp/if.c:230
#1 0x56485de28a58 in if_output slirp/if.c:141
#2 0x56485de35173 in ip_output slirp/ip_output.c:85
#3 0x56485de57c48 in tcp_respond slirp/tcp_subr.c:218
#4 0x56485de52440 in tcp_input slirp/tcp_input.c:1392
#5 0x56485de329ef in ip_input slirp/ip_input.c:206
#6 0x56485de3cf93 in slirp_input slirp/slirp.c:872
#7 0x56485de0726d in net_slirp_receive net/slirp.c:119
#8 0x56485ddee24d in nc_sendv_compat net/net.c:707
#9 0x56485ddee3dd in qemu_deliver_packet_iov net/net.c:734
#10 0x56485ddf422c in qemu_net_queue_deliver_iov net/queue.c:179
...
===
A full trace output can be seen
here -> https://paste.fedoraproject.org/paste/gh~hDctqUQ8uVt6UdG~zbg
I tried to debug how the 'so' and 'slirp' objects are connected and why it's
leading to a UAF issue, but couldn't quite fix it.
Could you please help with an appropriate patch for this one?
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
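The following is an added example and is not part of this e-mail or of the QEMU/slirp code base: a small Python triage helper that parses an AddressSanitizer report of the shape shown above into the error kind, the faulting access and the stack frames, checks that the access address agrees with the error header, and locates the innermost and outermost frames that lie inside a given subsystem (here slirp/). The embedded report text is copied from the trace in the message; the names parse_asan_report, subsystem_span and crash_signature are mine and not from any ASan or QEMU tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AddressSanitizer output copied from the report in the message above.
ASAN_REPORT = """\
==31922==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400001ff8c at pc 0x56485de28ea0 bp 0x7f00f44fc950 sp 0x7f00f44fc940
READ of size 4 at 0x61400001ff8c thread T2
#0 0x56485de28e9f in if_start slirp/if.c:230
#1 0x56485de28a58 in if_output slirp/if.c:141
#2 0x56485de35173 in ip_output slirp/ip_output.c:85
#3 0x56485de57c48 in tcp_respond slirp/tcp_subr.c:218
#4 0x56485de52440 in tcp_input slirp/tcp_input.c:1392
#5 0x56485de329ef in ip_input slirp/ip_input.c:206
#6 0x56485de3cf93 in slirp_input slirp/slirp.c:872
#7 0x56485de0726d in net_slirp_receive net/slirp.c:119
#8 0x56485ddee24d in nc_sendv_compat net/net.c:707
#9 0x56485ddee3dd in qemu_deliver_packet_iov net/net.c:734
#10 0x56485ddf422c in qemu_net_queue_deliver_iov net/queue.c:179
"""

# The three line shapes we care about; everything else in a report is ignored.
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) thread (?P<thread>T\d+)")
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)")


@dataclass
class Frame:
    index: int
    pc: str
    func: str
    file: str
    line: int


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    op: Optional[str]
    size: Optional[int]
    thread: Optional[str]
    access_address: Optional[str]
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    """Parse the ERROR header, the READ/WRITE line and the first stack trace."""
    pid = kind = address = None
    op = thread = access_address = None
    size = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pid, kind, address = int(m["pid"]), m["kind"], m["addr"]
            continue
        m = ACCESS_RE.match(line)
        if m:
            op, size, thread, access_address = m["op"], int(m["size"]), m["thread"], m["addr"]
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["pc"], m["func"], m["file"], int(m["line"])))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return AsanReport(pid, kind, address, op, size, thread, access_address, frames)


def access_matches_error(report: AsanReport) -> bool:
    """Sanity check: the faulting access should be at the address the header names."""
    return report.access_address is not None and report.access_address == report.address


def subsystem_span(report: AsanReport, prefix: str) -> Tuple[Optional[Frame], Optional[Frame]]:
    """Innermost and outermost frames whose source file lives under `prefix`.

    The innermost frame is where the bad access happened; the outermost is the
    entry point through which the subsystem was reached, which is usually where
    a lifetime or ownership review should start."""
    inside = [f for f in report.frames if f.file.startswith(prefix)]
    if not inside:
        return None, None
    return inside[0], inside[-1]


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Stable key for de-duplicating sanitizer crashes: kind plus the top frames."""
    return "|".join([report.kind] + [f.func for f in report.frames[:depth]])


if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    inner, outer = subsystem_span(rep, "slirp/")
    print(f"{rep.kind}: {rep.op} of {rep.size} bytes by thread {rep.thread}")
    print(f"faulting frame: {inner.func} ({inner.file}:{inner.line})")
    print(f"subsystem entry: {outer.func} ({outer.file}:{outer.line})")
    print("signature:", crash_signature(rep))
```

The span helper is the useful part for triage: for this report it brackets the problem between if_start (the read of freed memory) and slirp_input (where the packet entered slirp), which is exactly the region in which the ownership of the socket object that was freed by the other thread needs to be traced.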
Thread overview: 5+ messages
2017-08-03 12:15 P J P [this message]
2017-08-23 20:27 ` [Qemu-devel] A use-after-free in slirp Samuel Thibault
2017-08-24 11:18 ` P J P
2017-08-24 23:42 ` Samuel Thibault
2017-08-25 2:51 ` Philippe Mathieu-Daudé