[PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
@ 2021-01-06  5:06 Gan Qixin
  2021-01-06 11:29 ` Laurent Vivier
  2021-01-06 12:24 ` Thomas Huth
  0 siblings, 2 replies; 3+ messages in thread
From: Gan Qixin @ 2021-01-06  5:06 UTC (permalink / raw)
  To: qemu-devel, qemu-trivial
  Cc: Laurent Vivier, Thomas Huth, zhang.zhanghailiang, Gan Qixin,
	Euler Robot, kuhn.chenqun

When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause
heap buffer overflow. Therefore, use strncmp to avoid this problem.

The asan showed stack:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
0x60200000f2f4 thread T0
    #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
    #1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
    #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
    #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
    #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Gan Qixin <ganqixin@huawei.com>
---
Cc: Thomas Huth <thuth@redhat.com>
Cc: Laurent Vivier <lvivier@redhat.com>

v2:
Changes suggested by Thomas Huth:
    Replace memcmp(..., 5) with strncmp(..., 5).
---
 tests/qtest/libqtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index e49f3a1e45..e93424ffdd 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -1281,7 +1281,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
         g_assert(qstr);
         mname = qstring_get_str(qstr);
         /* Ignore machines that cannot be used for qtests */
-        if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
+        if (!strncmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
             continue;
         }
         if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) {
-- 
2.27.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
  2021-01-06  5:06 [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine() Gan Qixin
@ 2021-01-06 11:29 ` Laurent Vivier
  2021-01-06 12:24 ` Thomas Huth
  1 sibling, 0 replies; 3+ messages in thread
From: Laurent Vivier @ 2021-01-06 11:29 UTC (permalink / raw)
  To: Gan Qixin, qemu-devel, qemu-trivial
  Cc: kuhn.chenqun, Thomas Huth, zhang.zhanghailiang, Euler Robot

On 06/01/2021 06:06, Gan Qixin wrote:
> When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause
> heap buffer overflow. Therefore, use strncmp to avoid this problem.
> 
> The asan showed stack:
> 
> ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
> pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
> 0x60200000f2f4 thread T0
>     #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
>     #1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
>     #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
>     #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
>     #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
> 
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Gan Qixin <ganqixin@huawei.com>
> ---
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: Laurent Vivier <lvivier@redhat.com>
> 
> v2:
> Changes suggested by Thomas Huth:
>     Replace memcmp(..., 5) with strncmp(..., 5).
> ---
>  tests/qtest/libqtest.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
> index e49f3a1e45..e93424ffdd 100644
> --- a/tests/qtest/libqtest.c
> +++ b/tests/qtest/libqtest.c
> @@ -1281,7 +1281,7 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
>          g_assert(qstr);
>          mname = qstring_get_str(qstr);
>          /* Ignore machines that cannot be used for qtests */
> -        if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
> +        if (!strncmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) {
>              continue;
>          }
>          if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) {
> 

Reviewed-by: Laurent Vivier <lvivier@redhat.com>

Problem seem to have been introduced originally by
9a709f06c870 ("piix: fix xenfv regression, add compat machine xenfv-4.2")

Moved here by:
51b3ca975929 ("tests/qtest: Unify the test for the xenfv and xenpv machines"

Thanks,
Laurent



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine()
  2021-01-06  5:06 [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine() Gan Qixin
  2021-01-06 11:29 ` Laurent Vivier
@ 2021-01-06 12:24 ` Thomas Huth
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2021-01-06 12:24 UTC (permalink / raw)
  To: Gan Qixin, qemu-devel, qemu-trivial
  Cc: Laurent Vivier, kuhn.chenqun, zhang.zhanghailiang, Euler Robot

On 06/01/2021 06.06, Gan Qixin wrote:
> When the length of mname is less than 5, memcpy("xenfv", mname, 5) will cause
> heap buffer overflow. Therefore, use strncmp to avoid this problem.
> 
> The asan showed stack:
> 
> ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f2f4 at
> pc 0x7f65d8cc2225 bp 0x7ffe93cc5a60 sp 0x7ffe93cc5208 READ of size 5 at
> 0x60200000f2f4 thread T0
>      #0 0x7f65d8cc2224 in memcmp (/lib64/libasan.so.5+0xdf224)
>      #1 0x5632c20be95b in qtest_cb_for_every_machine tests/qtest/libqtest.c:1282
>      #2 0x5632c20b7995 in main tests/qtest/test-hmp.c:160
>      #3 0x7f65d88fed42 in __libc_start_main (/lib64/libc.so.6+0x26d42)
>      #4 0x5632c20b72cd in _start (build/tests/qtest/test-hmp+0x542cd)
> 
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Gan Qixin <ganqixin@huawei.com>
> ---
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: Laurent Vivier <lvivier@redhat.com>
> 
> v2:
> Changes suggested by Thomas Huth:
>      Replace memcmp(..., 5) with strncmp(..., 5).
> ---
>   tests/qtest/libqtest.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, queued now to my qtest-next branch:

  https://gitlab.com/huth/qemu/-/commits/qtest-next/

  Thomas



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-01-06 12:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-06  5:06 [PATCH v2] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine() Gan Qixin
2021-01-06 11:29 ` Laurent Vivier
2021-01-06 12:24 ` Thomas Huth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).