mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-11-05 20:35:44 +00:00
1153cf9f5b
The tulip networking card emulation has an OOB issue in
'tulip_copy_tx_buffers' when the guest provide malformed descriptor.
This test will trigger a ASAN heap overflow crash. To trigger this
issue we can construct the data as following:
1. construct a 'tulip_descriptor'. Its control is set to
'0x7ff | 0x7ff << 11', this will make the 'tulip_copy_tx_buffers's
'len1' and 'len2' to 0x7ff(2047). So 'len1+len2' will overflow
'TULIPState's 'tx_frame' field. This descriptor's 'buf_addr1' and
'buf_addr2' should set to a guest address.
2. write this descriptor to tulip device's CSR4 register. This will
set the 'TULIPState's 'current_tx_desc' field.
3. write 'CSR6_ST' to tulip device's CSR6 register. This will trigger
'tulip_xmit_list_update' and finally calls 'tulip_copy_tx_buffers'.
Following shows the backtrack of crash:
==31781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000007cd0 at pc 0x7fe03c5a077a bp 0x7fff05b46770 sp 0x7fff05b45f18
WRITE of size 2047 at 0x628000007cd0 thread T0
#0 0x7fe03c5a0779 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
#1 0x5575fb6daa6a in flatview_read_continue /home/test/qemu/exec.c:3194
#2 0x5575fb6daccb in flatview_read /home/test/qemu/exec.c:3227
#3 0x5575fb6dae66 in address_space_read_full /home/test/qemu/exec.c:3240
#4 0x5575fb6db0cb in address_space_rw /home/test/qemu/exec.c:3268
#5 0x5575fbdfd460 in dma_memory_rw_relaxed /home/test/qemu/include/sysemu/dma.h:87
#6 0x5575fbdfd4b5 in dma_memory_rw /home/test/qemu/include/sysemu/dma.h:110
#7 0x5575fbdfd866 in pci_dma_rw /home/test/qemu/include/hw/pci/pci.h:787
#8 0x5575fbdfd8a3 in pci_dma_read /home/test/qemu/include/hw/pci/pci.h:794
#9 0x5575fbe02761 in tulip_copy_tx_buffers hw/net/tulip.c:585
#10 0x5575fbe0366b in tulip_xmit_list_update hw/net/tulip.c:678
#11 0x5575fbe04073 in tulip_write hw/net/tulip.c:783
Signed-off-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||
|---|---|---|
| .. | ||
| acceptance | ||
| data | ||
| decode | ||
| docker | ||
| fp | ||
| guest-debug | ||
| image-fuzzer | ||
| keys | ||
| migration | ||
| multiboot | ||
| perf/block/qcow2 | ||
| plugin | ||
| qapi-schema | ||
| qemu-iotests | ||
| qtest | ||
| rocker | ||
| tcg | ||
| uefi-test-tools | ||
| vm | ||
| vmstate-static-checker-data | ||
| .gitignore | ||
| atomic64-bench.c | ||
| atomic_add-bench.c | ||
| benchmark-crypto-cipher.c | ||
| benchmark-crypto-hash.c | ||
| benchmark-crypto-hmac.c | ||
| check-block-qdict.c | ||
| check-block.sh | ||
| check-qdict.c | ||
| check-qjson.c | ||
| check-qlist.c | ||
| check-qlit.c | ||
| check-qnull.c | ||
| check-qnum.c | ||
| check-qobject.c | ||
| check-qom-interface.c | ||
| check-qom-proplist.c | ||
| check-qstring.c | ||
| crypto-tls-psk-helpers.c | ||
| crypto-tls-psk-helpers.h | ||
| crypto-tls-x509-helpers.c | ||
| crypto-tls-x509-helpers.h | ||
| dbus-vmstate-daemon.sh | ||
| io-channel-helpers.c | ||
| io-channel-helpers.h | ||
| iothread.c | ||
| iothread.h | ||
| Makefile.include | ||
| pkix_asn1_tab.c | ||
| ptimer-test-stubs.c | ||
| ptimer-test.c | ||
| ptimer-test.h | ||
| qht-bench.c | ||
| rcutorture.c | ||
| requirements.txt | ||
| socket-helpers.c | ||
| socket-helpers.h | ||
| test-aio-multithread.c | ||
| test-aio.c | ||
| test-authz-list.c | ||
| test-authz-listfile.c | ||
| test-authz-pam.c | ||
| test-authz-simple.c | ||
| test-base64.c | ||
| test-bdrv-drain.c | ||
| test-bdrv-graph-mod.c | ||
| test-bitcnt.c | ||
| test-bitmap.c | ||
| test-bitops.c | ||
| test-block-backend.c | ||
| test-block-iothread.c | ||
| test-blockjob-txn.c | ||
| test-blockjob.c | ||
| test-bufferiszero.c | ||
| test-char.c | ||
| test-clone-visitor.c | ||
| test-coroutine.c | ||
| test-crypto-afsplit.c | ||
| test-crypto-block.c | ||
| test-crypto-cipher.c | ||
| test-crypto-hash.c | ||
| test-crypto-hmac.c | ||
| test-crypto-ivgen.c | ||
| test-crypto-pbkdf.c | ||
| test-crypto-secret.c | ||
| test-crypto-tlscredsx509.c | ||
| test-crypto-tlssession.c | ||
| test-crypto-xts.c | ||
| test-cutils.c | ||
| test-hbitmap.c | ||
| test-image-locking.c | ||
| test-int128.c | ||
| test-io-channel-buffer.c | ||
| test-io-channel-command.c | ||
| test-io-channel-file.c | ||
| test-io-channel-socket.c | ||
| test-io-channel-tls.c | ||
| test-io-task.c | ||
| test-iov.c | ||
| test-keyval.c | ||
| test-logging.c | ||
| test-mul64.c | ||
| test-opts-visitor.c | ||
| test-qapi-util.c | ||
| test-qdev-global-props.c | ||
| test-qdist.c | ||
| test-qemu-opts.c | ||
| test-qga.c | ||
| test-qgraph.c | ||
| test-qht-par.c | ||
| test-qht.c | ||
| test-qmp-cmds.c | ||
| test-qmp-event.c | ||
| test-qobject-input-visitor.c | ||
| test-qobject-output-visitor.c | ||
| test-rcu-list.c | ||
| test-rcu-simpleq.c | ||
| test-rcu-slist.c | ||
| test-rcu-tailq.c | ||
| test-replication.c | ||
| test-shift128.c | ||
| test-string-input-visitor.c | ||
| test-string-output-visitor.c | ||
| test-thread-pool.c | ||
| test-throttle.c | ||
| test-timed-average.c | ||
| test-util-filemonitor.c | ||
| test-util-sockets.c | ||
| test-uuid.c | ||
| test-visitor-serialization.c | ||
| test-vmstate.c | ||
| test-write-threshold.c | ||
| test-x86-cpuid.c | ||
| test-xbzrle.c | ||
| vhost-user-bridge.c | ||