[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1661815] Re: Stack address is returned from function translate_one

From: Thomas Huth
Subject: [Bug 1661815] Re: Stack address is returned from function translate_one
Date: Tue, 11 Feb 2020 14:34:04 -0000

Fixed here:

** Changed in: qemu
       Status: New => Fix Committed

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  Stack address is returned from function translate_one

Status in QEMU:
  Fix Committed

Bug description:
  The vulnerable version is qemu-2.8.0, and the vulnerable function is
  in "target-s390x/translate.c".

  The code snippet is as following.

  static ExitStatus translate_one(CPUS390XState *env, DisasContext *s)
      const DisasInsn *insn;
      ExitStatus ret = NO_EXIT;
      DisasFields f;
      s->fields = &f;
      s->pc = s->next_pc;
      return ret;

  A stack address, i.e. the address of local variable "f" is returned
  from current function through the output parameter "s->fields" as a
  side effect.

  This issue is one kind of undefined behaviors, according the C
  Standard, 6.2.4 [ISO/IEC 9899:2011]

  This dangerous defect may lead to an exploitable vulnerability.
  We suggest sanitizing "s->fields" as null before return.

  Note that this issue is reported by shqking and Zhenwei Zou together.

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]