[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1908369] Re: heap-use-after-free in in nic_reset ../hw/net/eepro100
From: |
Gaoning Pan |
Subject: |
[Bug 1908369] Re: heap-use-after-free in in nic_reset ../hw/net/eepro100.c:616 |
Date: |
Wed, 16 Dec 2020 10:29:37 -0000 |
** Changed in: qemu
Assignee: (unassigned) => Gaoning Pan (hades0506)
** Description changed:
Hello,
An heap-use-after-free issue was found in hw/net/eepro100.c:616 in
latest version 5.2.0.
This issue was found when I was debugging Qemu in monitor. When I attach
An eepro100 NIC, and reload the snapshot, the use-after-free triggers.
Qemu boot command is as follows:
./qemu-5.2.0-rc4/build/qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive
format=qcow2,file=./ubuntu.img -display none -monitor stdio
(qemu) device_add i82559a,id=eepro
(qemu) device_del eepro
(qemu) savevm tag0
(qemu) loadvm tag0
-
Backtrace is as follows:
=================================================================
==32048==ERROR: AddressSanitizer: heap-use-after-free on address
0x6280000449f0 at pc 0x7f751f5eed1a bp 0x7ffcd01f2cf0 sp 0x7ffcd01f2498
WRITE of size 8 at 0x6280000449f0 thread T0
- #0 0x7f751f5eed19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
- #1 0x55948f3c9287 in nic_reset ../hw/net/eepro100.c:616
- #2 0x5594900f481a in qemu_devices_reset ../hw/core/reset.c:69
- #3 0x55948fae72e7 in pc_machine_reset ../hw/i386/pc.c:1615
- #4 0x55948fda10af in qemu_system_reset ../softmmu/vl.c:1405
- #5 0x55948f1ce8ed in load_snapshot ../migration/savevm.c:3008
- #6 0x55948f7420e9 in hmp_loadvm ../monitor/hmp-cmds.c:1133
- #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
- #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
- #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
- #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
- #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
- #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
- #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
- #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
- #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
- #16 0x559490580e97 in glib_pollfds_poll ../util/main-loop.c:221
- #17 0x559490580fb3 in os_host_main_loop_wait ../util/main-loop.c:244
- #18 0x55949058124f in main_loop_wait ../util/main-loop.c:520
- #19 0x55948fda1e53 in qemu_main_loop ../softmmu/vl.c:1678
- #20 0x55948f183c76 in main ../softmmu/main.c:50
- #21 0x7f751a8e3b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
- #22 0x55948f183b69 in _start
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x19c6b69)
+ #0 0x7f751f5eed19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
+ #1 0x55948f3c9287 in nic_reset ../hw/net/eepro100.c:616
+ #2 0x5594900f481a in qemu_devices_reset ../hw/core/reset.c:69
+ #3 0x55948fae72e7 in pc_machine_reset ../hw/i386/pc.c:1615
+ #4 0x55948fda10af in qemu_system_reset ../softmmu/vl.c:1405
+ #5 0x55948f1ce8ed in load_snapshot ../migration/savevm.c:3008
+ #6 0x55948f7420e9 in hmp_loadvm ../monitor/hmp-cmds.c:1133
+ #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
+ #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
+ #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
+ #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
+ #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
+ #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
+ #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
+ #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
+ #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
+ #16 0x559490580e97 in glib_pollfds_poll ../util/main-loop.c:221
+ #17 0x559490580fb3 in os_host_main_loop_wait ../util/main-loop.c:244
+ #18 0x55949058124f in main_loop_wait ../util/main-loop.c:520
+ #19 0x55948fda1e53 in qemu_main_loop ../softmmu/vl.c:1678
+ #20 0x55948f183c76 in main ../softmmu/main.c:50
+ #21 0x7f751a8e3b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
+ #22 0x55948f183b69 in _start
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x19c6b69)
0x6280000449f0 is located 2288 bytes inside of 15616-byte region
[0x628000044100,0x628000047e00)
freed by thread T1 here:
- #0 0x7f751f66e7a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
- #1 0x5594900ade06 in object_finalize ../qom/object.c:689
- #2 0x5594900b04fe in object_unref ../qom/object.c:1183
- #3 0x5594900eae68 in bus_free_bus_child ../hw/core/qdev.c:56
- #4 0x55949055d2d7 in call_rcu_thread ../util/rcu.c:281
- #5 0x5594905ad296 in qemu_thread_start ../util/qemu-thread-posix.c:521
- #6 0x7f751acba6da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
+ #0 0x7f751f66e7a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
+ #1 0x5594900ade06 in object_finalize ../qom/object.c:689
+ #2 0x5594900b04fe in object_unref ../qom/object.c:1183
+ #3 0x5594900eae68 in bus_free_bus_child ../hw/core/qdev.c:56
+ #4 0x55949055d2d7 in call_rcu_thread ../util/rcu.c:281
+ #5 0x5594905ad296 in qemu_thread_start ../util/qemu-thread-posix.c:521
+ #6 0x7f751acba6da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
previously allocated by thread T0 here:
- #0 0x7f751f66eb40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
- #1 0x7f751e05bab8 in g_malloc
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
- #2 0x5594900ae04f in object_new ../qom/object.c:744
- #3 0x5594900ec0c3 in qdev_new ../hw/core/qdev.c:154
- #4 0x55948f37b084 in qdev_device_add ../softmmu/qdev-monitor.c:654
- #5 0x55948f37c36d in qmp_device_add ../softmmu/qdev-monitor.c:805
- #6 0x55948f37cd40 in hmp_device_add ../softmmu/qdev-monitor.c:916
- #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
- #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
- #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
- #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
- #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
- #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
- #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
- #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
- #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
+ #0 0x7f751f66eb40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
+ #1 0x7f751e05bab8 in g_malloc
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
+ #2 0x5594900ae04f in object_new ../qom/object.c:744
+ #3 0x5594900ec0c3 in qdev_new ../hw/core/qdev.c:154
+ #4 0x55948f37b084 in qdev_device_add ../softmmu/qdev-monitor.c:654
+ #5 0x55948f37c36d in qmp_device_add ../softmmu/qdev-monitor.c:805
+ #6 0x55948f37cd40 in hmp_device_add ../softmmu/qdev-monitor.c:916
+ #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
+ #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
+ #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
+ #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
+ #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
+ #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
+ #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
+ #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
+ #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
Thread T1 created by T0 here:
- #0 0x7f751f5c7d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
- #1 0x5594905ad673 in qemu_thread_create ../util/qemu-thread-posix.c:558
- #2 0x55949055d8f0 in rcu_init_complete ../util/rcu.c:379
- #3 0x55949055dab9 in rcu_init ../util/rcu.c:435
- #4 0x55949068e5dc in __libc_csu_init
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x2ed15dc)
+ #0 0x7f751f5c7d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
+ #1 0x5594905ad673 in qemu_thread_create ../util/qemu-thread-posix.c:558
+ #2 0x55949055d8f0 in rcu_init_complete ../util/rcu.c:379
+ #3 0x55949055dab9 in rcu_init ../util/rcu.c:435
+ #4 0x55949068e5dc in __libc_csu_init
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x2ed15dc)
SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
Shadow bytes around the buggy address:
- 0x0c50800008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c50800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c50800008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c50800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5080000930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
- 0x0c5080000940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c5080000980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
- Addressable: 00
- Partially addressable: 01 02 03 04 05 06 07
- Heap left redzone: fa
- Freed heap region: fd
- Stack left redzone: f1
- Stack mid redzone: f2
- Stack right redzone: f3
- Stack after return: f5
- Stack use after scope: f8
- Global redzone: f9
- Global init order: f6
- Poisoned by user: f7
- Container overflow: fc
- Array cookie: ac
- Intra object redzone: bb
- ASan internal: fe
- Left alloca redzone: ca
- Right alloca redzone: cb
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
==32048==ABORTING
-
Thanks.
** Description changed:
- Hello,
-
- An heap-use-after-free issue was found in hw/net/eepro100.c:616 in
- latest version 5.2.0.
-
- This issue was found when I was debugging Qemu in monitor. When I attach
- An eepro100 NIC, and reload the snapshot, the use-after-free triggers.
-
- Qemu boot command is as follows:
- ./qemu-5.2.0-rc4/build/qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive
format=qcow2,file=./ubuntu.img -display none -monitor stdio
- (qemu) device_add i82559a,id=eepro
- (qemu) device_del eepro
- (qemu) savevm tag0
- (qemu) loadvm tag0
-
- Backtrace is as follows:
- =================================================================
- ==32048==ERROR: AddressSanitizer: heap-use-after-free on address
0x6280000449f0 at pc 0x7f751f5eed1a bp 0x7ffcd01f2cf0 sp 0x7ffcd01f2498
- WRITE of size 8 at 0x6280000449f0 thread T0
- #0 0x7f751f5eed19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
- #1 0x55948f3c9287 in nic_reset ../hw/net/eepro100.c:616
- #2 0x5594900f481a in qemu_devices_reset ../hw/core/reset.c:69
- #3 0x55948fae72e7 in pc_machine_reset ../hw/i386/pc.c:1615
- #4 0x55948fda10af in qemu_system_reset ../softmmu/vl.c:1405
- #5 0x55948f1ce8ed in load_snapshot ../migration/savevm.c:3008
- #6 0x55948f7420e9 in hmp_loadvm ../monitor/hmp-cmds.c:1133
- #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
- #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
- #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
- #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
- #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
- #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
- #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
- #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
- #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
- #16 0x559490580e97 in glib_pollfds_poll ../util/main-loop.c:221
- #17 0x559490580fb3 in os_host_main_loop_wait ../util/main-loop.c:244
- #18 0x55949058124f in main_loop_wait ../util/main-loop.c:520
- #19 0x55948fda1e53 in qemu_main_loop ../softmmu/vl.c:1678
- #20 0x55948f183c76 in main ../softmmu/main.c:50
- #21 0x7f751a8e3b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
- #22 0x55948f183b69 in _start
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x19c6b69)
-
- 0x6280000449f0 is located 2288 bytes inside of 15616-byte region
[0x628000044100,0x628000047e00)
- freed by thread T1 here:
- #0 0x7f751f66e7a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
- #1 0x5594900ade06 in object_finalize ../qom/object.c:689
- #2 0x5594900b04fe in object_unref ../qom/object.c:1183
- #3 0x5594900eae68 in bus_free_bus_child ../hw/core/qdev.c:56
- #4 0x55949055d2d7 in call_rcu_thread ../util/rcu.c:281
- #5 0x5594905ad296 in qemu_thread_start ../util/qemu-thread-posix.c:521
- #6 0x7f751acba6da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
-
- previously allocated by thread T0 here:
- #0 0x7f751f66eb40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
- #1 0x7f751e05bab8 in g_malloc
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
- #2 0x5594900ae04f in object_new ../qom/object.c:744
- #3 0x5594900ec0c3 in qdev_new ../hw/core/qdev.c:154
- #4 0x55948f37b084 in qdev_device_add ../softmmu/qdev-monitor.c:654
- #5 0x55948f37c36d in qmp_device_add ../softmmu/qdev-monitor.c:805
- #6 0x55948f37cd40 in hmp_device_add ../softmmu/qdev-monitor.c:916
- #7 0x55948f7e4319 in handle_hmp_command ../monitor/hmp.c:1100
- #8 0x55948f7dbf1f in monitor_command_cb ../monitor/hmp.c:47
- #9 0x559490599854 in readline_handle_byte ../util/readline.c:408
- #10 0x55948f7e635a in monitor_read ../monitor/hmp.c:1340
- #11 0x5594900c25c5 in qemu_chr_be_write_impl ../chardev/char.c:201
- #12 0x5594900c266b in qemu_chr_be_write ../chardev/char.c:213
- #13 0x5594900df9ce in fd_chr_read ../chardev/char-fd.c:68
- #14 0x55949011f217 in qio_channel_fd_source_dispatch
../io/channel-watch.c:84
- #15 0x7f751e056284 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
-
- Thread T1 created by T0 here:
- #0 0x7f751f5c7d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
- #1 0x5594905ad673 in qemu_thread_create ../util/qemu-thread-posix.c:558
- #2 0x55949055d8f0 in rcu_init_complete ../util/rcu.c:379
- #3 0x55949055dab9 in rcu_init ../util/rcu.c:435
- #4 0x55949068e5dc in __libc_csu_init
(/home/zjusvn/qemu5-hypervisor/qemu-5.2.0-rc4/build/qemu-system-x86_64+0x2ed15dc)
-
- SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
- Shadow bytes around the buggy address:
- 0x0c50800008e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c50800008f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- =>0x0c5080000930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
- 0x0c5080000940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- 0x0c5080000980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- Shadow byte legend (one shadow byte represents 8 application bytes):
- Addressable: 00
- Partially addressable: 01 02 03 04 05 06 07
- Heap left redzone: fa
- Freed heap region: fd
- Stack left redzone: f1
- Stack mid redzone: f2
- Stack right redzone: f3
- Stack after return: f5
- Stack use after scope: f8
- Global redzone: f9
- Global init order: f6
- Poisoned by user: f7
- Container overflow: fc
- Array cookie: ac
- Intra object redzone: bb
- ASan internal: fe
- Left alloca redzone: ca
- Right alloca redzone: cb
- ==32048==ABORTING
-
- Thanks.
+ sorry
** Summary changed:
- heap-use-after-free in in nic_reset ../hw/net/eepro100.c:616
+ deleted
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1908369
Title:
deleted
Status in QEMU:
New
Bug description:
sorry
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1908369/+subscriptions