[Qemu-devel] [PULL 20/52] crypto: fix stack-buffer-overflow error

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 20/52] crypto: fix stack-buffer-overflow error

From:	Paolo Bonzini
Subject:	[Qemu-devel] [PULL 20/52] crypto: fix stack-buffer-overflow error
Date:	Fri, 12 Jan 2018 12:30:44 +0100

From: Marc-André Lureau <address@hidden>

ASAN complains about:

==8856==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffd8a1fe168 at pc 0x561136cb4451 bp 0x7ffd8a1fe130 sp 0x7ffd8a1fd8e0
READ of size 16 at 0x7ffd8a1fe168 thread T0
    #0 0x561136cb4450 in __asan_memcpy 
(/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450)
    #1 0x561136d2a6a7 in qcrypto_ivgen_essiv_calculate 
/home/elmarco/src/qq/crypto/ivgen-essiv.c:83:5
    #2 0x561136d29af8 in qcrypto_ivgen_calculate 
/home/elmarco/src/qq/crypto/ivgen.c:72:12
    #3 0x561136d07c8e in test_ivgen 
/home/elmarco/src/qq/tests/test-crypto-ivgen.c:148:5
    #4 0x7f77772c3b04 in test_case_run 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2237
    #5 0x7f77772c3ec4 in g_test_run_suite_internal 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2321
    #6 0x7f77772c3f6d in g_test_run_suite_internal 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
    #7 0x7f77772c3f6d in g_test_run_suite_internal 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
    #8 0x7f77772c3f6d in g_test_run_suite_internal 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
    #9 0x7f77772c4184 in g_test_run_suite 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2408
    #10 0x7f77772c2e0d in g_test_run 
/home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:1674
    #11 0x561136d0799b in main 
/home/elmarco/src/qq/tests/test-crypto-ivgen.c:173:12
    #12 0x7f77756e6039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #13 0x561136c13d89 in _start 
(/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x6fd89)

Address 0x7ffd8a1fe168 is located in stack of thread T0 at offset 40 in frame
    #0 0x561136d2a40f in qcrypto_ivgen_essiv_calculate 
/home/elmarco/src/qq/crypto/ivgen-essiv.c:76

  This frame has 1 object(s):
    [32, 40) 'sector.addr' <== Memory access at offset 40 overflows this 
variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow 
(/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450) in __asan_memcpy
Shadow bytes around the buggy address:
  0x100031437bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100031437c20: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f3]f3 f3
  0x100031437c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031437c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

It looks like the rest of the code copes with ndata being larger than
sizeof(sector), so limit the memcpy() range.

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Message-Id: <address@hidden>
Tested-by: Thomas Huth <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 crypto/ivgen-essiv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ivgen-essiv.c b/crypto/ivgen-essiv.c
index cba20bd..ad4d926 100644
--- a/crypto/ivgen-essiv.c
+++ b/crypto/ivgen-essiv.c
@@ -79,7 +79,7 @@ static int qcrypto_ivgen_essiv_calculate(QCryptoIVGen *ivgen,
     uint8_t *data = g_new(uint8_t, ndata);
 
     sector = cpu_to_le64(sector);
-    memcpy(data, (uint8_t *)&sector, ndata);
+    memcpy(data, (uint8_t *)&sector, MIN(sizeof(sector), ndata));
     if (sizeof(sector) < ndata) {
         memset(data + sizeof(sector), 0, ndata - sizeof(sector));
     }
-- 
1.8.3.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL 15/52] build-sys: add some sanitizers when --enable-debug if possible, (continued)
- [Qemu-devel] [PULL 15/52] build-sys: add some sanitizers when --enable-debug if possible, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 10/52] build-sys: silence make by default or V=0, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 12/52] build-sys: compile with -Og or -O1 when --enable-debug, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 09/52] build-sys: fix qemu-ga -pthread linking, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 14/52] tests/docker: add test-debug, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 16/52] tests: fix check-qobject leak, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 13/52] tests/docker: add some sanitizers to fedora dockerfile, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 11/52] build-sys: add a rule to print a variable, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 17/52] vl: fix direct firmware directories leak, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 18/52] readline: add a free function, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 20/52] crypto: fix stack-buffer-overflow error, Paolo Bonzini <=
- [Qemu-devel] [PULL 19/52] tests: fix migration-test leak, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 23/52] ucontext: annotate coroutine stack for ASAN, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 25/52] mips: fix potential fopen(NULL,...), Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 21/52] qemu-config: fix leak in query-command-line-options, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 22/52] tests: fix qmp-test leak, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 26/52] disas/s390: fix global-buffer-overflow, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 27/52] scsi-disk: release AioContext in unaligned WRITE SAME case, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 24/52] tests: fix coroutine leak in /basic/entered, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 28/52] tests/boot-serial-test: Add tests for microblaze boards, Paolo Bonzini, 2018/01/12
- [Qemu-devel] [PULL 29/52] tests/boot-serial-test: Add a test for the moxiesim machine, Paolo Bonzini, 2018/01/12

Prev by Date: [Qemu-devel] [PULL 18/52] readline: add a free function
Next by Date: [Qemu-devel] [PULL 19/52] tests: fix migration-test leak
Previous by thread: [Qemu-devel] [PULL 18/52] readline: add a free function
Next by thread: [Qemu-devel] [PULL 19/52] tests: fix migration-test leak
Index(es):
- Date
- Thread