qemu/tests/qtest
Philippe Mathieu-Daudé 7d6a4f123e net/eth: Read ip6_ext_hdr_routing buffer before accessing it
We can't know whether the caller read enough data into the memory pointed
to by ext_hdr to cast it as an ip6_ext_hdr_routing.
Declare rt_hdr on the stack and fill it again from the iovec.

Since we already checked there is enough data in the iovec buffer,
simply add an assert() call to consume the bytes_read variable.

This fixes a 2-byte buffer overrun in eth_parse_ipv6_hdr() reported
by the QEMU fuzzer:

  $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
    -accel qtest -monitor none \
    -serial none -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  write 0x25 0x1 0x86
  write 0x26 0x1 0xdd
  write 0x4f 0x1 0x2b
  write 0xe1020030 0x4 0x190002e1
  write 0xe102003a 0x2 0x0807
  write 0xe1020048 0x4 0x12077cdd
  write 0xe1020400 0x4 0xba077cdd
  write 0xe1020420 0x4 0x190002e1
  write 0xe1020428 0x4 0x3509d807
  write 0xe1020438 0x1 0xe2
  EOF
  =================================================================
  ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
  READ of size 1 at 0x7ffdef904902 thread T0
      #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
      #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
      #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
      #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
      #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
      #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
      #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
      #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
      #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

  Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
      #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

    This frame has 1 object(s):
      [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
  Shadow bytes around the buggy address:
    0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Stack left redzone:      f1
    Stack right redzone:     f3
  ==2859770==ABORTING

Add the corresponding qtest case with the fuzzer reproducer.

FWIW GCC 11 similarly reported:

  net/eth.c: In function 'eth_parse_ipv6_hdr':
  net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |          ~~~~~^~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~
  net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |                                 ~~~~~^~~~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Fixes: eb700029c7 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22 17:34:31 +08:00
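The commit above describes a type-confusion overread: a 2-byte `struct ip6_ext_hdr` on the stack is reinterpreted as the 8-byte `struct ip6_ext_hdr_routing`, so `rtype` and `segleft` (offsets 2 and 3) are read past the end of the object. The following is an added example, not QEMU's own code, showing that pattern and the shape of the fix: read the full routing header into its own correctly sized stack object, and only after checking the iovec actually holds that many bytes. The struct layouts follow QEMU's `net/eth.h` as assumed here; `iov_size_stub()`/`iov_to_buf_stub()` are small stand-ins for QEMU's `iov_size()`/`iov_to_buf()`, and the packet bytes are constructed for the example.

```c
/* Added example (not QEMU's code): the overread class fixed above and the
 * safe pattern. Struct layouts are assumed to match QEMU's net/eth.h. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

struct ip6_ext_hdr {            /* generic extension header: 2 bytes */
    uint8_t ip6r_nxt;
    uint8_t ip6r_len;           /* in 8-octet units, excluding the first 8 */
};

struct ip6_ext_hdr_routing {    /* routing extension header: 8 bytes */
    uint8_t nxt;
    uint8_t len;
    uint8_t rtype;
    uint8_t segleft;
    uint8_t rsvd[4];
};

struct in6_addr_bytes { uint8_t addr[16]; };

/* Stand-in for QEMU's iov_size(): total bytes across all fragments. */
static size_t iov_size_stub(const struct iovec *iov, unsigned iov_cnt)
{
    size_t len = 0;
    for (unsigned i = 0; i < iov_cnt; i++) len += iov[i].iov_len;
    return len;
}

/* Stand-in for QEMU's iov_to_buf(): copy up to `bytes` bytes starting at
 * `offset`, crossing fragment boundaries; returns bytes actually copied. */
static size_t iov_to_buf_stub(const struct iovec *iov, unsigned iov_cnt,
                              size_t offset, void *buf, size_t bytes)
{
    uint8_t *out = buf;
    size_t done = 0;
    for (unsigned i = 0; i < iov_cnt && done < bytes; i++) {
        if (offset >= iov[i].iov_len) { offset -= iov[i].iov_len; continue; }
        size_t avail = iov[i].iov_len - offset;
        size_t n = (bytes - done < avail) ? bytes - done : avail;
        memcpy(out + done, (const uint8_t *)iov[i].iov_base + offset, n);
        done += n;
        offset = 0;
    }
    return done;
}

/* The broken pattern (shown only as a comment, never compiled): the caller
 * filled a 2-byte struct ip6_ext_hdr on its stack and the callee did
 *
 *     struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *)ext_hdr;
 *     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) ...
 *
 * rtype/segleft sit at offsets 2 and 3, past the end of the 2-byte object:
 * exactly the 2-byte stack overread ASan reported above. */

/* Fixed pattern: a full-size rt_hdr on our own stack, filled from the iovec
 * only after a size check; bytes_read is then asserted, not trusted. Returns
 * true and fills *dst_addr only for a type-2 routing header with
 * segments-left == 1, whose 16-byte home address follows the 8-byte header. */
static bool get_rss_ex_dst_addr(const struct iovec *pkt, unsigned pkt_frags,
                                size_t ext_hdr_offset,
                                struct in6_addr_bytes *dst_addr)
{
    struct ip6_ext_hdr_routing rt_hdr;
    size_t input_size = iov_size_stub(pkt, pkt_frags);
    size_t bytes_read;

    if (input_size < ext_hdr_offset + sizeof(rt_hdr)) {
        return false;               /* too short for a routing header */
    }
    bytes_read = iov_to_buf_stub(pkt, pkt_frags, ext_hdr_offset,
                                 &rt_hdr, sizeof(rt_hdr));
    assert(bytes_read == sizeof(rt_hdr));   /* guaranteed by the check */

    if (rt_hdr.rtype != 2 || rt_hdr.segleft != 1) {
        return false;
    }
    size_t addr_offset = ext_hdr_offset + sizeof(rt_hdr);
    if (input_size < addr_offset + sizeof(*dst_addr)) {
        return false;               /* header promises an address it lacks */
    }
    bytes_read = iov_to_buf_stub(pkt, pkt_frags, addr_offset,
                                 dst_addr, sizeof(*dst_addr));
    assert(bytes_read == sizeof(*dst_addr));
    return true;
}

/* Constructed sample: a 24-byte type-2 routing header (nxt=6/TCP, len=2,
 * rtype=2, segleft=1, 4 reserved bytes, then home address 2001:db8::1). */
static const uint8_t sample_rt2[24] = {
    6, 2, 2, 1, 0, 0, 0, 0,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
};

/* Parse the first `avail` bytes of the sample, split into two fragments so
 * the copy crosses a boundary; shortening `avail` shows truncated input is
 * rejected instead of overread. */
static bool demo_parse(size_t avail, struct in6_addr_bytes *out)
{
    size_t first = avail < 5 ? avail : 5;
    struct iovec frags[2] = {
        { .iov_base = (void *)sample_rt2,           .iov_len = first },
        { .iov_base = (void *)(sample_rt2 + first), .iov_len = avail - first },
    };
    return get_rss_ex_dst_addr(frags, 2, 0, out);
}
```

`demo_parse(24, &a)` succeeds and yields the home address; `demo_parse(2, &a)` (only the 2-byte generic header is present, the situation the bug mishandled) and `demo_parse(8, &a)` (routing header present, address missing) both return false without touching memory beyond the iovec.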
fuzz fuzz: Avoid deprecated misuse of -drive if=sd 2021-03-19 15:18:43 +01:00
libqos * Add some missing gitlab-CI job dependencies 2021-03-10 17:22:45 +00:00
ac97-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
acpi-utils.c
acpi-utils.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ahci-test.c qtest: switch users back to qtest_qmp_receive 2020-10-12 11:50:49 -04:00
arm-cpu-features.c target/arm: Add cpu properties to control pauth 2021-01-19 14:38:51 +00:00
bios-tables-test-allowed-diff.h qtest/acpi/bios-tables-test: update acpi tables 2021-02-23 10:58:42 -05:00
bios-tables-test.c acpi: add test case for -no-hpet 2021-02-23 10:58:42 -05:00
boot-order-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
boot-sector.c tests/qtest/boot-sector: Check that the guest did not panic 2021-02-19 06:29:05 +01:00
boot-sector.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
boot-serial-test.c tests/qtest/boot-serial-test: Test Virt machine with 'max' 2021-02-19 06:29:04 +01:00
cdrom-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
cmsdk-apb-dualtimer-test.c tests: Add a simple test of the CMSDK APB dual timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-timer-test.c tests: Add a simple test of the CMSDK APB timer 2021-01-29 15:54:42 +00:00
cmsdk-apb-watchdog-test.c tests/qtest/cmsdk-apb-watchdog-test: Test clock changes 2021-01-29 15:54:44 +00:00
cpu-plug-test.c cphp: remove deprecated cpu-add command(s) 2020-09-29 02:14:30 -04:00
dbus-vmstate1.xml
dbus-vmstate-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
device-introspect-test.c qtest: escape device name in device-introspect-test 2020-11-04 12:00:02 -05:00
device-plug-test.c device-plug-test: use qtest_qmp to send the device_del command 2020-10-12 11:50:49 -04:00
display-vga-test.c
drive_del-test.c qemu-iotests, qtest: rewrite test 067 as a qtest 2020-10-12 11:50:50 -04:00
ds1338-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
e1000-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
e1000e-test.c
eepro100-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
emc141x-test.c hw/misc: add an EMC141{3,4} device model 2020-12-10 12:11:03 +01:00
endianness-test.c hw/mips: Remove the 'r4k' machine 2020-11-03 16:51:13 +01:00
es1370-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
fdc-test.c
fuzz-e1000e-test.c net/eth: Read ip6_ext_hdr_routing buffer before accessing it 2021-03-22 17:34:31 +08:00
fuzz-megasas-test.c tests/qtest: Only run fuzz-megasas-test if megasas device is available 2021-03-16 14:19:54 -04:00
fuzz-virtio-scsi-test.c tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available 2021-03-16 14:19:54 -04:00
fw_cfg-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
hd-geo-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
hexloader-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
i440fx-test.c
i82801b11-test.c
ide-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
intel-hda-test.c
ioh3420-test.c
ipmi-bt-test.c
ipmi-kcs-test.c tests/qtest/ipmi-kcs: Fix assert side-effect 2020-09-03 12:47:33 +02:00
ipoctal232-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ivshmem-test.c ivshmem-test: do not use short-form boolean option 2020-11-04 12:00:02 -05:00
libqtest-single.h qtest: Update references to parse_escape() in comments 2020-11-10 08:51:30 +01:00
libqtest.c libqtest: add qtest_remove_abrt_handler() 2021-03-08 14:55:19 +01:00
lpc-ich9-test.c tests/qtest: cleanup the testcase for bug 1878642 2021-03-19 10:37:46 -04:00
m25p80-test.c tests: Rename PAGE_SIZE definitions 2021-01-20 10:46:54 +01:00
m48t59-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
machine-none-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
megasas-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
meson.build net/eth: Read ip6_ext_hdr_routing buffer before accessing it 2021-03-22 17:34:31 +08:00
microbit-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
migration-helpers.c tests/migration: fix memleak in wait_command/wait_command_fd 2020-10-24 07:23:19 +02:00
migration-helpers.h meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
migration-test.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
modules-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
ne2000-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
npcm7xx_adc-test.c npcm7xx_adc-test: Fix memleak in adc_qom_set 2021-01-19 15:45:14 +00:00
npcm7xx_emc-test.c tests/qtests: Add npcm7xx emc model test 2021-03-05 15:17:34 +00:00
npcm7xx_gpio-test.c hw/gpio: Add GPIO model for Nuvoton NPCM7xx 2020-10-27 11:10:32 +00:00
npcm7xx_pwm-test.c tests/qtest: Test PWM fan RPM using MFT in PWM test 2021-03-12 12:50:36 +00:00
npcm7xx_rng-test.c tests/qtest/npcm7xx_rng-test: dump random data on failure 2020-12-10 11:30:44 +00:00
npcm7xx_smbus-test.c hw/i2c: Implement NPCM7XX SMBus Module FIFO Mode 2021-02-16 14:12:54 +00:00
npcm7xx_timer-test.c tests/qtest: variable defined by g_autofree need to be initialized 2020-11-20 13:34:22 +01:00
npcm7xx_watchdog_timer-test.c tests/qtest: fix memleak in npcm7xx_watchdog_timer-test 2020-11-20 13:35:33 +01:00
numa-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
nvme-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pca9552-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pci-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pcnet-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pflash-cfi02-test.c treewide: do not use short-form boolean options 2020-12-10 12:15:11 -05:00
pnv-xscom-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
prom-env-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
pvpanic-pci-test.c tests/qtest: add a test case for pvpanic-pci 2021-01-29 10:47:28 +00:00
pvpanic-test.c qtest/pvpanic: Test panic option that allows VM to continue 2020-12-15 12:51:59 -05:00
pxe-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
q35-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
qmp-cmd-test.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
qmp-test.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
qom-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
qos-test.c tests/qtest/qos-test: dump QEMU command if verbose 2021-02-16 17:15:39 +01:00
rtas-test.c meson: link emulators without Makefile.target 2020-08-21 06:30:40 -04:00
rtc-test.c tests/qtest: Replace magic value by NANOSECONDS_PER_SECOND definition 2020-10-13 08:08:55 +02:00
rtl8139-test.c
sdhci-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
spapr-phb-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
sse-timer-test.c tests/qtest/sse-timer-test: Test counter scaling changes 2021-03-08 17:20:03 +00:00
tco-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
test-arm-mptimer.c
test-filter-mirror.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
test-filter-redirector.c treewide: do not use short-form boolean options 2020-12-10 12:15:11 -05:00
test-hmp.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
test-netfilter.c tests: Drop 'props' from object-add calls 2021-03-19 10:15:06 +01:00
test-query-netdev.c tests: Add tests for query-netdev command 2021-03-15 16:41:22 +08:00
test-x86-cpuid-compat.c machine: remove 'query-cpus' QMP command 2021-03-18 09:22:55 +00:00
tmp105-test.c
tpm-crb-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-crb-test.c
tpm-emu.c
tpm-emu.h
tpm-tests.c tests/qtest/tpm: Remove redundant check in the tpm_test_swtpm_test() 2020-11-09 18:34:21 +01:00
tpm-tests.h
tpm-tis-device-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-tis-device-test.c
tpm-tis-swtpm-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
tpm-tis-test.c
tpm-tis-util.c
tpm-tis-util.h
tpm-util.c tests: Fix memory leak in tpm-util.c 2021-01-20 10:46:54 +01:00
tpm-util.h
tulip-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
usb-hcd-ehci-test.c libqos: usb-hcd-ehci: use 32-bit write for config register 2020-06-26 06:45:29 -04:00
usb-hcd-ohci-test.c
usb-hcd-uhci-test.c
usb-hcd-xhci-test.c
vhost-user-test.c migrate: remove QMP/HMP commands for speed, downtime and cache size 2021-03-18 09:22:55 +00:00
virtio-9p-test.c tests/9pfs: Mark "local" tests as "slow" 2020-11-24 12:44:25 +01:00
virtio-blk-test.c
virtio-ccw-test.c
virtio-net-test.c
virtio-rng-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
virtio-scsi-test.c virtio-scsi-test: Test writing to scsi-cd device 2021-01-27 20:45:20 +01:00
virtio-serial-test.c
virtio-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
vmgenid-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
vmxnet3-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
wdt_ib700-test.c meson: convert tests/qtest to meson 2020-08-21 06:30:20 -04:00
xlnx-can-test.c arm: rename xlnx-zcu102.canbusN properties 2021-01-29 10:47:28 +00:00