83e33300a2
ASAN complains about: ==8856==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd8a1fe168 at pc 0x561136cb4451 bp 0x7ffd8a1fe130 sp 0x7ffd8a1fd8e0 READ of size 16 at 0x7ffd8a1fe168 thread T0 #0 0x561136cb4450 in __asan_memcpy (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450) #1 0x561136d2a6a7 in qcrypto_ivgen_essiv_calculate /home/elmarco/src/qq/crypto/ivgen-essiv.c:83:5 #2 0x561136d29af8 in qcrypto_ivgen_calculate /home/elmarco/src/qq/crypto/ivgen.c:72:12 #3 0x561136d07c8e in test_ivgen /home/elmarco/src/qq/tests/test-crypto-ivgen.c:148:5 #4 0x7f77772c3b04 in test_case_run /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2237 #5 0x7f77772c3ec4 in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2321 #6 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333 #7 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333 #8 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333 #9 0x7f77772c4184 in g_test_run_suite /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2408 #10 0x7f77772c2e0d in g_test_run /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:1674 #11 0x561136d0799b in main /home/elmarco/src/qq/tests/test-crypto-ivgen.c:173:12 #12 0x7f77756e6039 in __libc_start_main (/lib64/libc.so.6+0x21039) #13 0x561136c13d89 in _start (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x6fd89) Address 0x7ffd8a1fe168 is located in stack of thread T0 at offset 40 in frame #0 0x561136d2a40f in qcrypto_ivgen_essiv_calculate /home/elmarco/src/qq/crypto/ivgen-essiv.c:76 This frame has 1 object(s): [32, 40) 'sector.addr' <== Memory access at offset 40 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450) in __asan_memcpy Shadow bytes around the buggy address: 0x100031437bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100031437c20: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f3]f3 f3 0x100031437c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100031437c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb It looks like the rest of the code copes with ndata being larger than sizeof(sector), so limit the memcpy() range. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <20180104160523.22995-13-marcandre.lureau@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
||
---|---|---|
accel | ||
audio | ||
backends | ||
block | ||
bsd-user | ||
capstone@22ead3e0bf | ||
chardev | ||
contrib | ||
crypto | ||
default-configs | ||
disas | ||
docs | ||
dtc@e54388015a | ||
fpu | ||
fsdev | ||
gdb-xml | ||
hw | ||
include | ||
io | ||
libdecnumber | ||
linux-headers | ||
linux-user | ||
migration | ||
nbd | ||
net | ||
pc-bios | ||
po | ||
qapi | ||
qga | ||
qobject | ||
qom | ||
replay | ||
roms | ||
scripts | ||
scsi | ||
slirp | ||
stubs | ||
target | ||
tcg | ||
tests | ||
trace | ||
ui | ||
util | ||
.dir-locals.el | ||
.editorconfig | ||
.exrc | ||
.gdbinit | ||
.gitignore | ||
.gitmodules | ||
.mailmap | ||
.shippable.yml | ||
.travis.yml | ||
arch_init.c | ||
balloon.c | ||
block.c | ||
blockdev-nbd.c | ||
blockdev.c | ||
blockjob.c | ||
bootdevice.c | ||
bt-host.c | ||
bt-vhci.c | ||
Changelog | ||
CODING_STYLE | ||
configure | ||
COPYING | ||
COPYING.LIB | ||
COPYING.PYTHON | ||
cpus-common.c | ||
cpus.c | ||
device_tree.c | ||
device-hotplug.c | ||
disas.c | ||
dma-helpers.c | ||
dump.c | ||
exec.c | ||
gdbstub.c | ||
HACKING | ||
hmp-commands-info.hx | ||
hmp-commands.hx | ||
hmp.c | ||
hmp.h | ||
ioport.c | ||
iothread.c | ||
LICENSE | ||
MAINTAINERS | ||
Makefile | ||
Makefile.objs | ||
Makefile.target | ||
memory_ldst.inc.c | ||
memory_mapping.c | ||
memory.c | ||
module-common.c | ||
monitor.c | ||
numa.c | ||
os-posix.c | ||
os-win32.c | ||
qapi-schema.json | ||
qdev-monitor.c | ||
qdict-test-data.txt | ||
qemu-bridge-helper.c | ||
qemu-doc.texi | ||
qemu-ga.texi | ||
qemu-img-cmds.hx | ||
qemu-img.c | ||
qemu-img.texi | ||
qemu-io-cmds.c | ||
qemu-io.c | ||
qemu-keymap.c | ||
qemu-nbd.c | ||
qemu-nbd.texi | ||
qemu-option-trace.texi | ||
qemu-options-wrapper.h | ||
qemu-options.h | ||
qemu-options.hx | ||
qemu-seccomp.c | ||
qemu-tech.texi | ||
qemu.nsi | ||
qemu.sasl | ||
qmp.c | ||
qtest.c | ||
README | ||
replication.c | ||
replication.h | ||
rules.mak | ||
thunk.c | ||
tpm.c | ||
trace-events | ||
VERSION | ||
version.rc | ||
vl.c |
QEMU README =========== QEMU is a generic and open source machine & userspace emulator and virtualizer. QEMU is capable of emulating a complete machine in software without any need for hardware virtualization support. By using dynamic translation, it achieves very good performance. QEMU can also integrate with the Xen and KVM hypervisors to provide emulated hardware while allowing the hypervisor to manage the CPU. With hypervisor support, QEMU can achieve near native performance for CPUs. When QEMU emulates CPUs directly it is capable of running operating systems made for one machine (e.g. an ARMv7 board) on a different machine (e.g. an x86_64 PC board). QEMU is also capable of providing userspace API virtualization for Linux and BSD kernel interfaces. This allows binaries compiled against one architecture ABI (e.g. the Linux PPC64 ABI) to be run on a host using a different architecture ABI (e.g. the Linux x86_64 ABI). This does not involve any hardware emulation, simply CPU and syscall emulation. QEMU aims to fit into a variety of use cases. It can be invoked directly by users wishing to have full control over its behaviour and settings. It also aims to facilitate integration into higher level management layers, by providing a stable command line interface and monitor API. It is commonly invoked indirectly via the libvirt library when using open source applications such as oVirt, OpenStack and virt-manager. QEMU as a whole is released under the GNU General Public License, version 2. For full licensing details, consult the LICENSE file. Building ======== QEMU is multi-platform software intended to be buildable on all modern Linux platforms, OS-X, Win32 (via the Mingw64 toolchain) and a variety of other UNIX targets. The simple steps to build QEMU are: mkdir build cd build ../configure make Additional information can also be found online via the QEMU website: https://qemu.org/Hosts/Linux https://qemu.org/Hosts/Mac https://qemu.org/Hosts/W32 Submitting patches ================== The QEMU source code is maintained under the GIT version control system. git clone git://git.qemu.org/qemu.git When submitting patches, the preferred approach is to use 'git format-patch' and/or 'git send-email' to format & send the mail to the qemu-devel@nongnu.org mailing list. All patches submitted must contain a 'Signed-off-by' line from the author. Patches should follow the guidelines set out in the HACKING and CODING_STYLE files. Additional information on submitting patches can be found online via the QEMU website https://qemu.org/Contribute/SubmitAPatch https://qemu.org/Contribute/TrivialPatches Bug reporting ============= The QEMU project uses Launchpad as its primary upstream bug tracker. Bugs found when running code built from QEMU git or upstream released sources should be reported via: https://bugs.launchpad.net/qemu/ If using QEMU via an operating system vendor pre-built binary package, it is preferable to report bugs to the vendor's own bug tracker first. If the bug is also known to affect latest upstream code, it can also be reported via launchpad. For additional information on bug reporting consult: https://qemu.org/Contribute/ReportABug Contact ======= The QEMU community can be contacted in a number of ways, with the two main methods being email and IRC - qemu-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/qemu-devel - #qemu on irc.oftc.net Information on additional methods of contacting the community can be found online via the QEMU website: https://qemu.org/Contribute/StartHere -- End