From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: Stefano Garzarella, Dmitry Fleytman, Paolo Bonzini, Miroslav Rezanina, Jason Wang, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Thomas Huth, Laurent Vivier
Subject: [PATCH v5 6/7] net/eth: Read ip6_ext_hdr_routing buffer before accessing it
Date: Wed, 10 Mar 2021 17:01:34 +0100
Message-Id: <20210310160135.1148272-7-philmd@redhat.com>
In-Reply-To: <20210310160135.1148272-1-philmd@redhat.com>
References: <20210310160135.1148272-1-philmd@redhat.com>

We can't know whether the caller read enough data into the memory pointed
to by ext_hdr to cast it as an ip6_ext_hdr_routing. Declare rt_hdr on the
stack and fill it again from the iovec. Since we already checked there is
enough data in the iovec buffer, simply add an assert() call to consume
the bytes_read variable.
This fixes a 2-byte buffer overrun in eth_parse_ipv6_hdr() reported by the
QEMU fuzzer:

  $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
      -accel qtest -monitor none \
      -serial none -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  write 0x25 0x1 0x86
  write 0x26 0x1 0xdd
  write 0x4f 0x1 0x2b
  write 0xe1020030 0x4 0x190002e1
  write 0xe102003a 0x2 0x0807
  write 0xe1020048 0x4 0x12077cdd
  write 0xe1020400 0x4 0xba077cdd
  write 0xe1020420 0x4 0x190002e1
  write 0xe1020428 0x4 0x3509d807
  write 0xe1020438 0x1 0xe2
  EOF
  =================================================================
  ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
  READ of size 1 at 0x7ffdef904902 thread T0
      #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
      #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
      #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
      #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
      #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
      #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
      #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
      #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
      #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

  Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
      #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

    This frame has 1 object(s):
      [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
  Shadow bytes around the buggy address:
    0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Stack left redzone:      f1
    Stack right redzone:     f3
  ==2859770==ABORTING

Add the corresponding qtest case with the fuzzer reproducer.
FWIW GCC 11 similarly reported:

  net/eth.c: In function 'eth_parse_ipv6_hdr':
  net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |          ~~~~~^~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~
  net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |                                 ~~~~~^~~~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov
Reported-by: Miroslav Rezanina
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Stefano Garzarella
---
 net/eth.c                      | 10 +++++--
 tests/qtest/fuzz-e1000e-test.c | 53 ++++++++++++++++++++++++++++++++++
 MAINTAINERS                    |  1 +
 tests/qtest/meson.build        |  1 +
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 tests/qtest/fuzz-e1000e-test.c

diff --git a/net/eth.c b/net/eth.c
index 28cdc843a69..b150d73c13a 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -405,15 +405,19 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int= pkt_frags, const struct ip6_ext_hdr *ext_hdr, struct in6_address *dst_addr) { - struct ip6_ext_hdr_routing *rthdr =3D (struct ip6_ext_hdr_routing *) e= xt_hdr; + struct ip6_ext_hdr_routing rt_hdr; size_t input_size =3D iov_size(pkt, pkt_frags); size_t bytes_read; =20 - if (input_size < ext_hdr_offset + sizeof(*rthdr) + sizeof(*dst_addr)) { + if (input_size < ext_hdr_offset + sizeof(rt_hdr) + sizeof(*dst_addr)) { return false; } =20 - if ((rthdr->rtype =3D=3D 2) && (rthdr->segleft =3D=3D 1)) { + bytes_read =3D iov_to_buf(pkt, pkt_frags, ext_hdr_offset, + &rt_hdr, sizeof(rt_hdr)); + assert(bytes_read =3D=3D sizeof(rt_hdr)); + + if ((rt_hdr.rtype =3D=3D 2) && (rt_hdr.segleft =3D=3D 1)) { bytes_read =3D iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(*ext_hdr), dst_addr, sizeof(*dst_addr)); diff --git a/tests/qtest/fuzz-e1000e-test.c b/tests/qtest/fuzz-e1000e-test.c new file mode 100644 index 00000000000..66229e60964 --- /dev/null +++ b/tests/qtest/fuzz-e1000e-test.c 
@@ -0,0 +1,53 @@ +/* + * QTest testcase for e1000e device generated by fuzzer + * + * Copyright (c) 2021 Red Hat, Inc. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * https://bugs.launchpad.net/qemu/+bug/1879531 + */ +static void test_lp1879531_eth_get_rss_ex_dst_addr(void) +{ + QTestState *s; + + s =3D qtest_init("-nographic -monitor none -serial none -M pc-q35-5.0"= ); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe1020000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x7); + qtest_writeb(s, 0x25, 0x86); + qtest_writeb(s, 0x26, 0xdd); + qtest_writeb(s, 0x4f, 0x2b); + + qtest_writel(s, 0xe1020030, 0x190002e1); + qtest_writew(s, 0xe102003a, 0x0807); + qtest_writel(s, 0xe1020048, 0x12077cdd); + qtest_writel(s, 0xe1020400, 0xba077cdd); + qtest_writel(s, 0xe1020420, 0x190002e1); + qtest_writel(s, 0xe1020428, 0x3509d807); + qtest_writeb(s, 0xe1020438, 0xe2); + qtest_writeb(s, 0x4f, 0x2b); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch =3D qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") =3D=3D 0 || strcmp(arch, "x86_64") =3D=3D 0) { + qtest_add_func("fuzz/test_lp1879531_eth_get_rss_ex_dst_addr", + test_lp1879531_eth_get_rss_ex_dst_addr); + } + + return g_test_run(); +} diff --git a/MAINTAINERS b/MAINTAINERS index 738786146d6..cc5f3aa6b60 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2003,6 +2003,7 @@ e1000e M: Dmitry Fleytman S: Maintained F: hw/net/e1000e* +F: tests/qtest/fuzz-e1000e-test.c =20 eepro100 M: Stefan Weil diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 58efc46144e..7997d895449 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build 
@@ -60,6 +60,7 @@ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-test'] : [= ]) + \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test= '] : []) + \ (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : [= ]) + \ + (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e= -test'] : []) + \ qtests_pci + = \ ['fdc-test', 'ide-test', --=20 2.26.2
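Review bot: in the net/eth.c hunk the length check now reserves `ext_hdr_offset + sizeof(rt_hdr) + sizeof(*dst_addr)`, but the unchanged `iov_to_buf()` call below it still fetches the address from `ext_hdr_offset + sizeof(*ext_hdr)`. Since `sizeof(*ext_hdr)` is the 2-byte generic header (the ASan frame shows `ext_hdr` as `[32, 34)`) and the routing header is larger than that (the old cast overran it), the read stays inside the checked span, so there is no new overrun, but the two offsets disagree about where the destination address starts; it is worth confirming which one matches the type-2 routing header layout before this goes in. Also, once `rt_hdr` is copied out of the iovec, `ext_hdr` is only used for that `sizeof`, so the parameter could be dropped or the offset written in terms of `rt_hdr`.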
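Review bot: in the tests/qtest/fuzz-e1000e-test.c hunk, the trailing `qtest_writeb(s, 0x4f, 0x2b);` after the `0xe1020438` write has no counterpart in the reproducer quoted in the commit message (which ends with `write 0xe1020438 0x1 0xe2`); either drop it or add a comment saying why the extra write is needed, so the test and the reproducer stay in step. A one-line comment above the write sequence describing what the PCI config and MMIO writes set up would also help whoever has to touch this file next, since the raw register values carry no hint on their own.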
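The copy-instead-of-cast pattern the net/eth.c hunk introduces, as an added example that is not QEMU's code: a minimal iovec reader with a hardened counterpart of _eth_get_rss_ex_dst_addr(). iov_size() and iov_to_buf() are local stand-ins for QEMU's helpers, the struct layouts follow RFC 2460/6275 rather than QEMU's headers, and the destination address is assumed to sit immediately after the 8-byte routing header.

```c
/* Added example, not QEMU code: copy an IPv6 type-2 routing header and the
 * address after it out of a scatter/gather packet into correctly sized stack
 * objects, instead of casting a 2-byte ext_hdr to the 8-byte routing struct. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

struct ip6_ext_hdr_routing {               /* RFC 6275 type-2 routing header */
    uint8_t nxt, len, rtype, segleft;
    uint8_t rsvd[4];                       /* 8 bytes in total */
};
struct in6_address { uint8_t u8[16]; };

static size_t iov_size(const struct iovec *iov, int n) {
    size_t total = 0;
    for (int i = 0; i < n; i++) { total += iov[i].iov_len; }
    return total;
}
/* Stand-in for QEMU's iov_to_buf(): copy len bytes from offset off across
 * fragments and return how many bytes were actually available and copied. */
static size_t iov_to_buf(const struct iovec *iov, int n, size_t off,
                         void *buf, size_t len) {
    size_t done = 0;
    for (int i = 0; i < n && done < len; i++) {
        if (off >= iov[i].iov_len) { off -= iov[i].iov_len; continue; }
        size_t chunk = iov[i].iov_len - off;
        if (chunk > len - done) { chunk = len - done; }
        memcpy((uint8_t *)buf + done, (const uint8_t *)iov[i].iov_base + off, chunk);
        done += chunk;
        off = 0;
    }
    return done;
}
/* Hardened reader: check the whole span first, then copy rather than cast.
 * Assumes the 16-byte address immediately follows the 8-byte routing header. */
bool get_rss_ex_dst_addr(const struct iovec *pkt, int frags,
                         size_t ext_hdr_offset, struct in6_address *dst) {
    struct ip6_ext_hdr_routing rt_hdr;     /* sized for exactly what is read */
    if (iov_size(pkt, frags) < ext_hdr_offset + sizeof(rt_hdr) + sizeof(*dst)) {
        return false;                      /* short packet: refuse, never overrun */
    }
    size_t n = iov_to_buf(pkt, frags, ext_hdr_offset, &rt_hdr, sizeof(rt_hdr));
    assert(n == sizeof(rt_hdr));           /* guaranteed by the length check */
    if (rt_hdr.rtype != 2 || rt_hdr.segleft != 1) {
        return false;
    }
    n = iov_to_buf(pkt, frags, ext_hdr_offset + sizeof(rt_hdr), dst, sizeof(*dst));
    return n == sizeof(*dst);
}
```

The routing header is deliberately split across two fragments in the test so that the copy path, not a single contiguous buffer, is what gets exercised.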