Re: [PATCH v2 2/2] net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()

2021-01-25 Thread Philippe Mathieu-Daudé 
On 1/25/21 6:07 AM, Jason Wang wrote:
> 
> On 2021/1/15 下午11:11, Philippe Mathieu-Daudé wrote:
>> QEMU fuzzer reported a buffer overflow in _eth_get_rss_ex_dst_addr()
>> reproducible as:
> 
> 
> Want to apply but it doesn't apply on master:
> 
> Applying: net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()
> error: sha1 information is lacking or useless (MAINTAINERS).
> error: could not build fake ancestor
> Patch failed at 0002 net/eth: Fix stack-buffer-overflow in
> _eth_get_rss_ex_dst_addr()

>From the cover:

Based-on: <20210115150936.282-1-phi...@redhat.com>
  "tests/qtest: Fixes fuzz-tests"

I'll check/ping the other series.

Thanks,

Phil.

Re: [PATCH v2 2/2] net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()

2021-01-24 Thread Jason Wang 



On 2021/1/15 下午11:11, Philippe Mathieu-Daudé wrote:

QEMU fuzzer reported a buffer overflow in _eth_get_rss_ex_dst_addr()
reproducible as:



Want to apply but it doesn't apply on master:

Applying: net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()
error: sha1 information is lacking or useless (MAINTAINERS).
error: could not build fake ancestor
Patch failed at 0002 net/eth: Fix stack-buffer-overflow in 
_eth_get_rss_ex_dst_addr()


Thanks

Re: [PATCH v2 2/2] net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()

2021-01-20 Thread Thomas Huth 

On 15/01/2021 16.11, Philippe Mathieu-Daudé wrote:

QEMU fuzzer reported a buffer overflow in _eth_get_rss_ex_dst_addr()
reproducible as:

   $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
 -accel qtest -monitor none \
 -serial none -nographic -qtest stdio
   outl 0xcf8 0x80001010
   outl 0xcfc 0xe102
   outl 0xcf8 0x80001004
   outw 0xcfc 0x7
   write 0x25 0x1 0x86
   write 0x26 0x1 0xdd
   write 0x4f 0x1 0x2b
   write 0xe1020030 0x4 0x190002e1
   write 0xe102003a 0x2 0x0807
   write 0xe1020048 0x4 0x12077cdd
   write 0xe1020400 0x4 0xba077cdd
   write 0xe1020420 0x4 0x190002e1
   write 0xe1020428 0x4 0x3509d807
   write 0xe1020438 0x1 0xe2
   EOF
   =
   ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
   READ of size 1 at 0x7ffdef904902 thread T0
   #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
   #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
   #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
   #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
   #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
   #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
   #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
   #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
   #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

   Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
   #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

 This frame has 1 object(s):
   [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows 
this variable
   HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
 (longjmp and C++ exceptions *are* supported)
   SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in 
_eth_get_rss_ex_dst_addr
   Shadow bytes around the buggy address:
 0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
   =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable:   00
 Partially addressable: 01 02 03 04 05 06 07
 Stack left redzone:  f1
 Stack right redzone: f3
   ==2859770==ABORTING

Similarly GCC 11 reports:

   net/eth.c: In function 'eth_parse_ipv6_hdr':
   net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is 
partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
 |  ~^~~
   net/eth.c:485:24: note: while referencing 'ext_hdr'
 485 | struct ip6_ext_hdr ext_hdr;
 |^~~
   net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is 
partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
 | ~^
   net/eth.c:485:24: note: while referencing 'ext_hdr'
 485 | struct ip6_ext_hdr ext_hdr;
 |^~~

In eth_parse_ipv6_hdr() we called iov_to_buf() to fill the 2 bytes of
the 'ext_hdr' buffer, then _eth_get_rss_ex_dst_addr() tries to access
beside the 2 filled bytes.

Fix by reworking the function, filling the full rt_hdr buffer on the
stack calling iov_to_buf() again.

Add the corresponding qtest case with the fuzzer reproducer.

Cc: qemu-sta...@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov 
Reported-by: Miroslav Rezanina 
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e 
functionality")
Reviewed-by: Miroslav Rezanina 
Signed-off-by: Philippe Mathieu-Daudé 
---
v2: Do no run test if device not available
---
  net/eth.c  | 25 +++-
  tests/qtest/fuzz-e1000e-test.c | 53 ++
  MAINTAINERS|  1 +
  tests/qtest/meson.build|  1 +
  4 files changed, 66