Heap-use-after-free in e1000e_receive_internal
Hello,
I'm guessing this might be related to the recent IGB patches, but I haven't had a chance to bisect.

CC: @akihiko.odaki
CC: @jasowang

Maybe this is similar to the qemu_receive_packet() problems from a while back: https://lore.kernel.org/qemu-devel/1615529786-30763-1-git-send-email-jasowang@redhat.com/
Reproducer
```shell
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 \
-qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000813
outl 0xcfc 0x46
write 0x46000100 0x4 0x56000302
write 0x4600011a 0x2 0x0111
write 0x46000120 0x1 0x28
write 0x4600042a 0x2 0x00c6
write 0x46000430 0x2 0x0100
write 0x250 0x1 0xff
write 0x251 0x1 0x01
write 0x259 0x1 0x98
write 0x1ff 0x1 0x01
write 0x1007 0x1 0x01
write 0x1010 0x1 0xff
write 0x1011 0x1 0x01
write 0x1013 0x1 0x46
write 0x6339 0x1 0xfa
write 0x67c9 0x1 0xff
write 0x6c59 0x1 0xff
write 0x6c5a 0x1 0x10
write 0x6c5b 0x1 0x01
write 0x70e0 0x1 0x01
write 0x70e2 0x1 0x46
write 0x70e9 0x1 0xfc
write 0x7579 0x1 0xff
write 0x7a09 0x1 0xff
write 0x7e99 0x1 0xff
write 0x8329 0x1 0xff
write 0x87b9 0x1 0xff
write 0x8c49 0x1 0xff
write 0x90d9 0x1 0xff
write 0x9569 0x1 0xff
write 0x99f9 0x1 0xff
write 0x99fa 0x1 0x10
write 0x99fb 0x1 0x01
write 0x460001 0x1 0x01
write 0x461202 0x1 0x02
write 0x46000403 0x1 0x02
EOF
```
Stack-Trace
```text
==1000895==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000060958 at pc 0x55976ed0328c bp 0x7ffe3ad19cb0 sp 0x7ffe3ad19ca8
READ of size 8 at 0x611000060958 thread T0
    #0 0x55976ed0328b in e1000e_write_packet_to_guest /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:1651:41
    #1 0x55976ed0328b in e1000e_receive_internal /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:1776:9
    #2 0x55976ecdd515 in net_tx_pkt_send_custom /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_tx_pkt.c:818:9
    #3 0x55976ed2c4ed in e1000e_tx_pkt_send /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:682:16
    #4 0x55976ed2c4ed in e1000e_process_tx_desc /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:762:17
    #5 0x55976ed2c4ed in e1000e_start_xmit /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:953:9
    #6 0x55976ed237e3 in e1000e_set_tctl /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:2496:9
    #7 0x55976ed0579d in e1000e_core_write /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:3349:9
    #8 0x55976fe793e8 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:493:5
    #9 0x55976fe78f3a in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:555:18
    #10 0x55976fe788a3 in memory_region_dispatch_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c
    #11 0x55976fec25b0 in flatview_write_continue /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2641:23
    #12 0x55976feb9a53 in flatview_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2683:12
    #13 0x55976feb9763 in address_space_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2779:18
    #14 0x55976fecfc1c in qtest_process_command /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/qtest.c:652:9
    #15 0x55976fecbed8 in qtest_process_inbuf /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/qtest.c:801:9
    #16 0x55977058ad64 in fd_chr_read /home/alxndr/Development/qemu-demo/qemu/build/../chardev/char-fd.c:72:9
    #17 0x7f12e250667e in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5467e) (BuildId: 77a560369e4633278bc6e75ab0587491e11d5aac)
    #18 0x5597707ef663 in glib_pollfds_poll /home/alxndr/Development/qemu-demo/qemu/build/../util/main-loop.c:290:9
    #19 0x5597707ef663 in os_host_main_loop_wait /home/alxndr/Development/qemu-demo/qemu/build/../util/main-loop.c:313:5
    #20 0x5597707ef663 in main_loop_wait /home/alxndr/Development/qemu-demo/qemu/build/../util/main-loop.c:592:11
    #21 0x55976f3e3706 in qemu_main_loop /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/runstate.c:731:9
    #22 0x55976e71b375 in qemu_default_main /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/main.c:37:14
    #23 0x7f12e1c46189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x7f12e1c46244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #25 0x55976e65b160 in _start (/home/alxndr/Development/qemu-demo/qemu/build/qemu-system-i386+0x2159160) (BuildId: 208c93ad7b1955805e38b5f0d70988050c2d2ca5)

0x611000060958 is located 24 bytes inside of 208-byte region [0x611000060940,0x611000060a10)
freed by thread T0 here:
    #0 0x55976e6ddd02 in __interceptor_free (/home/alxndr/Development/qemu-demo/qemu/build/qemu-system-i386+0x21dbd02) (BuildId: 208c93ad7b1955805e38b5f0d70988050c2d2ca5)
    #1 0x55976ecef306 in net_rx_pkt_iovec_realloc /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_rx_pkt.c:76:9
    #2 0x55976ece219c in net_rx_pkt_pull_data /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_rx_pkt.c:99:9
    #3 0x55976ece3466 in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_rx_pkt.c:153:5
    #4 0x55976ecfa68d in e1000e_receive_internal /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:1764:5
    #5 0x55976ecdd515 in net_tx_pkt_send_custom /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_tx_pkt.c:818:9
    #6 0x55976ed2c4ed in e1000e_tx_pkt_send /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:682:16
    #7 0x55976ed2c4ed in e1000e_process_tx_desc /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:762:17
    #8 0x55976ed2c4ed in e1000e_start_xmit /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:953:9
    #9 0x55976ed237e3 in e1000e_set_tctl /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:2496:9
    #10 0x55976ed0579d in e1000e_core_write /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:3349:9
    #11 0x55976fe793e8 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:493:5
    #12 0x55976fe78f3a in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:555:18

previously allocated by thread T0 here:
    #0 0x55976e6ddfae in malloc (/home/alxndr/Development/qemu-demo/qemu/build/qemu-system-i386+0x21dbfae) (BuildId: 208c93ad7b1955805e38b5f0d70988050c2d2ca5)
    #1 0x7f12e250c678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) (BuildId: 77a560369e4633278bc6e75ab0587491e11d5aac)
    #2 0x55976ece219c in net_rx_pkt_pull_data /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_rx_pkt.c:99:9
    #3 0x55976ece3466 in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_rx_pkt.c:153:5
    #4 0x55976ecfa68d in e1000e_receive_internal /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:1764:5
    #5 0x55976ecdd515 in net_tx_pkt_send_custom /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_tx_pkt.c:818:9
    #6 0x55976ed2c4ed in e1000e_tx_pkt_send /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:682:16
    #7 0x55976ed2c4ed in e1000e_process_tx_desc /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:762:17
    #8 0x55976ed2c4ed in e1000e_start_xmit /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:953:9
    #9 0x55976ed237e3 in e1000e_set_tctl /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:2496:9
    #10 0x55976ed0579d in e1000e_core_write /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:3349:9
    #11 0x55976fe793e8 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:493:5
    #12 0x55976fe78f3a in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:555:18
```
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57023
libqtest Reproducer: 57023.c
Thank you
Edited by Alexander Bulekov