
qemu-img Heap Buffer Overflow

When the qemu-img dd option "bs" is given the value 7.99E999, the program reads past the end of a heap buffer while parsing the size (AddressSanitizer reports it as a heap-buffer-overflow read of one byte).

util/cutils.c, lines 260-262:

retval = qemu_strtod_finite(f, &endptr, &fraction);
if (retval) {
    endptr++;

util/cutils.c, line 272:

c = *endptr;

In the first snippet (util/cutils.c line 260), do_strtosz calls qemu_strtod_finite to parse the fractional part of the value. For 7.99E999 the value is out of range for a double, so the call returns an error, but strtod has already consumed the whole string and endptr already points at the terminating NUL. The unconditional endptr++ on the error path then moves endptr one byte past the end of the buffer, so dereferencing it at line 272 (c = *endptr) reads outside the heap allocation. That is the 1-byte out-of-bounds read AddressSanitizer reports below.
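To make the pointer arithmetic concrete, here is an added stand-alone model of that branch. It is not QEMU's code: strtod_finite mimics the contract of qemu_strtod_finite, suffix_offset returns the offset of the byte line 272 would read instead of dereferencing it, and the hardened variant is an illustrative fix rather than the one QEMU adopted.

```c
#include <errno.h>
#include <math.h>
#include <stdlib.h>

/* Same contract as qemu_strtod_finite(): 0 on success, -errno on failure,
 * *endptr always set. On ERANGE strtod has still consumed every digit. */
static int strtod_finite(const char *nptr, const char **endptr, double *result)
{
    char *ep;
    errno = 0;
    *result = strtod(nptr, &ep);
    *endptr = ep;
    if (errno) {
        return -errno;          /* ERANGE for ".99E999" */
    }
    if (!isfinite(*result)) {
        *endptr = nptr;
        return -EINVAL;
    }
    return 0;
}

/* Offset of the byte `c = *endptr;` (line 272 on the page) would read.
 * strlen(input) is the NUL; a larger value is outside the string, i.e. the
 * one-byte over-read ASan flagged. With hardened != 0 any strtod failure is
 * refused (negative errno returned) and the '.' is skipped only when nothing
 * was consumed, so endptr can never move past the NUL. */
long suffix_offset(const char *input, int hardened)
{
    char *ep;
    const char *f, *endptr;
    double fraction;

    strtoull(input, &ep, 10);        /* integral part, like qemu_strtou64 */
    endptr = ep;
    if (*endptr == '.') {
        f = endptr;
        int retval = strtod_finite(f, &endptr, &fraction);
        if (!hardened) {
            if (retval) {
                endptr++;    /* BUG: assumes failure means nothing consumed */
            }
        } else if (retval) {
            return retval;   /* -ERANGE for 7.99E999: refuse, do not step */
        } else if (endptr == f) {
            endptr = f + 1;  /* nothing after '.', e.g. "1.k": skip the dot */
        }
    }
    return endptr - input;
}
```

For the constructed input "7.99E999" (8 characters, NUL at offset 8) the faulty path yields offset 9, which is the byte just outside the 12-byte allocation in the report below when the string is the last thing in that buffer.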

Test Environment

Ubuntu 20.04, 64-bit; QEMU version 7.2.0

How to trigger

  1. Compile qemu-img with AddressSanitizer
  2. Run the command $ ./qemu-img dd bs=7.99E999

Details

ASAN report

$ ./qemu-img dd bs=7.99E999

=================================================================
==115931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000055fc at pc 0x555555cee1fb bp 0x7fffffffd1f0 sp 0x7fffffffd1e8
READ of size 1 at 0x6020000055fc thread T0
    #0 0x555555cee1fa in do_strtosz /home/root/qemu-7.2.0/build/../util/cutils.c:272:9
    #1 0x555555ced572 in qemu_strtosz /home/root/qemu-7.2.0/build/../util/cutils.c:329:12
    #2 0x5555557b0d1c in cvtnum_full /home/root/qemu-7.2.0/build/../qemu-img.c:484:11
    #3 0x5555557bdc56 in img_dd_bs /home/root/qemu-7.2.0/build/../qemu-img.c:4856:11
    #4 0x5555557a3d62 in img_dd /home/root/qemu-7.2.0/build/../qemu-img.c:5016:13
    #5 0x55555578edea in main /home/root/qemu-7.2.0/build/../qemu-img.c:5451:20
    #6 0x7ffff762c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x5555556dffad in _start (/home/root/origin_asan/install/bin/qemu-img+0x18bfad)

0x6020000055fc is located 0 bytes to the right of 12-byte region [0x6020000055f0,0x6020000055fc)
allocated by thread T0 here:
    #0 0x55555575c75d in malloc (/home/root/origin_asan/install/bin/qemu-img+0x20875d)
    #1 0x7ffff7ed6e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/qemu-7.2.0/build/../util/cutils.c:272:9 in do_strtosz
==115931==ABORTING