qemu-img Heap Buffer Overflow
When the value given to the "bs" option is 7.99E999, the program triggers a heap buffer overflow (an out-of-bounds read).
util/cutils.c, lines 260-262:
    retval = qemu_strtod_finite(f, &endptr, &fraction);
    if (retval) {
        endptr++;
util/cutils.c, line 272:
    c = *endptr;
In line 92, the program calls qemu_strtod_finite to parse the fractional part of the value. When the call returns, endptr already points to the end of the parsed number, and the code then increments it again with endptr++. Dereferencing endptr at line 272 therefore reads past the end of the heap buffer holding the input, which is the heap buffer overflow reported below.
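To make the control flow concrete, the following is an added example written for this report, not QEMU's own code: it models the fractional-part handling shown above and computes where the final "c = *endptr" read would land for the vulnerable flow versus a hardened one. model_strtod_finite() is an assumed stand-in for qemu_strtod_finite() built on strtod().

```c
/* Added example, not QEMU code: a model of the do_strtosz() fractional-part
 * logic quoted above.  read_offset_vulnerable() mirrors the 7.2.0 control flow
 * and returns the byte offset "c = *endptr" would read, without dereferencing
 * it; read_offset_hardened() rejects a failed parse instead of stepping endptr
 * forward.  model_strtod_finite() is an assumed stand-in for qemu_strtod_finite(). */
#include <errno.h>
#include <math.h>
#include <stdlib.h>
#include <string.h>

static int model_strtod_finite(const char *nptr, const char **endptr, double *res)
{
    char *ep;
    errno = 0;
    double v = strtod(nptr, &ep);
    *endptr = ep;
    if (ep == nptr) { *endptr = nptr; return -EINVAL; }  /* no digits at all */
    if (errno == ERANGE) { return -ERANGE; }  /* overflow: ep is already at the end */
    if (!isfinite(v)) { *endptr = nptr; return -EINVAL; }
    *res = v;
    return 0;
}

/* Mirrors lines 260-272 quoted above.  A result > strlen(nptr) means the read
 * would land beyond the terminating NUL, i.e. outside the buffer. */
size_t read_offset_vulnerable(const char *nptr)
{
    char *ip; const char *endptr; double fraction;
    strtoull(nptr, &ip, 10);            /* integral part: "7" */
    endptr = ip;                        /* now at ".99E999" */
    if (*endptr == '.' && model_strtod_finite(endptr, &endptr, &fraction)) {
        endptr++;                       /* the bug: blind increment after a failed parse */
    }
    return (size_t)(endptr - nptr);     /* where "c = *endptr" would read */
}

/* Hardened: a failed fractional parse, or an exponent, is rejected and endptr
 * is never advanced.  Returns the read offset, or -1 on rejection. */
long read_offset_hardened(const char *nptr)
{
    char *ip; const char *endptr; double fraction;
    strtoull(nptr, &ip, 10);
    endptr = ip;
    if (*endptr == '.' &&
        (model_strtod_finite(endptr, &endptr, &fraction) != 0 ||
         memchr(ip, 'e', endptr - ip) || memchr(ip, 'E', endptr - ip))) {
        return -1;
    }
    return (long)(endptr - nptr);       /* always <= strlen(nptr) */
}
```

For "7.99E999" (8 bytes plus NUL) the vulnerable flow reports offset 9, one byte past the terminator, which matches the "0 bytes to the right of 12-byte region" in the ASan report once the "bs=" prefix of the option string is counted.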
Test Environment
Ubuntu 20.04 (64-bit), QEMU 7.2.0
How to trigger
- Compile the program with AddressSanitizer
- Run the command
$ ./qemu-img dd bs=7.99E999
Details
ASAN report
$ ./qemu-img dd bs=7.99E999
=================================================================
==115931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000055fc at pc 0x555555cee1fb bp 0x7fffffffd1f0 sp 0x7fffffffd1e8
READ of size 1 at 0x6020000055fc thread T0
#0 0x555555cee1fa in do_strtosz /home/root/qemu-7.2.0/build/../util/cutils.c:272:9
#1 0x555555ced572 in qemu_strtosz /home/root/qemu-7.2.0/build/../util/cutils.c:329:12
#2 0x5555557b0d1c in cvtnum_full /home/root/qemu-7.2.0/build/../qemu-img.c:484:11
#3 0x5555557bdc56 in img_dd_bs /home/root/qemu-7.2.0/build/../qemu-img.c:4856:11
#4 0x5555557a3d62 in img_dd /home/root/qemu-7.2.0/build/../qemu-img.c:5016:13
#5 0x55555578edea in main /home/root/qemu-7.2.0/build/../qemu-img.c:5451:20
#6 0x7ffff762c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x5555556dffad in _start (/home/root/origin_asan/install/bin/qemu-img+0x18bfad)
0x6020000055fc is located 0 bytes to the right of 12-byte region [0x6020000055f0,0x6020000055fc)
allocated by thread T0 here:
#0 0x55555575c75d in malloc (/home/root/origin_asan/install/bin/qemu-img+0x20875d)
#1 0x7ffff7ed6e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/qemu-7.2.0/build/../util/cutils.c:272:9 in do_strtosz
Shadow bytes around the buggy address:
0x0c047fff8a60: fa fa 00 02 fa fa 00 07 fa fa 00 04 fa fa 00 04
0x0c047fff8a70: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 00
0x0c047fff8a80: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 07 fa
0x0c047fff8a90: fa fa 07 fa fa fa 07 fa fa fa fd fa fa fa 00 00
0x0c047fff8aa0: fa fa 07 fa fa fa 00 07 fa fa 00 02 fa fa 00 00
=>0x0c047fff8ab0: fa fa 00 07 fa fa 07 fa fa fa 00 07 fa fa 00[04]
0x0c047fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==115931==ABORTING