heap-buffer-overflow in virtio-sound
Host environment
-
Operating system: Ubuntu 22.04.4 LTS
-
OS/kernel version: Linux 6.5.0-25-generic
-
Architecture: x86_64
-
QEMU flavor: 9.0.0-rc4
-
QEMU version: commit 62dbe54c
-
QEMU command line:
./qemu-system-x86_64 -display none -machine accel=qtest -m 512M -machine q35 -device virtio-sound,audiodev=my_audiodev,streams=2 -audiodev alsa,id=my_audiodev -qtest stdio
Description of problem
The following log reveals it:
==3191578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000068620 at pc 0x55dadcde4ec5 bp 0x7ffe7f18aef0 sp 0x7ffe7f18aee0
READ of size 8 at 0x602000068620 thread T0
#0 0x55dadcde4ec4 in virtio_snd_handle_rx_xfer ../hw/audio/virtio-snd.c:988
#1 0x55daddffbf5e in virtio_queue_notify ../hw/virtio/virtio.c:2296
#2 0x55dadd6cff4a in virtio_pci_notify_write ../hw/virtio/virtio-pci.c:1721
#3 0x55dade0ab336 in memory_region_write_accessor ../system/memory.c:497
#4 0x55dade0af3d0 in access_with_adjusted_size ../system/memory.c:573
#5 0x55dade0b5032 in memory_region_dispatch_write ../system/memory.c:1528
#6 0x55dade0ebb62 in flatview_write_continue_step ../system/physmem.c:2713
#7 0x55dade0ebfb2 in flatview_write_continue ../system/physmem.c:2743
#8 0x55dade0ebfb2 in flatview_write ../system/physmem.c:2774
#9 0x55dade0edd58 in address_space_write ../system/physmem.c:2894
#10 0x55dadd809972 in qtest_process_command ../system/qtest.c:679
#11 0x55dadd80c3e2 in qtest_process_inbuf ../system/qtest.c:811
#12 0x55dade6e79a4 in fd_chr_read ../chardev/char-fd.c:72
#13 0x7f79b0d29c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#14 0x55dade998bcf in glib_pollfds_poll ../util/main-loop.c:287
#15 0x55dade998bcf in os_host_main_loop_wait ../util/main-loop.c:310
#16 0x55dade998bcf in main_loop_wait ../util/main-loop.c:589
#17 0x55dadd810e00 in qemu_main_loop ../system/runstate.c:783
#18 0x55dade2b703a in qemu_default_main ../system/main.c:37
#19 0x7f79afe29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#20 0x7f79afe29e3f in __libc_start_main_impl ../csu/libc-start.c:392
#21 0x55dadcb5a284 in _start (/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ef6284)
0x602000068620 is located 0 bytes to the right of 16-byte region [0x602000068610,0x602000068620)
allocated by thread T0 here:
#0 0x7f79b18b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f79b0d32c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
#2 0x55dadebf5847 (/home/joey/repo/qemu/build/qemu-system-x86_64+0x4f91847)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../hw/audio/virtio-snd.c:988 in virtio_snd_handle_rx_xfer
Shadow bytes around the buggy address:
0x0c0480005070: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa
0x0c0480005080: fa fa 05 fa fa fa 07 fa fa fa 00 03 fa fa fd fd
0x0c0480005090: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 06
0x0c04800050a0: fa fa 00 00 fa fa 00 00 fa fa 00 01 fa fa 05 fa
0x0c04800050b0: fa fa 00 03 fa fa 00 03 fa fa 00 01 fa fa 00 05
=>0x0c04800050c0: fa fa 00 00[fa]fa 00 00 fa fa 00 04 fa fa 00 00
0x0c04800050d0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c04800050e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800050f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480005100: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480005110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Steps to reproduce
cat << EOF | qemu-system-x86_64 -display none \
-machine accel=qtest -m 512M -machine q35 -device \
virtio-sound,audiodev=my_audiodev,streams=2 -audiodev \
alsa,id=my_audiodev -qtest stdio
outl 0xcf8 0x80001804
outw 0xcfc 0x06
outl 0xcf8 0x80001820
outl 0xcfc 0xe0008000
write 0xe0008016 0x1 0x03
write 0xe0008020 0x4 0x00901000
write 0xe0008028 0x4 0x00a01000
write 0xe000801c 0x1 0x01
write 0xe000a004 0x1 0x40
write 0x10c000 0x1 0x02
write 0x109001 0x1 0xc0
write 0x109002 0x1 0x10
write 0x109008 0x1 0x04
write 0x10a002 0x1 0x01
write 0xe000b00d 0x1 0x00
EOF
Possible Fix
check the user-assigned value in virtio_snd_set_config()