Heap-buffer-overflow in virtio-sound
Host environment
- Operating system: Ubuntu 22.04.4 LTS
- OS/kernel version: Linux 6.5.0-25-generic
- Architecture: x86_64
- QEMU flavor: 9.0.1
- QEMU version: commit 3665dd6b
Description of problem
The following log reveals it:
==852995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400002f2f9 at pc 0x5b291f531ba9 bp 0x7ffd8e80c0a0 sp 0x7ffd8e80c098
WRITE of size 2 at 0x50400002f2f9 thread T0
#0 0x5b291f531ba8 in clip_natural_int16_t_from_stereo audio/mixeng_template.h:133:16
#1 0x5b291f4ea707 in audio_pcm_sw_read audio/audio.c:604:5
#2 0x5b291f4e9502 in AUD_read audio/audio.c:900:16
#3 0x5b291e6db7c7 in virtio_snd_pcm_in_cb hw/audio/virtio-snd.c:1279:24
#4 0x5b291f4f3017 in audio_run_in audio/audio.c:1331:21
#5 0x5b291f4eda89 in audio_run audio/audio.c:1389:5
#6 0x5b291fa34311 in alsa_poll_handler audio/alsaaudio.c:205:9
#7 0x5b2921054bb3 in aio_dispatch_handler util/aio-posix.c:372:9
#8 0x5b292104b9d5 in aio_dispatch_handlers util/aio-posix.c:414:20
#9 0x5b292104b4b9 in aio_dispatch util/aio-posix.c:424:5
#10 0x5b29210ede0e in aio_ctx_dispatch util/async.c:360:5
#11 0x79b4f927fd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
#12 0x5b29210f1851 in glib_pollfds_poll util/main-loop.c:287:9
#13 0x5b29210f007a in os_host_main_loop_wait util/main-loop.c:310:5
#14 0x5b29210efc24 in main_loop_wait util/main-loop.c:589:11
#15 0x5b291f5e5475 in qemu_main_loop system/runstate.c:795:9
#16 0x5b292067eefb in qemu_default_main system/main.c:37:14
#17 0x5b292067ef7d in main system/main.c:48:12
#18 0x79b4f8829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x79b4f8829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#20 0x5b291e29bef4 in _start (/usr/local/bin/qemu-system-x86_64+0x1c8fef4)
0x50400002f2f9 is located 1 bytes after 40-byte region [0x50400002f2d0,0x50400002f2f8)
allocated by thread T0 here:
#0 0x5b291e339758 in calloc /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x79b4f9288c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
#2 0x5b29202d0efd in virtio_queue_notify hw/virtio/virtio.c:2297:9
#3 0x5b291f3d242e in virtio_pci_notify_write hw/virtio/virtio-pci.c:1721:9
#4 0x5b29203c82a4 in memory_region_write_accessor system/memory.c:497:5
#5 0x5b29203c7951 in access_with_adjusted_size system/memory.c:573:18
#6 0x5b29203c57eb in memory_region_dispatch_write system/memory.c:1521:16
#7 0x5b292046cb42 in flatview_write_continue_step system/physmem.c:2757:18
#8 0x5b292046c3c1 in flatview_write_continue system/physmem.c:2787:19
#9 0x5b29204424c9 in flatview_write system/physmem.c:2818:12
#10 0x5b2920441f1e in address_space_write system/physmem.c:2938:18
#11 0x5b291f5d8eac in qtest_process_command system/qtest.c:643:9
#12 0x5b291f5cfec5 in qtest_process_inbuf system/qtest.c:776:9
#13 0x5b291f5de05e in qtest_read system/qtest.c:788:5
#14 0x5b2920d2aef0 in qemu_chr_be_write_impl chardev/char.c:214:9
#15 0x5b2920d2afb1 in qemu_chr_be_write chardev/char.c:226:9
#16 0x5b2920d37388 in fd_chr_read chardev/char-fd.c:72:9
#17 0x5b2920719767 in qio_channel_fd_source_dispatch io/channel-watch.c:84:12
#18 0x79b4f927fc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
SUMMARY: AddressSanitizer: heap-buffer-overflow audio/mixeng_template.h:133:16 in clip_natural_int16_t_from_stereo
Shadow bytes around the buggy address:
0x50400002f000: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f080: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f100: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f180: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
0x50400002f200: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x50400002f280: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00[fa]
0x50400002f300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f400: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f480: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x50400002f500: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Steps to reproduce
cat << EOF | qemu-system-x86_64 -display none \
-machine accel=qtest, -m 512M -machine q35 -device \
virtio-sound,audiodev=my_audiodev,streams=2 -audiodev \
alsa,id=my_audiodev -qtest stdio
outl 0xcf8 0x80001804
outw 0xcfc 0x7
outl 0xcf8 0x80001820
outl 0xcfc 0xe0008000
write 0xe0008020 0x4 0x00001000
write 0xe0008028 0x4 0x00101000
write 0xe0008016 0x1 0x03
write 0xe0008020 0x4 0x00901000
write 0xe0008028 0x4 0x00a01000
write 0xe0008016 0x1 0x00
write 0xe000801c 0x1 0x01
write 0xe0008016 0x1 0x03
write 0xe000801c 0x1 0x01
write 0x100008 0x1 0x08
write 0x109008 0x1 0x04
write 0x11e000 0x1 0x04
write 0x11e001 0x1 0x01
write 0x11e004 0x1 0x01
write 0x100081 0x1 0xe0
write 0x100082 0x1 0x11
write 0x100088 0x1 0x08
write 0x10100a 0x1 0x08
write 0x151000 0x1 0x01
write 0x1090c1 0x1 0x10
write 0x1090c2 0x1 0x15
write 0x1090c8 0x1 0x04
write 0x10a00c 0x1 0x0c
write 0x10a002 0x1 0x05
write 0xe000b00c 0x1 0x03
write 0x101002 0x1 0x1d
write 0xe000b001 0x1 0x00
outl 0xcfc 0xe0008000
outl 0xcf8 0x80001885
outl 0xcf8 0x80001870
outl 0xcf8 0x80001878
inl 0xcfc
outl 0xcf8 0x80001870
outl 0xcf8 0x80001863
outl 0xcf8 0x80001853
inb 0xcfc
outl 0xcf8 0x80001854
inb 0xcfc
inb 0xcfc
outl 0xcf8 0x80001898
inb 0xcfc
outl 0xcf8 0x80001899
outl 0xcf8 0x80001870
inb 0xcfc
inb 0xcfc
EOF