Stack-buffer-overflow in e1000: e1000_receive_iov
Hello,
Reproducer

```shell
# Confirmed on 10.0.0 and master
mkdir build && cd build/
../configure --enable-asan --enable-slirp
ninja -j`nproc` qemu-system-i386
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -M q35 -nodefaults -device e1000,netdev=net0 -netdev user,id=net0 \
-qtest stdio
write 0x12a 0x1 0x10
write 0x12b 0x1 0x01
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000000 0x4 0x0000006c
write 0xe0000102 0x2 0x0a00
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
write 0xe0002819 0x1 0x01
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
write 0xe0000020 0x4 0x04402004
write 0xe000381a 0x2 0x2000
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
write 0xe000380a 0x2 0x0108
clock_step
write 0xe000003b 0x1 0x00
clock_step
clock_step
clock_step
clock_step
write 0xe0000400 0x1 0x02
EOF
```
Stack-trace:

```text
==108265==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffff99de53b8 at pc 0xaaaaaecb5c64 bp 0xfffff17d8270 sp 0xfffff17d8268
READ of size 8 at 0xffff99de53b8 thread T0
    #0 0xaaaaaecb5c60 in e1000_receive_iov ../hw/net/e1000.c:925:25
    #1 0xaaaaaf153284 in qemu_deliver_packet_iov ../net/net.c:839:15
    #2 0xaaaaaf155340 in qemu_net_queue_deliver ../net/queue.c:164:11
    #3 0xaaaaaf155340 in qemu_net_queue_receive ../net/queue.c:193:12
    #4 0xaaaaaecb47c4 in e1000_send_packet ../hw/net/e1000.c:565:9
    #5 0xaaaaaecb3e7c in xmit_seg ../hw/net/e1000.c
    #6 0xaaaaaecb2abc in process_tx_desc ../hw/net/e1000.c:720:9
    #7 0xaaaaaecb2abc in start_xmit ../hw/net/e1000.c:780:9
    #8 0xaaaaaecb2abc in set_tctl ../hw/net/e1000.c:1106:5
    #9 0xaaaaaf454de8 in memory_region_write_accessor ../system/memory.c:497:5
    #10 0xaaaaaf454944 in access_with_adjusted_size ../system/memory.c:573:18
    #11 0xaaaaaf4545dc in memory_region_dispatch_write ../system/memory.c
    #12 0xaaaaaf480750 in flatview_write_continue_step ../system/physmem.c:2951:18
    #13 0xaaaaaf473aa8 in flatview_write_continue ../system/physmem.c:2981:19
    #14 0xaaaaaf473aa8 in flatview_write ../system/physmem.c:3012:12
    #15 0xaaaaaf473694 in address_space_write ../system/physmem.c:3132:18
    #16 0xaaaaaf09d6a4 in qtest_process_command ../system/qtest.c:636:9
    #17 0xaaaaaf09d6a4 in qtest_process_inbuf ../system/qtest.c:769:9
    #18 0xaaaaaf74ae84 in fd_chr_read ../chardev/char-fd.c:72:9
    ...

Address 0xffff99de53b8 is located in stack of thread T0 at offset 56 in frame
    #0 0xaaaaaf1551e0 in qemu_net_queue_receive ../net/queue.c:188

  This frame has 1 object(s):
    [32, 48) 'iov.i' (line 158) <== Memory access at offset 56 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../hw/net/e1000.c:925:25 in e1000_receive_iov
Shadow bytes around the buggy address:
  0xffff99de5100: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5180: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5200: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5280: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5300: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0xffff99de5380: f1 f1 f1 f1 00 00 f3[f3]f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5400: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0xffff99de5480: f5 f5 f5 f5 f5 f5 f5 f5 00 00 00 00 00 00 00 00
  0xffff99de5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xffff99de5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0xffff99de5600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==108265==ABORTING
```
This is: https://issues.oss-fuzz.com/issues/432364226
Thank you!
Edited by Alexander Bulekov
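The ASan report above places the 8-byte read at offset 56 of a frame whose only object, `iov.i`, occupies [32, 48): one `struct iovec` on a 64-bit target. Offset 56 is `sizeof(struct iovec) + 8` past the array start, which is consistent with `e1000_receive_iov` reading `iov[1].iov_len` while walking an array that holds a single element (an inference from the report, not a statement of the root cause or the eventual fix). The block below is an added illustration in C of the defensive pattern for that bug class, written for this page; it is not QEMU's code and not the project's fix. The helper bounds an iov walk by both the requested byte count and `iovcnt`, and returns the number of bytes actually copied so a caller can detect a short read rather than overrun the array. `copy_from_iov_checked`, `iov_covers`, `demo_copy` and the two sample fragments are constructed names and data for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical helper (not QEMU code): true if the iov array, starting at
 * byte offset `ofs`, actually contains at least `want` bytes. A receive path
 * can use this as a precondition instead of trusting a descriptor-derived
 * length to stay inside the array. */
bool iov_covers(const struct iovec *iov, unsigned iovcnt, size_t ofs, size_t want)
{
    size_t total = 0;
    for (unsigned i = 0; i < iovcnt; i++) {
        total += iov[i].iov_len;
    }
    return ofs <= total && want <= total - ofs;
}

/* Hypothetical helper (not QEMU code): copy up to `want` bytes from the iov
 * array into `dst`, starting `iov_ofs` bytes in. The walk stops at the end
 * of the array as well as at `want`, so it never dereferences iov[iovcnt].
 * Returns the number of bytes copied; a value below `want` means the array
 * was shorter than the caller assumed. */
size_t copy_from_iov_checked(const struct iovec *iov, unsigned iovcnt,
                             size_t iov_ofs, void *dst, size_t want)
{
    unsigned i = 0;
    size_t done = 0;

    /* Skip whole elements covered by the starting offset, bounded by iovcnt. */
    while (i < iovcnt && iov_ofs >= iov[i].iov_len) {
        iov_ofs -= iov[i].iov_len;
        i++;
    }

    /* Copy element by element; `i < iovcnt` is the check whose absence
     * produces a read past the end of a short iov array. */
    while (done < want && i < iovcnt) {
        size_t avail = iov[i].iov_len - iov_ofs;
        size_t n = avail < want - done ? avail : want - done;
        memcpy((char *)dst + done, (const char *)iov[i].iov_base + iov_ofs, n);
        done += n;
        iov_ofs += n;
        if (iov_ofs == iov[i].iov_len) {
            iov_ofs = 0;
            i++;
        }
    }
    return done;
}

/* Constructed sample fragments standing in for two received buffers. */
static const char frag0[] = "abcd";
static const char frag1[] = "efgh";

/* Runs the checked copy over the constructed fragments with the given
 * element count, start offset and requested size. Returns bytes copied, or
 * (size_t)-1 if the copied bytes do not match the expected data. */
size_t demo_copy(unsigned iovcnt, size_t iov_ofs, size_t want)
{
    const char all[] = "abcdefgh";
    struct iovec iov[2] = {
        { (void *)frag0, 4 },
        { (void *)frag1, 4 },
    };
    char out[64] = {0};
    size_t n = copy_from_iov_checked(iov, iovcnt, iov_ofs, out, want);
    if (iov_ofs > 8 || memcmp(out, all + iov_ofs, n) != 0) {
        return (size_t)-1;
    }
    return n;
}

int main(void)
{
    /* One element but 16 bytes requested, the shape the report suggests:
     * the checked walk returns 4 instead of reading iov[1]. */
    printf("iovcnt=1, want=16 -> copied %zu\n", demo_copy(1, 0, 16));
    printf("iovcnt=2, want=6  -> copied %zu\n", demo_copy(2, 0, 6));
    printf("iovcnt=2, ofs=5   -> copied %zu\n", demo_copy(2, 5, 16));
    return 0;
}
```

The return value is the point: a copy routine that silently stops short is only safe if the caller checks the count (or calls `iov_covers` first) and treats a short read as a malformed frame, which is the spot a descriptor-driven length should be rejected.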