| Message ID | 1514907465-14530-1-git-send-email-thuth@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, Jan 02, 2018 at 04:37:45PM +0100, Thomas Huth wrote: > When compiling QEMU with clang and -fsanitize=address, I get the > following error: > > ==9185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7e9adf2f at pc 0x564cba001d88 bp 0x7ffc7e9adeb0 sp 0x7ffc7e9adea8 > READ of size 16 at 0x7ffc7e9adf2f thread T0 > #0 0x564cba001d87 in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:83 > #1 0x564cba001367 in qcrypto_ivgen_calculate .../crypto/ivgen.c:72 > #2 0x564cb9fec630 in test_ivgen .../tests/test-crypto-ivgen.c:148 > #3 0x7f98f4224b39 (/lib64/libglib-2.0.so.0+0x6fb39) > #4 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) > #5 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) > #6 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) > #7 0x7f98f4224f0d (/lib64/libglib-2.0.so.0+0x6ff0d) > #8 0x7f98f4224f30 (/lib64/libglib-2.0.so.0+0x6ff30) > #9 0x564cb9fec446 in main .../tests/test-crypto-ivgen.c:173 > #10 0x7f98f294fc04 in __libc_start_main (/lib64/libc.so.6+0x21c04) > #11 0x564cb9fec1ac in _start (.../tests/test-crypto-ivgen+0xdb1ac) > > Address 0x7ffc7e9adf2f is located in stack of thread T0 at offset 47 in frame > #0 0x564cba00192f in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:76 > > And indeed, the code is doing a "memcpy(data, (uint8_t *)§or, ndata)" > here with "sector" being a uint64_t variable and ndata = 16. > > Fix it by limiting the size of the memcpy correctly. > > Signed-off-by: Thomas Huth <thuth@redhat.com> > --- > crypto/ivgen-essiv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) FYI, this is a dupe of the same fix posted Marc-AndrĂ© Lureau last year with subject "crypto: fix stack-buffer-overflow error", which I already have queued. Regards, Daniel
diff --git a/crypto/ivgen-essiv.c b/crypto/ivgen-essiv.c index cba20bd..8944609 100644 --- a/crypto/ivgen-essiv.c +++ b/crypto/ivgen-essiv.c @@ -79,7 +79,7 @@ static int qcrypto_ivgen_essiv_calculate(QCryptoIVGen *ivgen, uint8_t *data = g_new(uint8_t, ndata); sector = cpu_to_le64(sector); - memcpy(data, (uint8_t *)§or, ndata); + memcpy(data, (uint8_t *)§or, MIN(ndata, sizeof(sector))); if (sizeof(sector) < ndata) { memset(data + sizeof(sector), 0, ndata - sizeof(sector)); }
When compiling QEMU with clang and -fsanitize=address, I get the following error: ==9185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7e9adf2f at pc 0x564cba001d88 bp 0x7ffc7e9adeb0 sp 0x7ffc7e9adea8 READ of size 16 at 0x7ffc7e9adf2f thread T0 #0 0x564cba001d87 in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:83 #1 0x564cba001367 in qcrypto_ivgen_calculate .../crypto/ivgen.c:72 #2 0x564cb9fec630 in test_ivgen .../tests/test-crypto-ivgen.c:148 #3 0x7f98f4224b39 (/lib64/libglib-2.0.so.0+0x6fb39) #4 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #5 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #6 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #7 0x7f98f4224f0d (/lib64/libglib-2.0.so.0+0x6ff0d) #8 0x7f98f4224f30 (/lib64/libglib-2.0.so.0+0x6ff30) #9 0x564cb9fec446 in main .../tests/test-crypto-ivgen.c:173 #10 0x7f98f294fc04 in __libc_start_main (/lib64/libc.so.6+0x21c04) #11 0x564cb9fec1ac in _start (.../tests/test-crypto-ivgen+0xdb1ac) Address 0x7ffc7e9adf2f is located in stack of thread T0 at offset 47 in frame #0 0x564cba00192f in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:76 And indeed, the code is doing a "memcpy(data, (uint8_t *)§or, ndata)" here with "sector" being a uint64_t variable and ndata = 16. Fix it by limiting the size of the memcpy correctly. Signed-off-by: Thomas Huth <thuth@redhat.com> --- crypto/ivgen-essiv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)