From patchwork Tue Jan 2 15:37:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Huth X-Patchwork-Id: 10140931 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 15B0C601A1 for ; Tue, 2 Jan 2018 15:38:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EAF5C28B94 for ; Tue, 2 Jan 2018 15:38:41 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DE6A428BEE; Tue, 2 Jan 2018 15:38:41 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 8D4AE28B94 for ; Tue, 2 Jan 2018 15:38:41 +0000 (UTC) Received: from localhost ([::1]:46275 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eWOeG-0003yf-Id for patchwork-qemu-devel@patchwork.kernel.org; Tue, 02 Jan 2018 10:38:40 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35253) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eWOdU-0003Sl-Az for qemu-devel@nongnu.org; Tue, 02 Jan 2018 10:37:53 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eWOdR-0001wx-Mv for qemu-devel@nongnu.org; Tue, 02 Jan 2018 10:37:52 -0500 Received: from mx1.redhat.com ([209.132.183.28]:29031) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eWOdR-0001v9-GT; Tue, 02 Jan 2018 10:37:49 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BBFAE70CE; Tue, 2 Jan 2018 15:37:47 +0000 (UTC) Received: from thh440s.str.redhat.com (dhcp-192-189.str.redhat.com [10.33.192.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E9025D755; Tue, 2 Jan 2018 15:37:45 +0000 (UTC) From: Thomas Huth To: qemu-devel@nongnu.org, "Daniel P. Berrange" Date: Tue, 2 Jan 2018 16:37:45 +0100 Message-Id: <1514907465-14530-1-git-send-email-thuth@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 02 Jan 2018 15:37:47 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH] crypto/ivgen-essiv: Fix problem with address sanitizer of Clang X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-trivial@nongnu.org Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP When compiling QEMU with clang and -fsanitize=address, I get the following error: ==9185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7e9adf2f at pc 0x564cba001d88 bp 0x7ffc7e9adeb0 sp 0x7ffc7e9adea8 READ of size 16 at 0x7ffc7e9adf2f thread T0 #0 0x564cba001d87 in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:83 #1 0x564cba001367 in qcrypto_ivgen_calculate .../crypto/ivgen.c:72 #2 0x564cb9fec630 in test_ivgen .../tests/test-crypto-ivgen.c:148 #3 0x7f98f4224b39 (/lib64/libglib-2.0.so.0+0x6fb39) #4 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #5 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #6 0x7f98f4224d02 (/lib64/libglib-2.0.so.0+0x6fd02) #7 0x7f98f4224f0d (/lib64/libglib-2.0.so.0+0x6ff0d) #8 0x7f98f4224f30 (/lib64/libglib-2.0.so.0+0x6ff30) #9 0x564cb9fec446 in main .../tests/test-crypto-ivgen.c:173 #10 0x7f98f294fc04 in __libc_start_main (/lib64/libc.so.6+0x21c04) #11 0x564cb9fec1ac in _start (.../tests/test-crypto-ivgen+0xdb1ac) Address 0x7ffc7e9adf2f is located in stack of thread T0 at offset 47 in frame #0 0x564cba00192f in qcrypto_ivgen_essiv_calculate .../crypto/ivgen-essiv.c:76 And indeed, the code is doing a "memcpy(data, (uint8_t *)§or, ndata)" here with "sector" being a uint64_t variable and ndata = 16. Fix it by limiting the size of the memcpy correctly. Signed-off-by: Thomas Huth --- crypto/ivgen-essiv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ivgen-essiv.c b/crypto/ivgen-essiv.c index cba20bd..8944609 100644 --- a/crypto/ivgen-essiv.c +++ b/crypto/ivgen-essiv.c @@ -79,7 +79,7 @@ static int qcrypto_ivgen_essiv_calculate(QCryptoIVGen *ivgen, uint8_t *data = g_new(uint8_t, ndata); sector = cpu_to_le64(sector); - memcpy(data, (uint8_t *)§or, ndata); + memcpy(data, (uint8_t *)§or, MIN(ndata, sizeof(sector))); if (sizeof(sector) < ndata) { memset(data + sizeof(sector), 0, ndata - sizeof(sector)); }