From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
Date: Thu, 17 Dec 2015 18:16:22 +0100
Subject: [PATCH] smartcard: allocate msg with the expected size
==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0
WRITE of size 4 at 0x60040009c098 thread T0
#0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334
#1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
#2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
#3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
#4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
#5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
#6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
#7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
#8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
#9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
#10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
#11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098)
allocated by thread T0 here:
#0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92
#1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123
#2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516
#3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557
#4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325
#5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
#6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
#7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
#8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
#9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
#10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add
Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
---
server/smartcard.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/smartcard.c b/server/smartcard.c
|
|
|
6e1750 |
index 8d529fe..3043ad1 100644
|
|
|
6e1750 |
--- a/server/smartcard.c
|
|
|
6e1750 |
+++ b/server/smartcard.c
|
|
|
6e1750 |
@@ -325,7 +325,7 @@ static void smartcard_char_device_notify_reader_add(SmartCardDeviceState *st)
|
|
|
6e1750 |
SpiceCharDeviceWriteBuffer *write_buf;
|
|
|
6e1750 |
VSCMsgHeader *vheader;
|
|
|
6e1750 |
|
|
|
6e1750 |
- write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader));
|
|
|
6e1750 |
+ write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader));
|
|
|
6e1750 |
if (!write_buf) {
|
|
|
6e1750 |
spice_error("failed to allocate write buffer");
|
|
|
6e1750 |
return;
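Review bot: The added line sizes the buffer for one VSCMsgHeader, but nothing in the hunk records that the header alone is the complete reader-add message, and the stores through `vheader` that overflowed (smartcard.c:334 in the ASan trace) happen after this hunk with no check against the capacity of the buffer that `spice_char_device_write_buffer_get` actually returns. If these notifications really carry no payload, a comment on the new line such as `/* reader add/remove is a bare VSCMsgHeader; no payload follows */` explains why sizeof(*vheader) is the whole message, and an assertion on the returned buffer's size right after the NULL check would catch a future size mismatch at the allocation rather than in the device write. The trace enters through red_peer_handle_incoming, so the old pointer-sized allocation appears to have been a heap overflow reachable from a connected client; that is worth stating in the commit message rather than leaving the reader to infer it from the backtrace. smartcard_char_device_notify_reader_add continues past the end of the hunk.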
|
|
|
6e1750 |
@@ -372,7 +372,7 @@ static void smartcard_char_device_notify_reader_remove(SmartCardDeviceState *st)
|
|
|
6e1750 |
spice_debug("reader add was never sent to the device");
|
|
|
6e1750 |
return;
|
|
|
6e1750 |
}
|
|
|
6e1750 |
- write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader));
|
|
|
6e1750 |
+ write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader));
|
|
|
6e1750 |
if (!write_buf) {
|
|
|
6e1750 |
spice_error("failed to allocate write buffer");
|
|
|
6e1750 |
return;
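Review bot: The corrected line is a verbatim copy of the one in smartcard_char_device_notify_reader_add, and that duplication is what let the pointer-sized sizeof land in both functions; a small static helper that allocates a header-sized buffer in one place would keep the next notification from repeating the mistake. Each caller would reduce to `write_buf = smartcard_header_write_buf_get(st);` followed by the existing NULL check, with the spice_error either kept in the callers or moved into the helper as sketched below. The helper name and where the error is logged are a suggestion only; smartcard_char_device_notify_reader_remove starts before this hunk and continues after it.
```c
/* Allocate a write buffer sized for exactly one VSCMsgHeader; NULL on failure. */
static SpiceCharDeviceWriteBuffer *
smartcard_header_write_buf_get(SmartCardDeviceState *st)
{
    SpiceCharDeviceWriteBuffer *write_buf;

    write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL,
                                                   sizeof(VSCMsgHeader));
    if (!write_buf) {
        spice_error("failed to allocate write buffer");
    }
    return write_buf;
}

/* … unchanged: smartcard_char_device_notify_reader_remove up to the allocation … */
    write_buf = smartcard_header_write_buf_get(st);
    if (!write_buf) {
        return;
    }
```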
|