qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointin


From: P J P
Subject: Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Date: Thu, 29 Aug 2019 16:43:40 +0530 (IST)

+-- On Mon, 26 Aug 2019, Samuel Thibault wrote --+
| Philippe Mathieu-Daudé, le ven. 23 août 2019 17:15:32 +0200, a ecrit:
| > > Did you make your test with commit 126c04acbabd ("Fix heap overflow in
| > > ip_reass on big packet input") applied?
| > 
| > Yes, unfortunately it doesn't fix the issue.
| 
| Ok.
| 
| Could you try the attached patch?  There was a use-after-free.  Without
| it, I can indeed crash qemu with the given exploit.  With it I don't
| seem to be able to crash it (trying in a loop for several minutes).

Considering that earlier fix was released/pulled into upstream QEMU v4.1.0, we 
need to treat this one as a separate issue.

   commit c59279437eda91841b9d26079c70b8a540d41204
   Author: Samuel Thibault <address@hidden>
   Date:   Mon Aug 26 00:55:03 2019 +0200

   ip_reass: Fix use after free
   
   Using ip_deq after m_free might read pointers from an allocation reuse.

I'll follow-up on that.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F


reply via email to

[Prev in Thread] Current Thread [Next in Thread]