AFLplusplus / qemu-libafl-bridge

A patched QEMU that exposes an interface for LibAFL-based fuzzers

Incorrect node type casting in libafl_maps_next leads to out-of-bounds dereference #46

Closed cube0x8 closed 5 months ago

cube0x8 commented 7 months ago

The libafl_maps_next function casts an IntervalTreeNode to a MapInfo using the container_of macro (13685). However, the root of the interval tree is initialized as an IntervalTreeRoot in the read_self_maps function (23). This mismatch in types leads to an out-of-bounds dereference when accessing e->itree.start in libafl_maps_next (13687).

This is definitely a minor bug, since h2g_valid is likely to always return false, but it is still blocking me from debugging QEMU with ASAN.

I'm assigning this to myself, but suggestions on how to fix it are very welcome. Here are my proposals:

1) Somehow make root a MapInfo instead of an IntervalTreeRoot, but maybe this would require changes in the interval tree implementation in QEMU, so I don't think it's a good idea.
2) Use a boolean flag in libafl_maps_next when it is called the first time (maybe too ugly).
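As an added illustration, not code from this issue or from qemu-libafl-bridge: a self-contained C sketch of the type mismatch described above and of the first-call flag from proposal 2. The type layouts, maps_next_buggy, maps_next_fixed, MapsIter and walk_sample are all assumptions made for this example, not the bridge's real functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins for the QEMU types (shapes only, not QEMU's code): the root is one
 * pointer; a node starts with three rb-tree link words, then the interval. A sorted
 * "next" link replaces real in-order rb traversal to keep the example short. */
typedef struct IntervalTreeNode {
    uintptr_t rb[3]; uint64_t start, last; struct IntervalTreeNode *next;
} IntervalTreeNode;
typedef struct IntervalTreeRoot { IntervalTreeNode *first; } IntervalTreeRoot;
typedef struct MapInfo { int flags; IntervalTreeNode itree; } MapInfo;
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
/* Buggy pattern from the issue: the caller passes the root, but the callee assumes an
 * IntervalTreeNode embedded in a MapInfo. */
static MapInfo *maps_next_buggy(IntervalTreeNode *n) { return container_of(n, MapInfo, itree); }
/* True when e->itree.start, computed from the mis-cast root, lies outside the root
 * object (the read ASAN would flag). Only addresses are compared; nothing is read. */
bool root_cast_escapes_object(void)
{
    IntervalTreeRoot root = { 0 };
    uintptr_t e = (uintptr_t)maps_next_buggy((IntervalTreeNode *)&root);
    uintptr_t field = e + offsetof(MapInfo, itree) + offsetof(IntervalTreeNode, start);
    uintptr_t lo = (uintptr_t)&root, hi = lo + sizeof root;
    return field < lo || field + sizeof(uint64_t) > hi;
}

/* Fix along the lines of proposal 2: a flag marks the first call, which steps from the
 * root to its first node instead of casting the root itself. */
typedef struct { IntervalTreeRoot *root; IntervalTreeNode *cur; bool started; } MapsIter;
MapInfo *maps_next_fixed(MapsIter *it)
{
    if (!it->started) { it->started = true; it->cur = it->root->first; }
    else if (it->cur) { it->cur = it->cur->next; }
    return it->cur ? container_of(it->cur, MapInfo, itree) : NULL;
}
/* Walks a constructed two-entry map list with the fixed iterator; returns the number of
 * entries seen and writes their start addresses to out. */
int walk_sample(uint64_t out[2])
{
    MapInfo a = { .flags = 1, .itree = { .start = 0x1000, .last = 0x1fff } };
    MapInfo b = { .flags = 2, .itree = { .start = 0x3000, .last = 0x3fff } };
    a.itree.next = &b.itree;
    IntervalTreeRoot root = { &a.itree };
    MapsIter it = { &root, NULL, false };
    int n = 0;
    for (MapInfo *e = maps_next_fixed(&it); e && n < 2; e = maps_next_fixed(&it))
        out[n++] = e->itree.start;
    return n;
}
```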

andreafioraldi commented 7 months ago

The boolean is not ugly if it's safe; feel free to open a PR.

On Mon, 5 Feb 2024, 09:30 cube0x8 @.***> wrote:

The libafl_maps_next function casts an IntervalTreeNode to a MapInfo using the container_of macro (13685). https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/linux-user/syscall.c#L13685 However, the root of the interval tree is initialized as an IntervalTreeRoot in the read_self_maps function (23) https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/util/selfmap.c#L23. This mismatch in types leads to an out-of-bounds dereference when accessing e->itree.start in libafl_maps_next (13687) https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/linux-user/syscall.c#L13687 .

This is definitely a minor bug, since h2g_valid is likely to always return false, but it is still blocking me from debugging QEMU with ASAN.

I'm assigning this to myself, but suggestions on how to fix it are very welcome. Here are my proposals:

  1. Somehow make root a MapInfo instead of an IntervalTreeRoot, but maybe this would require changes in the interval tree implementation in QEMU, so I don't think it's a good idea.
  2. Use a boolean flag in libafl_maps_next when it is called the first time (maybe too ugly).


cube0x8 commented 6 months ago

Yes, instead of fixing it, I broke it even more. I'm reopening this because it's something I want to fix once we're done with #52.