Incorrect node type casting in libafl_maps_next leads to out-of-bound dereference #46
Comments
|
the boolean is not ugly if safe, feel free to do a pr
Il lun 5 feb 2024, 09:30 cube0x8 ***@***.***> ha scritto:
… The libafl_maps_next function casts an IntervalTreeNode to a MapInfo
using the container_of macro (13685).
<https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/linux-user/syscall.c#L13685>
However, the root of the interval tree is initialized as IntervalTreeRoot
in the read_self_maps function (23)
<https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/util/selfmap.c#L23>.
This mismatch in types leads to an out-of-bound dereference when accessing
e->itree.start in libafl_maps_next (13687)
<https://github.com/AFLplusplus/qemu-libafl-bridge/blob/de3e3f15eeb8f81c7e68e70c82cb57d0331b1fb9/linux-user/syscall.c#L13687>
.
This is definitely a minor bug since h2g_valid is likely to return always
false, but still is blocking me to debug QEMU using ASAN.
I assign this to me, but suggestions on how to fix it are very welcome.
Here my proposals:
1. Somewhat, make root a MapInfo instead of IntervalTreeRoot, but
maybe this would require changes in the interval tree implementation in
QEMU, so I don't think it's a good idea.
2. Use a boolean flag in libafl_maps_next when called the first time
(maybe too ugly)
—
Reply to this email directly, view it on GitHub
<#46>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD3LJ6V5WWEPANBUFVMPZN3YSCKEFAVCNFSM6AAAAABCZWQGE2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGEYTOOJVGI4TINA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Yes, instead of fixing it, I broke it even more. I'm reopening this because it's something I want to fix once we're done with #52. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
libafl_maps_nextfunction casts anIntervalTreeNodeto aMapInfousing thecontainer_ofmacro (13685). However, the root of the interval tree is initialized asIntervalTreeRootin theread_self_mapsfunction (23). This mismatch in types leads to an out-of-bound dereference when accessinge->itree.startinlibafl_maps_next(13687).This is definitely a minor bug since
h2g_validis likely to return always false, but still is blocking me to debug QEMU using ASAN.I assign this to me, but suggestions on how to fix it are very welcome. Here my proposals:
rootaMapInfoinstead ofIntervalTreeRoot, but maybe this would require changes in the interval tree implementation in QEMU, so I don't think it's a good idea.libafl_maps_nextwhen called the first time (maybe too ugly)The text was updated successfully, but these errors were encountered: