Skip to content

Null pointer dereference in qemu_ram_free when HVA malloc fails #1588

Closed
@liyansong2018

Description

When we try to use uc_mem_map to apply for super large memory, memory allocation in HAV fails, but succeeds in GVA. This inconsistency leads to null pointer dereference in us_ close release about the ram block requested by uc_mem_map.

PoC

int main(int argc, char **argv) {
    uc_engine *uc;
    uc_err err;
    err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc);
    if (err != UC_ERR_OK) {
        printf("Failed on uc_open() with error returned: %u %s\n", err, uc_strerror(err));
        return -1;
    }

    err = uc_mem_map(uc, 0x0, 0xfffffffff000, UC_PROT_ALL);
    if (err != UC_ERR_OK) {
        printf("Failed on uc_open() with error returned: %u %s\n", err, uc_strerror(err));
        //return -1;
    }
    uc_close(uc);
    return 0;
}

output

$ ./poc_test
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36945==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6f0c61dc5f bp 0x7ffd6adc9320 sp 0x7ffd6adc9310 T0)                                                                                                                   
==36945==The signal is caused by a WRITE memory access.                                                                    
==36945==Hint: address points to the zero page.
    #0 0x7f6f0c61dc5f in qemu_ram_free_x86_64 /home/lys/Documents/my/unicorn/qemu/exec.c:1133
    #1 0x7f6f0c624483 in memory_region_destructor_ram /home/lys/Documents/my/unicorn/qemu/softmmu/memory.c:882
    #2 0x7f6f0c62269f in memory_free_x86_64 /home/lys/Documents/my/unicorn/qemu/softmmu/memory.c:182
    #3 0x7f6f0c6169da in release_common /home/lys/Documents/my/unicorn/qemu/unicorn_common.h:62
    #4 0x7f6f0c616cd3 in x86_release /home/lys/Documents/my/unicorn/qemu/target/i386/unicorn.c:47
    #5 0x7f6f0c60e4c5 in uc_close /home/lys/Documents/my/unicorn/uc.c:419
    #6 0x55955d1423e1 in main /home/lys/Documents/unitest/poc_test.c:60
    #7 0x7f6f0c0d47ec in __libc_start_main ../csu/libc-start.c:332
    #8 0x55955d142129 in _start (/home/lys/Documents/unitest/poc_test+0x1129)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lys/Documents/my/unicorn/qemu/exec.c:1133 in qemu_ram_free_x86_64
==36945==ABORTING

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions