On 8/29/19 5:43 PM, Philippe Mathieu-Daudé wrote:
> On 8/26/19 12:54 AM, Samuel Thibault wrote:
>> Philippe Mathieu-Daudé, on Fri. 23 Aug 2019 17:15:32 +0200, wrote:
>>>> Did you make your test with commit 126c04acbabd ("Fix heap overflow in
>>>> ip_reass on big packet input") applied?
>>>
>>> Yes, unfortunately it doesn't fix the issue.
>>
>> Ok.
>>
>> Could you try the attached patch? There was a use-after-free. Without
>> it, I can indeed crash qemu with the given exploit. With it I don't
>> seem to be able to crash it (trying in a loop for several minutes).
[...]
>
> Note 2: We miss some Makefile rules in QEMU with the libslirp split.
>
> Checking out branches in the slirp/ directory doesn't trigger recompiling
> the slirp object, and even if I force the creation of the libslirp.a
> archive, the QEMU binaries are not linked again with the refreshed archive.
And I hit the same issue after applying your patch =)

So, using a clean workspace, I cannot reproduce the null deref anymore.

If you send a proper patch, feel free to add:
Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>

Thanks!

Phil.