ASan stack-buffer-overflow in SLIRP networking due to struct mismatches with LKL #33
Closed
Description
Problem
Running kbox with SLIRP networking enabled (./kbox image -S alpine.ext4 --net) triggers a stack-buffer-overflow detected by AddressSanitizer (ASan).
The root cause is a mismatch between the custom-defined network structures (ifr and rt) in net-slirp.c and the actual structures expected by the LKL interface. This manifests in two distinct ways:
- ifr struct (architecture mismatch): The current custom struct hardcodes a size of 32 bytes (16 for the name + 16 for the union/address). While this matches the 32-bit Linux struct ifreq (https://man7.org/linux/man-pages/man7/netdevice.7.html), the standard size on 64-bit architectures is 40 bytes, because the union also contains a struct ifmap whose unsigned long members grow to 8 bytes each on LP64 hosts, widening the union to 24 bytes. Running this on a 64-bit host therefore leaves an 8-byte discrepancy: LKL writes a 40-byte struct ifreq into a 32-byte stack object, causing the overflow.
- rt struct (incomplete definition): The custom rt struct, corresponding to Linux struct rtentry, is structurally incomplete. It is missing the two trailing standard fields, unsigned long rt_window and unsigned short rt_irtt, so the object on the stack is shorter than what LKL writes, causing the overflow.
Proposed Changes
Modify net-slirp.c to improve memory safety and compatibility by replacing the custom, hardcoded ifr and rt struct definitions with the standard Linux structs (struct ifreq and struct rtentry) from the system headers.
Considerations
- Architecture Portability: Using the standard headers natively resolves the 64-bit pointer and padding differences for ifreq across different host architectures (x86_64, aarch64).
- Current Workarounds: For debugging purposes, the ASan checks can currently be bypassed by manually padding the ifr struct with 8 bytes and the rt struct with 16 bytes on 64-bit systems. However, this is brittle and should be discarded in favor of the standard headers.
- Scope of Impact: The necessary modifications are strictly localized to net-slirp.c.