Date: Tue, 10 Jul 2018 01:54:03 +0200
From: Dominique Martinet
To: Tomas Bortoli
Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, v9fs-developer@lists.sourceforge.net, davem@davemloft.net, Al Viro
Subject: Re: [V9fs-developer] [PATCH] p9_check_errors() validate PDU length
Message-ID: <20180709235403.GB19917@nautica>
References: <20180709224323.20597-1-tomasbortoli@gmail.com>
In-Reply-To: <20180709224323.20597-1-tomasbortoli@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

(extra Cc: Al Viro, as it's kind of the continuation of the other thread)

Tomas Bortoli wrote on Tue, Jul 10, 2018:
> p9_check_errors() does not validate the size of the PDU read
> in p9_parse_header(). Any size can be passed, provoking out-of-bound reads.

cf. what I just said in the other patch, I think this check needs to be moved up to p9_parse_header as p9_check_zc_error has the same problem.

Also, they really need to check against the actual read size, not just capacity.

For virtio/rdma, something like this ought to fix pdu->size, then p9_parse_header can just never overwrite it (untested but it's useless on its own, I'll test the full patch with the parse header change)

diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c index 3d414acb7015..2649b2ebf961 100644 --- a/net/9p/trans_rdma.c +++ b/net/9p/trans_rdma.c @@ -320,6 +320,7 @@ recv_done(struct ib_cq *cq, struct ib_wc *wc) if (wc->status != IB_WC_SUCCESS) goto err_out; + c->rc->size = wc->byte_len; err = p9_parse_header(c->rc, NULL, NULL, &tag, 1); if (err) goto err_out; diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 05006cbb3361..fc6dc9ca86a4 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c 
@@ -159,8 +159,10 @@ static void req_done(struct virtqueue *vq) spin_unlock_irqrestore(&chan->lock, flags); /* Wakeup if anyone waiting for VirtIO ring space. */ wake_up(chan->vc_wq); - if (len) + if (len) { + req->rc->size = len; p9_client_cb(chan->client, req, REQ_STATUS_RCVD); + } } } -- Dominique Martinet | Asmadeus
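Review bot: in the recv_done hunk, `c->rc->size = wc->byte_len;` stores the completion length with no comparison against the buffer's capacity, so after this change p9_parse_header (called on the very next line) is the only place left to reject a byte_len that is shorter than a 9P header or larger than c->rc->capacity; the parse-header change the cover text promises must do both checks before any header field is read, otherwise this assignment only moves the unchecked value one layer down. As the text itself says, this hunk is not a fix on its own.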
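Review bot: in the req_done hunk the added braces are required once the `if (len)` body grows to two statements, but `req->rc->size = len;` records whatever length was passed in without checking it against req->rc->capacity; since the existing guard already skips the callback when len is 0, the follow-up p9_parse_header change should also treat size > capacity as an error so that a device reporting more than was posted cannot make later field parsing read past the buffer.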
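The checks the reply argues for (validate against the bytes actually received, not just the buffer capacity, and do it in the header parser before any field is read), written out as an added stand-alone example. This is not code from the patch or from net/9p: `struct pdu`, `parse_header` and `run` are hypothetical stand-ins for the kernel's p9_fcall and p9_parse_header, and all message bytes are constructed samples.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's struct p9_fcall: the receive
 * buffer, the capacity the transport posted, and the byte count the
 * transport actually delivered (what the patch stores in rc->size). */
struct pdu {
	uint8_t sdata[64];
	size_t capacity;	/* bytes of sdata handed to the device */
	size_t size;		/* bytes the device reported back */
};

/* 9P header: size[4] type[1] tag[2], all little-endian on the wire. */
struct hdr {
	uint32_t size;		/* whole message length, including this field */
	uint8_t type;
	uint16_t tag;
};

#define P9_HDRSZ 7

/* Little-endian reads that do not depend on host byte order. */
static uint32_t le32(const uint8_t *b)
{
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static uint16_t le16(const uint8_t *b)
{
	return (uint16_t)(b[0] | b[1] << 8);
}

/*
 * Parse the header and reject anything that would let a later field
 * parser read past what was really received:
 *   - received length must not exceed the posted capacity
 *   - received length must cover a full header
 *   - the size[4] claimed on the wire must fit inside the received bytes
 * Returns 0 or -EINVAL, kernel style.
 */
static int parse_header(const struct pdu *p, struct hdr *h)
{
	if (p->size > p->capacity)
		return -EINVAL;
	if (p->size < P9_HDRSZ)
		return -EINVAL;
	h->size = le32(p->sdata);
	if (h->size < P9_HDRSZ || h->size > p->size)
		return -EINVAL;
	h->type = p->sdata[4];
	h->tag = le16(p->sdata + 5);
	return 0;
}

/* Build a pdu from constructed bytes and run the parser over it. */
static int run(const uint8_t *bytes, size_t received, size_t capacity,
	       struct hdr *h)
{
	struct pdu p;

	memset(&p, 0, sizeof(p));
	if (received > sizeof(p.sdata))
		return -E2BIG;
	memcpy(p.sdata, bytes, received);
	p.size = received;
	p.capacity = capacity;
	return parse_header(&p, h);
}

/* Constructed sample: a 7-byte message that is exactly one header. */
static int demo_valid(void)
{
	const uint8_t msg[] = { 7, 0, 0, 0, 107, 1, 0 };
	struct hdr h;
	return run(msg, sizeof(msg), 64, &h);
}

/* Constructed sample: header claims 0x1000 bytes but only 7 arrived. */
static int demo_size_exceeds_received(void)
{
	const uint8_t msg[] = { 0x00, 0x10, 0, 0, 107, 1, 0 };
	struct hdr h;
	return run(msg, sizeof(msg), 64, &h);
}

/* Constructed sample: device reports more bytes than were posted. */
static int demo_received_exceeds_capacity(void)
{
	const uint8_t msg[] = { 7, 0, 0, 0, 107, 1, 0 };
	struct hdr h;
	return run(msg, sizeof(msg), 4, &h);
}

/* Constructed sample: short read, not even a full header. */
static int demo_short(void)
{
	const uint8_t msg[] = { 7, 0, 0 };
	struct hdr h;
	return run(msg, sizeof(msg), 64, &h);
}

/* The tag decoded from a valid sample, to show the fields come out right. */
static int demo_valid_tag(void)
{
	const uint8_t msg[] = { 7, 0, 0, 0, 107, 0x34, 0x12 };
	struct hdr h;
	if (run(msg, sizeof(msg), 64, &h))
		return -1;
	return h.tag;
}
```

The order of the checks matters: the received length is compared against capacity first, because a transport that reports more than was posted means the buffer itself cannot be trusted, and only then is the on-wire size[4] compared against the received length, so that a reply which claims to be longer than what arrived is rejected before any field parser walks the buffer.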