Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1146180imm;
        Mon, 9 Jul 2018 18:29:15 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfezEixBONvO3XaECFbzq4PkaR6OxNlYx1qzjC22Gl0oISskJR1Gk9iNSeEkU20pVcTmj+c
X-Received: by 2002:a17:902:8347:: with SMTP id z7-v6mr23119332pln.290.1531186155714;
        Mon, 09 Jul 2018 18:29:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531186155; cv=none;
        d=google.com; s=arc-20160816;
        b=m5qA4oxwy4zHxgVysR6aFifxeac5aRdLOMycUML/JozFsdHWNvthKstReJz08Q3Bf1
         wHk+VtUZb2b4IPG4gSGfPiKJo1g9wPYGAGH6LT+41Cr6WcuYUDknBi5REKwX1mnL1k3u
         FZRe30VE6J3SqLcnUZp9blKwbyn3/g+Y8BzvBfCPCumDkg3EU2OfJWaJ8GG7Z+e7kgzZ
         SWmXSN1ltRnJGoP2HrwRSoQ9q5WsZAifBD7RXi/i48+/VgCg5d+iOaHi/6bjA8guyem7
         5C2rN1gyqZQJ1h2f4VBuGEc+ncrW8izqDRuEpYEFw5QAXpLvY9gp/ejDLz6ZhMwm6ZEH
         NtpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:cc:references:to
         :subject:arc-authentication-results;
        bh=zrE9gTEiFkqL9z5gg0bu18v1mo92CRPc9aimCt/d3PI=;
        b=A1fus1LzZPvCVKO0ff8/DVtJk9+tMG2Jrvapz0ueYmzBcrZXjyNla8RNoiF0tVvo08
         DM+J4HrjhI+4dCDL629uoXUXxTipDOgmF/B65nTgiLBFmBJ6pEDsNdfuOh9H5EZ4pbvF
         Vi+HHI+HO2JgZZdvzSQWZ5I/PgRKOn0MCUjVsDmPDHhAaOVN1+H0M6Rz9BWrwQCV8pXw
         oB1xD1QEFtCvu5Zg/HPpFL3D9qjeSm0nW83cw4Se9xUCMTJSyY0pWtWpcOebKGi22MYJ
         XbxJI9DJoXxIo6JU8BtwtIF3SJfO0n9+m8OodpAdG7pbv3BoqZfsYxiWqJ/6R91FMjtS
         LR3w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d3-v6si15756780pla.28.2018.07.09.18.29.01;
        Mon, 09 Jul 2018 18:29:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754741AbeGJB15 (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Mon, 9 Jul 2018 21:27:57 -0400
Received: from szxga04-in.huawei.com ([45.249.212.190]:9166 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1754625AbeGJB12 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Jul 2018 21:27:28 -0400
Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.59])
        by Forcepoint Email with ESMTP id BE55A9E70A879;
        Tue, 10 Jul 2018 09:27:14 +0800 (CST)
Received: from [10.177.253.249] (10.177.253.249) by smtp.huawei.com
 (10.3.19.211) with Microsoft SMTP Server id 14.3.382.0; Tue, 10 Jul 2018
 09:27:14 +0800
Subject: Re: [V9fs-developer] [PATCH] Integer underflow in pdu_read()
To:     Tomas Bortoli <tomasbortoli@gmail.com>, <ericvh@gmail.com>,
        <rminnich@sandia.gov>, <lucho@ionkov.net>
References: <20180709192651.28095-1-tomasbortoli@gmail.com>
CC:     <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <syzkaller@googlegroups.com>,
        <v9fs-developer@lists.sourceforge.net>, <davem@davemloft.net>
From:   piaojun <piaojun@huawei.com>
Message-ID: <5B440B6A.9090000@huawei.com>
Date:   Tue, 10 Jul 2018 09:27:06 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <20180709192651.28095-1-tomasbortoli@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.177.253.249]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Tomas,

It looks like pdu->size should always be greater than pdu->offset, right?
My question may be very easy for you, please help explaining.

Thanks,
Jun

On 2018/7/10 3:26, Tomas Bortoli wrote:
> The pdu_read() function suffers from an integer underflow.
> When pdu->offset is greater than pdu->size, the length calculation will have
> a wrong result, resulting in an out-of-bound read.
> This patch modifies also pdu_write() in the same way to prevent the same
> issue from happening there and for consistency.
> 
> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
> ---
>  net/9p/protocol.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
> index 931ea00c4fed..f1e2425f920b 100644
> --- a/net/9p/protocol.c
> +++ b/net/9p/protocol.c
> @@ -55,16 +55,20 @@ EXPORT_SYMBOL(p9stat_free);
>  
>  size_t pdu_read(struct p9_fcall *pdu, void *data, size_t size)
>  {
> -	size_t len = min(pdu->size - pdu->offset, size);
> -	memcpy(data, &pdu->sdata[pdu->offset], len);
> +	size_t len = pdu->offset > pdu->size ? 0 :
> +	 min(pdu->size - pdu->offset, size);
> +	if (len != 0)
> +		memcpy(data, &pdu->sdata[pdu->offset], len);
>  	pdu->offset += len;
>  	return size - len;
>  }
>  
>  static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size)
>  {
> -	size_t len = min(pdu->capacity - pdu->size, size);
> -	memcpy(&pdu->sdata[pdu->size], data, len);
> +	size_t len = pdu->size > pdu->capacity ? 0 :
> +	 min(pdu->capacity - pdu->size, size);
> +	if (len != 0)
> +		memcpy(&pdu->sdata[pdu->size], data, len);
>  	pdu->size += len;
>  	return size - len;
>  }
>