Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp112808imm; Tue, 17 Jul 2018 22:09:51 -0700 (PDT) X-Google-Smtp-Source: AAOMgpeGZSbPMML3u12sG7LYZszTILC6T3Gi0P8onnWTy8xXpw7Q+8z5cx27045bAb3TyNGvyeGh X-Received: by 2002:a62:d646:: with SMTP id r67-v6mr3709013pfg.130.1531890591385; Tue, 17 Jul 2018 22:09:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531890591; cv=none; d=google.com; s=arc-20160816; b=sbVylx6oy8UpoPn2nH7uYZ8XjdH9xSlMqzUO32Ife1SQkGHGPe85B+PrYwHX7ll/Sl lHsCEAWMHRgGTT8/7vvQqSJtF31zftYl4S5Xcy6sk42u1npWT5KotOEqCTnq2hh2lpwy QuRXysd45UVOtlWfjWZyaZDwn63QxlqSNNnW+c3MXiM0TdDbQ776ieHVBW4LFaVtEeic boHwGou6x6/FqyjIIHYph5uC/BU08yJWf601ufRJ2AJweGX9wVSXZQkykStgQlxK1nb+ Zg6IpPl3haH4A7wYNSXBCz/zc9BIyvDOfiNdgxUgcd+P+fTyiY027zMAlL1ZoYik8n0I xJTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=lsUnHW1vQhY4npMiWjfsr9aItwjdsggU7YoL1W+NdJk=; b=XKcj57YJimFgnD9vH/qkfClQEXsPBNa5rj9vx+DDf3C1qzDOnnfcM2nWM/LwhG3MHy 95GI29l0TZQRJ1hUuCQ6yav6WFD66NiFkNZ4yvNn2CfEOJ+XJVaXvSSNfJeJcicxGBCq qgeFVpvLnso5OpyANvGmJ8E6J0GpY/bN8jc6kmh+GXgNluMYpHwRc+hCK7J1ZQnqG1pL tzK/xvfu2Sb5PU9x2JzldiollH3iCZFtihwMicVaH8YBiaz6r2i+HEWqb09meWu1Vqov K9RGDlWbHVk2Gq1ZVjxF5bUD25AE7UgB+NQmSDHQg+dZ7DvJMjP1BQ3iTckTkIkn1wII VSOQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r2-v6si2569892pgd.138.2018.07.17.22.09.35; Tue, 17 Jul 2018 22:09:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726282AbeGRFpE (ORCPT + 99 others); Wed, 18 Jul 2018 01:45:04 -0400 Received: from nautica.notk.org ([91.121.71.147]:52092 "EHLO nautica.notk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725909AbeGRFpE (ORCPT ); Wed, 18 Jul 2018 01:45:04 -0400 Received: by nautica.notk.org (Postfix, from userid 1001) id 747EEC009; Wed, 18 Jul 2018 07:09:01 +0200 (CEST) Date: Wed, 18 Jul 2018 07:08:46 +0200 From: Dominique Martinet To: Tomas Bortoli Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, viro@ZenIV.linux.org.uk, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Andrew Morton Subject: Re: [V9fs-developer] [PATCH] p9_parse_header() validate PDU length Message-ID: <20180718050846.GA16605@nautica> References: <20180712110211.25535-1-tomasbortoli@gmail.com> <20180712114304.GB17774@nautica> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Tomas Bortoli wrote on Thu, Jul 12, 2018: > + Cc: Andrew Morton > > On 07/12/2018 01:43 PM, Dominique Martinet wrote: > > Tomas Bortoli wrote on Thu, Jul 12, 2018: > >> This patch adds checks to the p9_parse_header() function to > >> verify that the length found within the header coincides with the actual > >> length of the PDU. Furthermore, it checks that the length stays within the > >> acceptable range. To do this the patch brings the actual length of the PDU > >> from the different transport layers (rdma and virtio). For TCP (trans_fd.c) > >> the length is not know before, so we get it from the header but we check it > >> anyway that it's within the valid range. > > Still for TCP it you could read "garbage" pre-allocated memory but I > don't know how much it is a risk, it might be a good idea to zero it > post allocation (I mean pdu->sdata). Allocated at: > > https://github.com/torvalds/linux/blob/master/net/9p/client.c#L236 > > > Just a note on transports here, I totally had forgotten about trans_xen > > when we discussed this earlier as it is fairly new, but it looks like it > > sets the length in the fcall properly so it should work without any > > change. > > > > I however cannot test trans=xen, so if someone could either point me to > > how to set that up (I couldn't find any decent documentation) or do some > > very basic tests that would be great. > > >> Signed-off-by: Tomas Bortoli > >> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com > > Looks good to me, as the rdma/virtio part come from my suggestion: > > Signed-off-by: Dominique Martinet > > True > > > >> diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c > >> index 3d414acb7015..002badbcc9c0 100644 > >> --- a/net/9p/trans_rdma.c > >> +++ b/net/9p/trans_rdma.c > >> @@ -319,7 +319,7 @@ recv_done(struct ib_cq *cq, struct ib_wc *wc) > >> > >> if (wc->status != IB_WC_SUCCESS) > >> goto err_out; > >> - > >> + c->rc->size = wc->byte_len; > > (nitpick, I'd keep the empty line here. If you don't mind I'll add it > > back in my tree; this doesn't warrant a v2) > > > > Sure, > > Tomas >