Date: Wed, 18 Jul 2018 07:13:21 +0200
From: Dominique Martinet
To: Tomas Bortoli
Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, viro@ZenIV.linux.org.uk, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Subject: Re: [V9fs-developer] [PATCH] p9_parse_header() validate PDU length
Message-ID: <20180718051321.GB16605@nautica>
References: <20180712110211.25535-1-tomasbortoli@gmail.com>
In-Reply-To: <20180712110211.25535-1-tomasbortoli@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Mailing-List: linux-kernel@vger.kernel.org

Tomas Bortoli wrote on Thu, Jul 12, 2018:
> This patch adds checks to the p9_parse_header() function to
> verify that the length found within the header coincides with the actual
> length of the PDU. Furthermore, it checks that the length stays within the
> acceptable range. To do this the patch brings the actual length of the PDU
> from the different transport layers (rdma and virtio). For TCP (trans_fd.c)
> the length is not known before, so we get it from the header but we check
> anyway that it's within the valid range.
>
> Signed-off-by: Tomas Bortoli
> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
> ---
> [..]
> @@ -498,6 +489,21 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag,
>  	if (size)
>  		*size = r_size;
>  
> +	if (pdu->size != r_size) {
> +		err = -EINVAL;
> +		goto rewind_and_exit;
> +	}
> +	if (pdu->size >= pdu->capacity || pdu->size < 7) {
> +		p9_debug(P9_DEBUG_ERROR,
> +			 "requested packet size too big or too small: %d\n",
> +			 pdu->size);
> +		return -EIO;
> +	}

Actually, I've been bad advice - this breaks on virtio with zc packets - a read or ls in a big directory fails with this in dmesg

[ 1006.853775] 9pnet: -- p9_parse_header (17123): requested packet size too big or too small: 4306
[ 1006.853780] 9pnet: -- p9_check_zc_errors (17123): couldn't parse header -5

I haven't given this any thought yet, but dropping the patch for now

-- 
Dominique
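Review bot: the two new checks in the p9_parse_header() hunk take different error paths: the size mismatch sets err = -EINVAL and goes through rewind_and_exit, while the range check does a bare `return -EIO;` and so skips the rewind that the first path performs; suggest routing both failures through rewind_and_exit so the pdu offset is left in the same state on every error. Separately, the dmesg quoted in the reply ("requested packet size too big or too small: 4306", followed by "couldn't parse header -5") is exactly the `pdu->size >= pdu->capacity || pdu->size < 7` branch firing on a zero-copy reply, which indicates that comparing pdu->size against pdu->capacity assumes the whole payload lives in the pdu buffer; for zc requests the bulk data is not in that buffer, so the capacity bound either needs to be skipped for zc calls or replaced by a check against the transport-supplied length the cover letter describes.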