Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4614820rwb; Mon, 21 Nov 2022 09:37:48 -0800 (PST) X-Google-Smtp-Source: AA0mqf5ocA/WW6d9CvJUqK9enmUrfxum10rCk0xFsy1FRpYIRKjR2VeGDIvWwc1Vrl1dtS73mM4v X-Received: by 2002:a17:906:882:b0:7ad:e161:b026 with SMTP id n2-20020a170906088200b007ade161b026mr10644981eje.760.1669052267754; Mon, 21 Nov 2022 09:37:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669052267; cv=none; d=google.com; s=arc-20160816; b=DBRTd3Z3PH5a7Od5HTI6FVtskMpYDgsgq/PIAFX3UKcDEU8OsTvVgdXNm0pJazN2zL UxqPB5tu8j/UJG6fRZUWbAAjogCHgIM0uHcnVSqPQzqnDjApH2TRbe5pZ9liKvlg1ah2 JO21tdD93LG7WDeZnQuNo4vyPmts7JXGZGoNbJUIbR5frwHGuCx3pM5wmgI9ItHzeR5y xQwZJzSWC6vFKA7utwXr90ADjRVr3OD9eNg22vDbXobFIbzUxm42nb1twwvLXJzFarh8 bhvHb2z2FGLzVdBanTms62wOkLyooVomStC4EJbWtVHN9NRtRiSpOipezCmrexEXH/qS zTxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=6Jdq67axWtUO34awWLIaNKXOMCvzA9J92byS0Y3jkdI=; b=TZipsO2QEhM5QX1yOxxMsYYcARePAGcflGE9fuASVbNtEUMITNp/FzXqE3L/wNXZUr 26+lte9yNNlyApcwDimrzQrlPD4DWQ+5xKmWwFc5xY7bRqGSC8+gj9d8T9fq2vvQaPO3 B4e+7q9Pn6vvQmTA8mq0jYo77l9dCNiLBnyeiCW74V7cps6XMAf71+eC/DqtAs0BOWHC +SLTD/t8Xumt/2bdEwZtVo4fvhzLvg1joZowsgzbbcN200jyve2tJ7JUVcwTVD0BXkEK LkKUBPwFYPm9RRSLhYJpRWZd+wz/YGw3IH3caZfoDOJwNe87mN7EQzk7QeyX/RIqBCw1 r5NQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Sfn/Bmoy"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s7-20020a056402520700b00468f3073005si10590067edd.97.2022.11.21.09.37.22; Mon, 21 Nov 2022 09:37:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Sfn/Bmoy"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229498AbiKUQhA (ORCPT + 91 others); Mon, 21 Nov 2022 11:37:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58496 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230380AbiKUQgc (ORCPT ); Mon, 21 Nov 2022 11:36:32 -0500 Received: from kylie.crudebyte.com (kylie.crudebyte.com [5.189.157.229]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 716E2C8463 for ; Mon, 21 Nov 2022 08:36:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=crudebyte.com; s=kylie; h=Content-Type:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Content-ID:Content-Description; bh=6Jdq67axWtUO34awWLIaNKXOMCvzA9J92byS0Y3jkdI=; b=Sfn/BmoyQJaLmjkFqMzo6E3ccw 9w8vK8RT339KYN4on2o/f89RERCq2lJXGDD6W1oc67dTSqp4n2WR9UcPOMyIJTwgGP84au8H4B1Yl Fz9P0MyaGGwTKNJq4E/SZL8iWbh4m6fHfsKdmuh0i3OXHKkYoV80OMDBMyxaMy6M7EUMwYs6X3SAE QVzLw/42djImpPeX9KJb3lsuRNg2hH8n/v2zjH+EGdUD93OhPcuqLkLtZMY8VdQ8uyT93Gg5zR8pH FMbI2mAOgs3X+nWvKNZJn6hRaEqdDI5g7m9xVNUJcxna9wmE9T0uMnqhupuOmZF2BGA4PaCFtWZ/U +2JYYWwBhz0yaxROhm2UxtEJlU2vTM01S/ruQmneuNKzGLgD4pgR4ihvUnaxNtspFIy0o4r3NgN9h mmv7Otaq0dLEyW8ZlPBiI3zG7jf71TJQyKpXIuG8cJXPN3Lzs/lnQE5oiCVZ8VQ6YDIkLc6FnS6og cu9re7un9iUXBdoqFrXs6PeCIcqKKQlHFrUOwKcBS8cgpArcaoXFfd+L3PsEMZJRO8n6iwN/lGZAC Ic+aLgyZSh+zYrLTiVAooNlOAxIbtuNHaZcykXyUb4WZuaqyPgpPFeE072Rm4hdMPHVzzLecKUaCF AUzPXci8K+yTYg5hYGclUDlp2nCrwSWFx6PYUHIxw=; From: Christian Schoenebeck To: Stefano Stabellini , Dominique Martinet Cc: GUO Zihua , v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org, Dominique Martinet Subject: Re: [PATCH 1/2] 9p/xen: check logical size for buffer size Date: Mon, 21 Nov 2022 17:35:56 +0100 Message-ID: <37091478.n1eaNAWdo1@silver> In-Reply-To: <20221118135542.63400-1-asmadeus@codewreck.org> References: <20221118135542.63400-1-asmadeus@codewreck.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Friday, November 18, 2022 2:55:41 PM CET Dominique Martinet wrote: > trans_xen did not check the data fits into the buffer before copying > from the xen ring, but we probably should. > Add a check that just skips the request and return an error to > userspace if it did not fit > > Signed-off-by: Dominique Martinet > --- > > This comes more or less as a follow up of a fix for trans_fd: > https://lkml.kernel.org/r/20221117091159.31533-1-guozihua@huawei.com > Where msize should be replaced by capacity check, except trans_xen > did not actually use to check the size fits at all. > > While we normally trust the hypervisor (they can probably do whatever > they want with our memory), a bug in the 9p server is always possible so > sanity checks never hurt, especially now buffers got drastically smaller > with a recent patch. > > My setup for xen is unfortunately long dead so I cannot test this: > Stefano, you've tested v9fs xen patches in the past, would you mind > verifying this works as well? > > net/9p/trans_xen.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c > index b15c64128c3e..66ceb3b3ae30 100644 > --- a/net/9p/trans_xen.c > +++ b/net/9p/trans_xen.c > @@ -208,6 +208,14 @@ static void p9_xen_response(struct work_struct *work) > continue; > } > > + if (h.size > req->rc.capacity) { > + dev_warn(&priv->dev->dev, > + "requested packet size too big: %d for tag %d with capacity %zd\n", > + h.size, h.tag, rreq->rc.capacity); > + req->status = REQ_STATUS_ERROR; > + goto recv_error; > + } > + Looks good (except of s/rreq/req/ mentioned by Stefano already). > memcpy(&req->rc, &h, sizeof(h)); Is that really OK? 1. `h` is of type xen_9pfs_header and declared as packed, whereas `rc` is of type p9_fcall not declared as packed. 2. Probably a bit dangerous to assume the layout of xen_9pfs_header being in sync with the starting layout of p9_fcall without any compile-time assertion? > req->rc.offset = 0; > > @@ -217,6 +225,7 @@ static void p9_xen_response(struct work_struct *work) > masked_prod, &masked_cons, > XEN_9PFS_RING_SIZE(ring)); > > +recv_error: > virt_mb(); > cons += h.size; > ring->intf->in_cons = cons; >