Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4614820rwb;
        Mon, 21 Nov 2022 09:37:48 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5ocA/WW6d9CvJUqK9enmUrfxum10rCk0xFsy1FRpYIRKjR2VeGDIvWwc1Vrl1dtS73mM4v
X-Received: by 2002:a17:906:882:b0:7ad:e161:b026 with SMTP id n2-20020a170906088200b007ade161b026mr10644981eje.760.1669052267754;
        Mon, 21 Nov 2022 09:37:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669052267; cv=none;
        d=google.com; s=arc-20160816;
        b=DBRTd3Z3PH5a7Od5HTI6FVtskMpYDgsgq/PIAFX3UKcDEU8OsTvVgdXNm0pJazN2zL
         UxqPB5tu8j/UJG6fRZUWbAAjogCHgIM0uHcnVSqPQzqnDjApH2TRbe5pZ9liKvlg1ah2
         JO21tdD93LG7WDeZnQuNo4vyPmts7JXGZGoNbJUIbR5frwHGuCx3pM5wmgI9ItHzeR5y
         xQwZJzSWC6vFKA7utwXr90ADjRVr3OD9eNg22vDbXobFIbzUxm42nb1twwvLXJzFarh8
         bhvHb2z2FGLzVdBanTms62wOkLyooVomStC4EJbWtVHN9NRtRiSpOipezCmrexEXH/qS
         zTxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=6Jdq67axWtUO34awWLIaNKXOMCvzA9J92byS0Y3jkdI=;
        b=TZipsO2QEhM5QX1yOxxMsYYcARePAGcflGE9fuASVbNtEUMITNp/FzXqE3L/wNXZUr
         26+lte9yNNlyApcwDimrzQrlPD4DWQ+5xKmWwFc5xY7bRqGSC8+gj9d8T9fq2vvQaPO3
         B4e+7q9Pn6vvQmTA8mq0jYo77l9dCNiLBnyeiCW74V7cps6XMAf71+eC/DqtAs0BOWHC
         +SLTD/t8Xumt/2bdEwZtVo4fvhzLvg1joZowsgzbbcN200jyve2tJ7JUVcwTVD0BXkEK
         LkKUBPwFYPm9RRSLhYJpRWZd+wz/YGw3IH3caZfoDOJwNe87mN7EQzk7QeyX/RIqBCw1
         r5NQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Sfn/Bmoy";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id s7-20020a056402520700b00468f3073005si10590067edd.97.2022.11.21.09.37.22;
        Mon, 21 Nov 2022 09:37:47 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Sfn/Bmoy";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229498AbiKUQhA (ORCPT <rfc822;2bno13@gmail.com> + 91 others);
        Mon, 21 Nov 2022 11:37:00 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58496 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230380AbiKUQgc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Nov 2022 11:36:32 -0500
Received: from kylie.crudebyte.com (kylie.crudebyte.com [5.189.157.229])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 716E2C8463
        for <linux-kernel@vger.kernel.org>; Mon, 21 Nov 2022 08:36:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=crudebyte.com; s=kylie; h=Content-Type:Content-Transfer-Encoding:
        MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:
        Content-ID:Content-Description;
        bh=6Jdq67axWtUO34awWLIaNKXOMCvzA9J92byS0Y3jkdI=; b=Sfn/BmoyQJaLmjkFqMzo6E3ccw
        9w8vK8RT339KYN4on2o/f89RERCq2lJXGDD6W1oc67dTSqp4n2WR9UcPOMyIJTwgGP84au8H4B1Yl
        Fz9P0MyaGGwTKNJq4E/SZL8iWbh4m6fHfsKdmuh0i3OXHKkYoV80OMDBMyxaMy6M7EUMwYs6X3SAE
        QVzLw/42djImpPeX9KJb3lsuRNg2hH8n/v2zjH+EGdUD93OhPcuqLkLtZMY8VdQ8uyT93Gg5zR8pH
        FMbI2mAOgs3X+nWvKNZJn6hRaEqdDI5g7m9xVNUJcxna9wmE9T0uMnqhupuOmZF2BGA4PaCFtWZ/U
        +2JYYWwBhz0yaxROhm2UxtEJlU2vTM01S/ruQmneuNKzGLgD4pgR4ihvUnaxNtspFIy0o4r3NgN9h
        mmv7Otaq0dLEyW8ZlPBiI3zG7jf71TJQyKpXIuG8cJXPN3Lzs/lnQE5oiCVZ8VQ6YDIkLc6FnS6og
        cu9re7un9iUXBdoqFrXs6PeCIcqKKQlHFrUOwKcBS8cgpArcaoXFfd+L3PsEMZJRO8n6iwN/lGZAC
        Ic+aLgyZSh+zYrLTiVAooNlOAxIbtuNHaZcykXyUb4WZuaqyPgpPFeE072Rm4hdMPHVzzLecKUaCF
        AUzPXci8K+yTYg5hYGclUDlp2nCrwSWFx6PYUHIxw=;
From:   Christian Schoenebeck <linux_oss@crudebyte.com>
To:     Stefano Stabellini <sstabellini@kernel.org>,
        Dominique Martinet <asmadeus@codewreck.org>
Cc:     GUO Zihua <guozihua@huawei.com>,
        v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        Dominique Martinet <asmadeus@codewreck.org>
Subject: Re: [PATCH 1/2] 9p/xen: check logical size for buffer size
Date:   Mon, 21 Nov 2022 17:35:56 +0100
Message-ID: <37091478.n1eaNAWdo1@silver>
In-Reply-To: <20221118135542.63400-1-asmadeus@codewreck.org>
References: <20221118135542.63400-1-asmadeus@codewreck.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Friday, November 18, 2022 2:55:41 PM CET Dominique Martinet wrote:
> trans_xen did not check the data fits into the buffer before copying
> from the xen ring, but we probably should.
> Add a check that just skips the request and return an error to
> userspace if it did not fit
> 
> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
> ---
> 
> This comes more or less as a follow up of a fix for trans_fd:
> https://lkml.kernel.org/r/20221117091159.31533-1-guozihua@huawei.com
> Where msize should be replaced by capacity check, except trans_xen
> did not actually use to check the size fits at all.
> 
> While we normally trust the hypervisor (they can probably do whatever
> they want with our memory), a bug in the 9p server is always possible so
> sanity checks never hurt, especially now buffers got drastically smaller
> with a recent patch.
> 
> My setup for xen is unfortunately long dead so I cannot test this:
> Stefano, you've tested v9fs xen patches in the past, would you mind
> verifying this works as well?
> 
>  net/9p/trans_xen.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> index b15c64128c3e..66ceb3b3ae30 100644
> --- a/net/9p/trans_xen.c
> +++ b/net/9p/trans_xen.c
> @@ -208,6 +208,14 @@ static void p9_xen_response(struct work_struct *work)
>  			continue;
>  		}
>  
> +		if (h.size > req->rc.capacity) {
> +			dev_warn(&priv->dev->dev,
> +				 "requested packet size too big: %d for tag %d with capacity %zd\n",
> +		                 h.size, h.tag, rreq->rc.capacity);
> +			req->status = REQ_STATUS_ERROR;
> +			goto recv_error;
> +		}
> +

Looks good (except of s/rreq/req/ mentioned by Stefano already).

>  		memcpy(&req->rc, &h, sizeof(h));

Is that really OK?

1. `h` is of type xen_9pfs_header and declared as packed, whereas `rc` is of 
   type p9_fcall not declared as packed.

2. Probably a bit dangerous to assume the layout of xen_9pfs_header being in
   sync with the starting layout of p9_fcall without any compile-time 
   assertion?

>  		req->rc.offset = 0;
>  
> @@ -217,6 +225,7 @@ static void p9_xen_response(struct work_struct *work)
>  				     masked_prod, &masked_cons,
>  				     XEN_9PFS_RING_SIZE(ring));
>  
> +recv_error:
>  		virt_mb();
>  		cons += h.size;
>  		ring->intf->in_cons = cons;
>