From: Christian Schoenebeck
To: Stefano Stabellini, Dominique Martinet
Cc: v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] 9p/xen: do not memcpy header into req->rc
Date: Tue, 22 Nov 2022 11:58:26 +0100
Message-ID: <2044434.5qkcZKU06U@silver>
In-Reply-To: <20221122001025.119121-1-asmadeus@codewreck.org>

On Tuesday, November 22, 2022 1:10:25 AM CET Dominique Martinet wrote:
> while 'h' is packed and can be assumed to match the request payload,
> req->rc is a struct p9_fcall which is not packed and that memcpy
> could be wrong.
>
> Fix this by copying each field individually instead.
>
> Reported-by: Christian Schoenebeck
> Suggested-by: Stefano Stabellini
> Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop
> Signed-off-by: Dominique Martinet
> ---

Reviewed-by: Christian Schoenebeck

> Follow up from the previous xen patch's review.
>
> This isn't an immediate fix so I don't think this one should be rushed
> in with the rest of the overflow fixes -- I'll let this sit a bit in
> -next after reviews.
>
>  net/9p/trans_xen.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c > index 4665215bc98b..e8e3f54a837e 100644
> --- a/net/9p/trans_xen.c > +++ b/net/9p/trans_xen.c > @@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work) > goto recv_error; > } > > - memcpy(&req->rc, &h, sizeof(h)); > + req->rc.size = h.size; > + req->rc.id = h.id; > + req->rc.tag = h.tag; > req->rc.offset = 0; > > masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring)); >
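
Review bot: The three assignments that replace the memcpy in p9_xen_response() carry no comment saying why the copy is done field by field, so a later cleanup could fold them back into a single memcpy and reintroduce the layout assumption. A one-line comment above `req->rc.size = h.size;` noting that 'h' is packed while struct p9_fcall is not would keep the reasoning next to the code. The hunk does not show the declaration of 'h', so it is also worth confirming that the types of h.size, h.id and h.tag match the corresponding req->rc members, since the assignments now convert implicitly where the memcpy copied raw bytes.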