From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Alex Chen <alex.chen@huawei.com>
Cc: stefanha@redhat.com, qemu-devel@nongnu.org,
qemu-trivial@nongnu.org, zhang.zhanghailiang@huawei.com
Subject: Re: [PATCH] virtiofsd: Fix potential NULL pointer dereference in virtio_send_msg()
Date: Thu, 10 Dec 2020 18:00:10 +0000
Message-ID: <20201210180010.GG3629@work-vm>
In-Reply-To: <20201210151426.89244-1-alex.chen@huawei.com>
* Alex Chen (alex.chen@huawei.com) wrote:
> The 'ch' will be NULL in the following stack:
> send_notify_iov()->fuse_send_msg()->virtio_send_msg(),
> so we should check 'ch' is valid before dereferencing it
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Alex Chen <alex.chen@huawei.com>

Please check, but I don't think we can currently hit this because
we never call send_notify_iov - it's currently called by
fuse_lowlevel_notify_inval_entry, inval_inode, and
fuse_lowlevel_notify_poll -
but I don't think those are called anywhere.

In that case, probably the best fix is to remove those until we
put notify back in.

Dave

> ---
> tools/virtiofsd/fuse_virtio.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
> index 623812c432..31b2187a15 100644
> --- a/tools/virtiofsd/fuse_virtio.c
> +++ b/tools/virtiofsd/fuse_virtio.c
> @@ -205,6 +205,8 @@ static void copy_iov(struct iovec *src_iov, int src_count,
> int virtio_send_msg(struct fuse_session *se, struct fuse_chan *ch,
> struct iovec *iov, int count)
> {
> + assert(ch);
> +
> FVRequest *req = container_of(ch, FVRequest, ch);
> struct fv_QueueInfo *qi = ch->qi;
> VuDev *dev = &se->virtio_dev->dev;
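Review bot: the assert(ch) added at the top of virtio_send_msg() only changes how the process dies on the path named in the commit message (send_notify_iov() -> fuse_send_msg() -> virtio_send_msg()): a NULL 'ch' now aborts the daemon instead of faulting at `ch->qi`, and in a build with NDEBUG defined the check is compiled out and the dereference is back. If a NULL 'ch' is a reachable input, fail the send with an error return before `container_of(ch, FVRequest, ch)` and `ch->qi` are evaluated, which means separating those declarations from their initialisers so the check can come first. As written, the assert is also a statement placed ahead of the function's declarations. If the notify callers really are unused, removing them makes the guard unnecessary, and the commit message should say which of the two the patch intends.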
> --
> 2.19.1
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK