Re: [V9fs-developer] [PATCH] Integer underflow in pdu_read()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: piaojun <piaojun@huawei.com>
To: Tomas Bortoli <tomasbortoli@gmail.com>, <ericvh@gmail.com>,
	<rminnich@sandia.gov>, <lucho@ionkov.net>
Cc: <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<syzkaller@googlegroups.com>,
	<v9fs-developer@lists.sourceforge.net>, <davem@davemloft.net>
Subject: Re: [V9fs-developer] [PATCH] Integer underflow in pdu_read()
Date: Tue, 10 Jul 2018 19:06:17 +0800	[thread overview]
Message-ID: <5B449329.1050507@huawei.com> (raw)
In-Reply-To: <36523cc7-adec-9e61-d34c-dc00806c403a@gmail.com>

Hi Tomas,

Thanks for your explaination, and I get your point.

On 2018/7/10 16:27, Tomas Bortoli wrote:
> Hi Jun,
> 
> Intuitively, if you have a packet of size x and you read at an offset y,
> when y>x you are off the packet. That's an out out bound read.
> 
> In this specific code when offset > size, the available length
> estimation will fail as there will be an underflow resulting from
> offset-size (it'll give a big big number) that breaks the out-of-bound
> control put in place (if offset-size is a big big number, the asked size
> to read will be probably smaller and therefore allowed).
> 
> These definitions might help:
> https://cwe.mitre.org/data/definitions/787.html
> https://cwe.mitre.org/data/definitions/125.html
> 
> Tomas
>> Hi Tomas,
>>
>> It looks like pdu->size should always be greater than pdu->offset, right?
>> My question may be very easy for you, please help explaining.
>>
>> Thanks,
>> Jun
>>
>> On 2018/7/10 3:26, Tomas Bortoli wrote:
>>> The pdu_read() function suffers from an integer underflow.
>>> When pdu->offset is greater than pdu->size, the length calculation will have
>>> a wrong result, resulting in an out-of-bound read.
>>> This patch modifies also pdu_write() in the same way to prevent the same
>>> issue from happening there and for consistency.
>>>
>>> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
>>> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
>>> ---
>>>  net/9p/protocol.c | 12 ++++++++----
>>>  1 file changed, 8 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
>>> index 931ea00c4fed..f1e2425f920b 100644
>>> --- a/net/9p/protocol.c
>>> +++ b/net/9p/protocol.c
>>> @@ -55,16 +55,20 @@ EXPORT_SYMBOL(p9stat_free);
>>>  
>>>  size_t pdu_read(struct p9_fcall *pdu, void *data, size_t size)
>>>  {
>>> -	size_t len = min(pdu->size - pdu->offset, size);
>>> -	memcpy(data, &pdu->sdata[pdu->offset], len);
>>> +	size_t len = pdu->offset > pdu->size ? 0 :
>>> +	 min(pdu->size - pdu->offset, size);
>>> +	if (len != 0)
>>> +		memcpy(data, &pdu->sdata[pdu->offset], len);
>>>  	pdu->offset += len;
>>>  	return size - len;
>>>  }
>>>  
>>>  static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size)
>>>  {
>>> -	size_t len = min(pdu->capacity - pdu->size, size);
>>> -	memcpy(&pdu->sdata[pdu->size], data, len);
>>> +	size_t len = pdu->size > pdu->capacity ? 0 :
>>> +	 min(pdu->capacity - pdu->size, size);
>>> +	if (len != 0)
>>> +		memcpy(&pdu->sdata[pdu->size], data, len);
>>>  	pdu->size += len;
>>>  	return size - len;
>>>  }
>>>
> 
> 
>

next prev parent reply	other threads:[~2018-07-10 11:06 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-09 19:26 [V9fs-developer] [PATCH] Integer underflow in pdu_read() Tomas Bortoli
2018-07-09 19:31 ` Al Viro
2018-07-09 22:14   ` Tomas Bortoli
2018-07-09 23:29     ` Dominique Martinet
2018-07-10  1:27 ` piaojun
2018-07-10  8:27   ` Tomas Bortoli
2018-07-10 11:06     ` piaojun [this message]
2018-07-10 11:16 ` piaojun
2018-07-11  2:04 ` jiangyiwen
2018-07-12 11:05   ` Tomas Bortoli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5B449329.1050507@huawei.com \
    --to=piaojun@huawei.com \
    --cc=davem@davemloft.net \
    --cc=ericvh@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucho@ionkov.net \
    --cc=netdev@vger.kernel.org \
    --cc=rminnich@sandia.gov \
    --cc=syzkaller@googlegroups.com \
    --cc=tomasbortoli@gmail.com \
    --cc=v9fs-developer@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.