From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: trond.myklebust@netapp.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 04/24] SUNRPC: Address potential buffer length overflow in svc_sendto
Date: Mon, 14 Apr 2008 16:35:20 -0400 [thread overview]
Message-ID: <20080414203520.GP15950@fieldses.org> (raw)
In-Reply-To: <BF32CC2B-804B-430D-852E-75CB789C27FF@oracle.com>
On Mon, Apr 14, 2008 at 03:43:12PM -0400, Chuck Lever wrote:
> On Apr 14, 2008, at 1:48 PM, J. Bruce Fields wrote:
>> On Mon, Apr 14, 2008 at 12:27:08PM -0400, Chuck Lever wrote:
>>> Paranoia: Ensure a negative error value return from kernel_sendpage
>>> never
>>> matches a large buffer length.
>>
>> That is a little paranoid. Absent an argument for exactly what sort
>> of
>> bug could allow us to reach this point with the head iov_len in at
>> least
>> the gigabytes, I'm inclined to leave this alone for simplicity's
>> sake....
>
> I would like to document that we have noticed the mixed sign comparison
> there, and that it has been made entirely safe. In certain cases, the
> code as it stands does not do what it looks like it does.
>
> I'm not recommending these changes to be pedantic, nor am I doing this
> for my own health. When we leave checks like this out, what we have is
> "clever" nondeterministic code rather than safe code.
OK, I can buy the argument that it's a little clever and non-idiomatic
to skip the explicit check for the error case.
> This is simply
> good software engineering, but every one of these I've proposed has been
> argued over and often rejected.
>
> We know that humans write this code, and that humans make mistakes. We
> should be doing everything we can to make this code less vulnerable to
> coding mistakes. This is not about _fixing_ bugs, it's about
> _preventing_ them.
I understand that, but for me there's a problem of documentation. It
helps me, as I read the code, if I can distinguish between failures that
our code is designed to handle (a buggy or malicious nfs client, a
failed disk, whatever) from failures that it's not designed to handle
(memory corruption). So for the latter, my knee-jerk reaction is "why
isn't that a BUG_ON (or at least a WARN_ON)?"
But admittedly in this particular case, that's not really a problem--I
can't really see thinking "hey, is this code suggesting that it's
possible for iov_len to be greater than 2^31 at this point?".
--b.
>
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>>> ---
>>>
>>> net/sunrpc/svcsock.c | 2 +-
>>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
>>> index 6d4162b..a8ae279 100644
>>> --- a/net/sunrpc/svcsock.c
>>> +++ b/net/sunrpc/svcsock.c
>>> @@ -200,7 +200,7 @@ static int svc_sendto(struct svc_rqst *rqstp,
>>> struct xdr_buf *xdr)
>>> flags = 0;
>>> len = kernel_sendpage(sock, rqstp->rq_respages[0], 0,
>>> xdr->head[0].iov_len, flags);
>>> - if (len != xdr->head[0].iov_len)
>>> + if (len < 0 || len != xdr->head[0].iov_len)
>>> goto out;
>>> slen -= xdr->head[0].iov_len;
>>> if (slen == 0)
>>>
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
>
>
>
next prev parent reply other threads:[~2008-04-14 20:35 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-14 16:26 [PATCH 00/24] RPC server support rpcbind v4 plus additional clean ups Chuck Lever
[not found] ` <20080414162108.12741.73233.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 16:26 ` [PATCH 01/24] NFS: Use NFSDBG_FILE for all fops Chuck Lever
2008-04-14 16:26 ` [PATCH 02/24] NFS: Fix trace debugging nits in write.c Chuck Lever
2008-04-14 16:27 ` [PATCH 03/24] SUNRPC: RPC server still uses 2.4 method for disabling TCP Nagle Chuck Lever
[not found] ` <20080414162701.12741.10868.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 17:38 ` J. Bruce Fields
2008-04-14 16:27 ` [PATCH 04/24] SUNRPC: Address potential buffer length overflow in svc_sendto Chuck Lever
[not found] ` <20080414162708.12741.71691.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 17:48 ` J. Bruce Fields
2008-04-14 19:43 ` Chuck Lever
2008-04-14 20:35 ` J. Bruce Fields [this message]
2008-04-14 16:27 ` [PATCH 05/24] SUNRPC: Address potential buffer length overflow in svc_tcp_sendto Chuck Lever
2008-04-14 16:27 ` [PATCH 06/24] SUNRPC: Sanity check incoming UDP datagram lengths properly Chuck Lever
[not found] ` <20080414162723.12741.35500.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 18:38 ` J. Bruce Fields
2008-04-14 19:55 ` Chuck Lever
2008-04-14 20:54 ` J. Bruce Fields
2008-04-14 21:38 ` Chuck Lever
2008-04-14 16:27 ` [PATCH 07/24] SUNRPC: Update RPC server's TCP record marker decoder Chuck Lever
[not found] ` <20080414162730.12741.97124.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 18:49 ` J. Bruce Fields
2008-04-14 16:27 ` [PATCH 08/24] SUNRPC: Use unsigned index when looping over arrays Chuck Lever
2008-04-14 16:27 ` [PATCH 09/24] " Chuck Lever
[not found] ` <20080414162745.12741.37176.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 18:51 ` J. Bruce Fields
2008-04-14 16:27 ` [PATCH 10/24] SUNRPC: Use unsigned loop and array index in svc_init_buffer() Chuck Lever
[not found] ` <20080414162752.12741.15628.stgit-meopP2rzCrTwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2008-04-14 18:51 ` J. Bruce Fields
2008-04-14 16:28 ` [PATCH 11/24] SUNRPC: Remove obsolete messages during transport connect Chuck Lever
2008-04-14 16:28 ` [PATCH 12/24] SUNRPC: More useful debugging output for rpcb client Chuck Lever
2008-04-14 16:28 ` [PATCH 13/24] SUNRPC: Document some naked integers in rpcbind client Chuck Lever
2008-04-14 16:28 ` [PATCH 14/24] SUNRPC: Use correct XDR encoding procedure for rpcbind SET/UNSET Chuck Lever
2008-04-14 16:28 ` [PATCH 15/24] SUNRPC: Introduce a specific rpcb_create for contacting localhost Chuck Lever
2008-04-14 16:28 ` [PATCH 16/24] SUNRPC: None of rpcb_create's callers wants a privileged ephemeral port Chuck Lever
2008-04-14 16:28 ` [PATCH 17/24] SUNRPC: Refactor rpcb_register to make rpcbindv4 support easier Chuck Lever
2008-04-14 16:28 ` [PATCH 18/24] SUNRPC: introduce new task flag that fails requests on xprt disconnect Chuck Lever
2008-04-14 16:28 ` [PATCH 19/24] SUNRPC: Quickly detect missing portmapper during RPC service registration Chuck Lever
2008-04-14 16:29 ` [PATCH 20/24] SUNRPC: Support registering IPv6 interfaces with local rpcbind daemon Chuck Lever
2008-04-14 16:29 ` [PATCH 21/24] SUNRPC: Split portmap unregister API into separate function Chuck Lever
2008-04-14 16:29 ` [PATCH 22/24] SUNRPC: Use the new rpcb_v4_register() API in svc_unregister() Chuck Lever
2008-04-14 16:29 ` [PATCH 23/24] SUNRPC: Use new rpcb_v4_register() interface in svc_register() Chuck Lever
2008-04-14 16:29 ` [PATCH 24/24] SUNRPC: Add kernel build option to disable server-side use of rpcbind v3/v4 Chuck Lever
2008-04-14 19:14 ` [PATCH 00/24] RPC server support rpcbind v4 plus additional clean ups J. Bruce Fields
2008-04-14 20:05 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080414203520.GP15950@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@netapp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox