From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tomas Bortoli Subject: Re: [V9fs-developer] [PATCH] p9_parse_header() validate PDU length Date: Wed, 18 Jul 2018 10:39:51 +0200 Message-ID: <8c25c95f-a8cc-9530-b0e7-93bb5af8888d@gmail.com> References: <20180712110211.25535-1-tomasbortoli@gmail.com> <20180718051321.GB16605@nautica> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, viro@ZenIV.linux.org.uk, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com To: Dominique Martinet Return-path: In-Reply-To: <20180718051321.GB16605@nautica> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 07/18/2018 07:13 AM, Dominique Martinet wrote: > Tomas Bortoli wrote on Thu, Jul 12, 2018: >> This patch adds checks to the p9_parse_header() function to >> verify that the length found within the header coincides with the actual >> length of the PDU. Furthermore, it checks that the length stays within the >> acceptable range. To do this the patch brings the actual length of the PDU >> from the different transport layers (rdma and virtio). For TCP (trans_fd.c) >> the length is not know before, so we get it from the header but we check it >> anyway that it's within the valid range. >> >> Signed-off-by: Tomas Bortoli >> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com >> --- >> [..] >> @@ -498,6 +489,21 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag, >> if (size) >> *size = r_size; >> >> + if (pdu->size != r_size) { >> + err = -EINVAL; >> + goto rewind_and_exit; >> + } >> + if (pdu->size >= pdu->capacity || pdu->size < 7) { >> + p9_debug(P9_DEBUG_ERROR, >> + "requested packet size too big or too small: %d\n", >> + pdu->size); >> + return -EIO; >> + } > Actually, I've been bad advice - this breaks on virtio with zc packets - > a read or ls in a big directory fails with this in dmesg > [ 1006.853775] 9pnet: -- p9_parse_header (17123): requested packet size too big or too small: 4306 > [ 1006.853780] 9pnet: -- p9_check_zc_errors (17123): couldn't parse header -5 > > I haven't given this any thought yet, but dropping the patch for now > It seems that pdu->capacity is set to less than 4306 at that point, we can just increase it.