From: Tomas Bortoli <tomasbortoli@gmail.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net,
davem@davemloft.net, v9fs-developer@lists.sourceforge.net,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com
Subject: Re: [V9fs-developer] [PATCH] Integer underflow in pdu_read()
Date: Tue, 10 Jul 2018 00:14:21 +0200 [thread overview]
Message-ID: <bc857171-8abb-765c-d722-908ab743cd6e@gmail.com> (raw)
In-Reply-To: <20180709193151.GI30522@ZenIV.linux.org.uk>
On 07/09/2018 09:31 PM, Al Viro wrote:
> On Mon, Jul 09, 2018 at 09:26:51PM +0200, Tomas Bortoli wrote:
>> The pdu_read() function suffers from an integer underflow.
>> When pdu->offset is greater than pdu->size, the length calculation will have
>> a wrong result, resulting in an out-of-bound read.
>> This patch modifies also pdu_write() in the same way to prevent the same
>> issue from happening there and for consistency.
> What does cause the calls of pdu_read() in such conditions and shouldn't *that*
> be dealt with?
Mmh I think that's caused by p9_parse_header(). That function reads the
first 7 bytes of a PDU regardless of the current offset. It then sets
the PDU length to the one read and then it restores the original offset.
Therefore, it's possible to set a size < offset here.
(to be 100% sure I'd need more debugging)
We can prevent it in p9_parse_header(), but if the invariant offset <
size gets broken elsewhere we fall back to the underflow. Enforcing it
in pdu_read() should be the safest thing to do as it would detect *any*
bad read.
next prev parent reply other threads:[~2018-07-09 22:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-09 19:26 [V9fs-developer] [PATCH] Integer underflow in pdu_read() Tomas Bortoli
2018-07-09 19:31 ` Al Viro
2018-07-09 22:14 ` Tomas Bortoli [this message]
2018-07-09 23:29 ` Dominique Martinet
2018-07-10 1:27 ` piaojun
2018-07-10 8:27 ` Tomas Bortoli
2018-07-10 11:06 ` piaojun
2018-07-10 11:16 ` piaojun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc857171-8abb-765c-d722-908ab743cd6e@gmail.com \
--to=tomasbortoli@gmail.com \
--cc=davem@davemloft.net \
--cc=ericvh@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lucho@ionkov.net \
--cc=netdev@vger.kernel.org \
--cc=rminnich@sandia.gov \
--cc=syzkaller@googlegroups.com \
--cc=v9fs-developer@lists.sourceforge.net \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).