From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52585)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1atV7n-00065g-I2
	for qemu-devel@nongnu.org; Fri, 22 Apr 2016 03:03:36 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1atV7m-0008It-KJ
	for qemu-devel@nongnu.org; Fri, 22 Apr 2016 03:03:35 -0400
Date: Fri, 22 Apr 2016 09:03:25 +0200
From: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20160422070325.GA4237@noname.redhat.com>
References: <1461249750-31928-1-git-send-email-eblake@redhat.com>
	<CAFEAcA9XOHgOPFQvrkvmgP04VaS-QU=KTGJxzpy5ribMctNanQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAFEAcA9XOHgOPFQvrkvmgP04VaS-QU=KTGJxzpy5ribMctNanQ@mail.gmail.com>
Subject: Re: [Qemu-devel] [PATCH for-2.6?] nbd: Don't mishandle unaligned
 client requests
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Eric Blake <eblake@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>, Paolo Bonzini <pbonzini@redhat.com>, Qemu-block <qemu-block@nongnu.org>, qemu-stable@nongnu.org

Am 21.04.2016 um 18:28 hat Peter Maydell geschrieben:
> On 21 April 2016 at 15:42, Eric Blake <eblake@redhat.com> wrote:
> > The NBD protocol does not (yet) force any alignment constraints
> > on clients.  Even though qemu NBD clients always send requests
> > that are aligned to 512 bytes, we must be prepared for non-qemu
> > clients that don't care about alignment (even if it means they
> > are less efficient).  Our use of blk_read() and blk_write() was
> > silently operating on the wrong file offsets when the client
> > made an unaligned request, corrupting the client's data (but
> > as the client already has control over the file we are serving,
> > I don't think it is a security hole, per se, just a data
> > corruption bug).
> >
> > Note that in the case of NBD_CMD_READ, an unaligned length could
> > cause us to return up to 511 bytes of uninitialized trailing
> > garbage from blk_try_blockalign() - hopefully nothing sensitive
> > from the heap's prior usage is ever leaked in that manner.
> >
> > Signed-off-by: Eric Blake <eblake@redhat.com>
> > ---
> >
> > It's late for 2.6, but as a data corruption bug fix, I think
> > it's worth having if there is still time.
> 
> I want to tag rc3 today, but since it looks like there's going to
> be an rc4 for the virtio handler bug this can probably go into rc4
> if it gets review.

Reviewed-by: Kevin Wolf <kwolf@redhat.com>

Peter, do you want a pull request (which I would have to do because
Paolo is away) or are you going to apply the patch directly?

Also adding Cc: qemu-stable, because this is an old bug that has existed
ever since qemu-nbd was added.

Kevin