From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, stefanha@redhat.com
Subject: [PULL 044/111] virtiofsd: validate input buffer sizes in do_write_buf()
Date: Thu, 23 Jan 2020 11:57:34 +0000	[thread overview]
Message-ID: <20200123115841.138849-45-dgilbert@redhat.com> (raw)
In-Reply-To: <20200123115841.138849-1-dgilbert@redhat.com>

From: Stefan Hajnoczi <stefanha@redhat.com>

There is a small change in behavior: if fuse_write_in->size doesn't
match the input buffer size then the request is failed.  Previously
write requests with 1 fuse_buf element would truncate to
fuse_write_in->size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
 tools/virtiofsd/fuse_lowlevel.c | 49 ++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 19 deletions(-)

diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
index 7e10995adc..611e8b0354 100644
--- a/tools/virtiofsd/fuse_lowlevel.c
+++ b/tools/virtiofsd/fuse_lowlevel.c
@@ -1003,8 +1003,8 @@ static void do_write(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)
     }
 }
 
-static void do_write_buf(fuse_req_t req, fuse_ino_t nodeid, const void *inarg,
-                         struct fuse_bufvec *ibufv)
+static void do_write_buf(fuse_req_t req, fuse_ino_t nodeid,
+                         struct fuse_mbuf_iter *iter, struct fuse_bufvec *ibufv)
 {
     struct fuse_session *se = req->se;
     struct fuse_bufvec *pbufv = ibufv;
@@ -1012,28 +1012,27 @@ static void do_write_buf(fuse_req_t req, fuse_ino_t nodeid, const void *inarg,
         .buf[0] = ibufv->buf[0],
         .count = 1,
     };
-    struct fuse_write_in *arg = (struct fuse_write_in *)inarg;
+    struct fuse_write_in *arg;
+    size_t arg_size = sizeof(*arg);
     struct fuse_file_info fi;
 
     memset(&fi, 0, sizeof(fi));
+
+    arg = fuse_mbuf_iter_advance(iter, arg_size);
+    if (!arg) {
+        fuse_reply_err(req, EINVAL);
+        return;
+    }
+
+    fi.lock_owner = arg->lock_owner;
+    fi.flags = arg->flags;
     fi.fh = arg->fh;
     fi.writepage = arg->write_flags & FUSE_WRITE_CACHE;
 
     if (ibufv->count == 1) {
-        fi.lock_owner = arg->lock_owner;
-        fi.flags = arg->flags;
-        if (!(tmpbufv.buf[0].flags & FUSE_BUF_IS_FD)) {
-            tmpbufv.buf[0].mem = PARAM(arg);
-        }
-        tmpbufv.buf[0].size -=
-            sizeof(struct fuse_in_header) + sizeof(struct fuse_write_in);
-        if (tmpbufv.buf[0].size < arg->size) {
-            fuse_log(FUSE_LOG_ERR,
-                     "fuse: do_write_buf: buffer size too small\n");
-            fuse_reply_err(req, EIO);
-            return;
-        }
-        tmpbufv.buf[0].size = arg->size;
+        assert(!(tmpbufv.buf[0].flags & FUSE_BUF_IS_FD));
+        tmpbufv.buf[0].mem = ((char *)arg) + arg_size;
+        tmpbufv.buf[0].size -= sizeof(struct fuse_in_header) + arg_size;
         pbufv = &tmpbufv;
     } else {
         /*
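Review bot: The subtraction `tmpbufv.buf[0].size -= sizeof(struct fuse_in_header) + arg_size;` is only underflow-free because fuse_mbuf_iter_advance() has already succeeded for both headers against this same memory buffer, and that dependency is not stated where the arithmetic happens; a comment such as `/* iter already verified buf[0] holds both headers, so this cannot underflow */` would keep a later refactor from reordering the two. The new `assert(!(tmpbufv.buf[0].flags & FUSE_BUF_IS_FD));` replaces what was previously a tolerated branch; if the buffer flags are set by the daemon's own queue code rather than derived from the request this is a sound invariant, but that is not visible here, so a one-line comment naming who sets the flag would justify choosing an abort over an error reply. do_write_buf continues past the end of this hunk.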
@@ -1043,6 +1042,13 @@ static void do_write_buf(fuse_req_t req, fuse_ino_t nodeid, const void *inarg,
         ibufv->buf[0].size = 0;
     }
 
+    if (fuse_buf_size(pbufv) != arg->size) {
+        fuse_log(FUSE_LOG_ERR,
+                 "fuse: do_write_buf: buffer size doesn't match arg->size\n");
+        fuse_reply_err(req, EIO);
+        return;
+    }
+
     se->op.write_buf(req, nodeid, pbufv, arg->offset, &fi);
 }
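Review bot: The size-mismatch path at `if (fuse_buf_size(pbufv) != arg->size)` replies EIO while the truncated-header path earlier in the same function replies EINVAL, although both reject a malformed request from the same source. EIO is carried over from the check this commit removes, so keeping it may be deliberate for guest-visible compatibility; if so a short comment saying that, otherwise `fuse_reply_err(req, EINVAL);`, would make the choice explicit. The log line would also be more useful to an operator if it carried the two values being compared, e.g. `"fuse: do_write_buf: buffer size %zu doesn't match arg->size %u\n", fuse_buf_size(pbufv), arg->size`, since the current message gives nothing to correlate with the request.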
 
@@ -2052,12 +2058,17 @@ void fuse_session_process_buf_int(struct fuse_session *se,
                                   struct fuse_chan *ch)
 {
     const struct fuse_buf *buf = bufv->buf;
+    struct fuse_mbuf_iter iter = FUSE_MBUF_ITER_INIT(buf);
     struct fuse_in_header *in;
     const void *inarg;
     struct fuse_req *req;
     int err;
 
-    in = buf->mem;
+    /* The first buffer must be a memory buffer */
+    assert(!(buf->flags & FUSE_BUF_IS_FD));
+
+    in = fuse_mbuf_iter_advance(&iter, sizeof(*in));
+    assert(in); /* caller guarantees the input buffer is large enough */
 
     if (se->debug) {
         fuse_log(FUSE_LOG_DEBUG,
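Review bot: `assert(in); /* caller guarantees the input buffer is large enough */` and the FUSE_BUF_IS_FD assert above it turn a short or fd-backed first buffer into a daemon abort, and the guarantee they lean on is not documented on fuse_session_process_buf_int itself. If every caller does enforce at least sizeof(struct fuse_in_header) in a memory buffer before dispatch this is fine, but that precondition belongs in the function's header comment (the function opens above this hunk) so a new entry path cannot silently violate it; something like `/* Precondition: bufv->buf[0] is a memory buffer of at least sizeof(struct fuse_in_header) bytes; callers must check this before dispatch. */` would do. Whether both current callers actually perform that check cannot be confirmed from this hunk.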
@@ -2129,7 +2140,7 @@ void fuse_session_process_buf_int(struct fuse_session *se,
 
     inarg = (void *)&in[1];
     if (in->opcode == FUSE_WRITE && se->op.write_buf) {
-        do_write_buf(req, in->nodeid, inarg, bufv);
+        do_write_buf(req, in->nodeid, &iter, bufv);
     } else {
         fuse_ll_ops[in->opcode].func(req, in->nodeid, inarg);
     }
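Review bot: Only the FUSE_WRITE branch receives `&iter`; the else branch still passes `inarg`, computed as `(void *)&in[1]` two lines up, to fuse_ll_ops[in->opcode].func with no check that the buffer holds that opcode's argument struct, so after this commit the write path and every other op have different validation guarantees. The following patch in this series ("check input buffer size in fuse_lowlevel.c ops") appears to address that; until it lands a comment on the else branch, e.g. `/* TODO: ops below still read inarg unchecked; convert them to fuse_mbuf_iter */`, marks the gap for anyone reading this revision. The enclosing function starts outside this hunk.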
-- 
2.24.1



