From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 4 Feb 2022 03:22:38 +0300
From: "Dmitry V. Levin"
To: Vitaly Chikunov
Cc: qemu-stable@nongnu.org, Christian Schoenebeck, qemu-devel@nongnu.org, Greg Kurz
Subject: Re: [PATCH v2] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
Message-ID: <20220204002237.GD7780@altlinux.org>
References: <20220128223326.927132-1-vt@altlinux.org> <2001191.mYrJCF7IzP@silver> <20220204001516.n5ma26x3wxsoixeb@altlinux.org>
In-Reply-To: <20220204001516.n5ma26x3wxsoixeb@altlinux.org>
X-BeenThere: qemu-devel@nongnu.org

On Fri, Feb 04, 2022 at 03:15:16AM +0300, Vitaly Chikunov wrote:
[...]
> Yes, but this will cause another abort() call. I am thinking about a v3 fix
> like this:
>
> struct dirent *
> qemu_dirent_dup(struct dirent *dent)
> {
>     size_t sz = 0;
> #if defined _DIRENT_HAVE_D_RECLEN
>     /* Avoid use of strlen() if there's d_reclen. */
>     sz = dent->d_reclen;
> #endif
>     if (sz == 0) {
>         /* Fallback to the most portable way. */
>         sz = offsetof(struct dirent, d_name) +
>              strlen(dent->d_name) + 1;
>     }
>     struct dirent *dst = g_malloc(sz);
>     return memcpy(dst, dent, sz);
> }
>
> Thus it will use strlen for simulated dirents and d_reclen for real ones.

Makes sense.

-- 
ldv