From: "Marc-André Lureau" <marcandre.lureau@gmail.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: xiaoqiang zhao <zxq_yx_007@163.com>,
	"Daniel P. Berrange" <berrange@redhat.com>,
	Michael Tokarev <mjt@tls.msk.ru>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Markus Armbruster <armbru@redhat.com>
Subject: Re: [PATCH] util: fix abstract socket path copy
Date: Tue, 31 Aug 2021 16:20:17 +0400	[thread overview]
Message-ID: <CAJ+F1C+YK75sQo2rmM18fZ31tDaV2Pi-XeLcCTtSuXL3ORVPmw@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA-sZ_BMeydW6-iqdGQnETC5Gb0FLaCFgCgnZWZecMaD8g@mail.gmail.com>

Hi

On Tue, Aug 31, 2021 at 2:32 PM Peter Maydell <peter.maydell@linaro.org> wrote:

> On Tue, 31 Aug 2021 at 11:17, Michael Tokarev <mjt@tls.msk.ru> wrote:
> >
> > 31.08.2021 12:53, Peter Maydell wrote:
> > > On Mon, 30 Aug 2021 at 23:30, Michael Tokarev <mjt@tls.msk.ru> wrote:
> > >>
> > >> 31.08.2021 01:06, Michael Tokarev wrote:
> > >> ...
> > >>> And this is the value used to be returned in the getsockname/getpeername
> > >>> calls.
> > >>>
> > >>> So this has nothing to do with the socket being abstract or not. We asked
> > >>> for larger storage for the sockaddr structure, and the kernel was able to
> > >>> build one for us, including the trailing \0 byte.
> > >
> > >> diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
> > >> index f2f3676d1f..83926dc2bc 100644
> > >> --- a/util/qemu-sockets.c
> > >> +++ b/util/qemu-sockets.c
> > >> @@ -1345,8 +1345,9 @@ socket_sockaddr_to_address_unix(struct
> sockaddr_storage *sa,
> > >>        SocketAddress *addr;
> > >>        struct sockaddr_un *su = (struct sockaddr_un *)sa;
> > >>
> > >> +    /* kernel might have added \0 terminator to non-abstract socket
> */
> > >>        assert(salen >= sizeof(su->sun_family) + 1 &&
> > >> -           salen <= sizeof(struct sockaddr_un));
> > >> +           salen <= sizeof(struct sockaddr_un) + su->sun_path[0] ? 1
> : 0);
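Review bot: the new upper bound in the assert has an operator-precedence problem. `?:` binds looser than `+`, `<=` and `&&`, so `salen <= sizeof(struct sockaddr_un) + su->sun_path[0] ? 1 : 0` parses as `(salen >= ... && salen <= sizeof(struct sockaddr_un) + su->sun_path[0]) ? 1 : 0`: the upper limit becomes sizeof(struct sockaddr_un) plus the numeric value of the first path byte (47 for a leading '/'), and plus 0 for an abstract name, rather than the intended "+1 only for pathname sockets". If the bound is kept it needs parentheses, `salen <= sizeof(struct sockaddr_un) + (su->sun_path[0] ? 1 : 0)`; given the discussion that the upper bound protects nothing, dropping the second operand and keeping only the `salen >= sizeof(su->sun_family) + 1` check is the simpler fix. The comment above the assert also reads better as "kernel might have added a \0 terminator to a non-abstract socket address".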
> > >
> > > Q: Why are we imposing an upper limit on salen anyway?
> > > We need the lower limit because salen is supposed to include
> > > the whole of the 'struct sockaddr_un' and we assume that.
> > > But what's the upper limit here protecting?
> >
> > It is not about protection really, it is about correctness.
> > This is actually a grey area. This single trailing \0 byte
> > depends on the implementation. Please read man 7 unix -
> > especially the "Pathname sockets" and BUGS sections.
>
> Yes, I know about that. Why are we assert()ing ? Our
> implementation here doesn't care whether the struct
> we're passed is exactly the size of a sockaddr_un,
> a bit bigger than it, or 5 bytes bigger. We're not going
> to crash or misbehave if the caller passes us in an oversized
> buffer.
>

The minimal len check seems appropriate, since the function accesses at
least the first X bytes (3 I suppose).

While at it I probably added an upper bound that I thought made sense (the
size of sockaddr_un), but I got it wrong.

But now, I also think we can remove the upper bound check.


> > > Q2: why does our required upper limit change depending on whether
> > > there happens to be a string in the sun_path array or not ?
> >
> > Because for abstract sockets (the ones whose name starts with \0
> > byte) the sun_path is treated as a blob of given length, without
> > the additional trailing \0, and neither the kernel nor userspace
> > is trying to add the terminator, while for pathname sockets this
> > is not the case and someone has to add the trailing \0 somewhere.
>
> Ah, I hadn't realized about the abstract-sockets case. Thanks.
>
> -- PMM
>
>

-- 
Marc-André Lureau
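
The length handling discussed in this thread (a lower bound on salen only, pathname names bounded by salen with an optional kernel-added \0, abstract names treated as an opaque blob) as a worked example. This is added illustration code, not QEMU's socket_sockaddr_to_address_unix() or any code from the thread's participants; the decoder, the `un_name` type, `make_addr()` and the sample addresses are all constructed here for demonstration, and the sample addresses stand in for what getsockname()/getpeername() would fill in rather than being captured from a real kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SUN_PATH_OFFSET offsetof(struct sockaddr_un, sun_path)
#define SUN_PATH_MAX    sizeof(((struct sockaddr_un *)0)->sun_path)

/* Decoded name: abstract flag, byte length (terminator not counted) and the
 * bytes, kept NUL-terminated here so pathnames print with %s. */
struct un_name {
    bool abstract;
    size_t len;
    char name[SUN_PATH_MAX + 1];
};

/* Decode the (address, salen) pair filled in by getsockname()/getpeername()/
 * accept().  Only a lower bound is enforced: sun_family plus one sun_path
 * byte.  An oversized salen (a terminator counted past sun_path, or a caller
 * handing over a whole sockaddr_storage) is clamped rather than rejected.
 * Returns 0 on success, -1 for an unnamed or truncated address. */
int decode_sockaddr_un(const struct sockaddr_storage *sa, socklen_t salen,
                       struct un_name *out)
{
    const struct sockaddr_un *su = (const struct sockaddr_un *)sa;
    size_t pathlen;

    if (salen < SUN_PATH_OFFSET + 1) {
        return -1;
    }
    pathlen = salen - SUN_PATH_OFFSET;
    if (pathlen > SUN_PATH_MAX) {
        pathlen = SUN_PATH_MAX;             /* never read past sun_path */
    }
    memset(out, 0, sizeof(*out));
    if (su->sun_path[0] == '\0') {
        /* Abstract (Linux): opaque blob, length given only by salen;
         * embedded NULs are data and nobody appends a terminator. */
        out->abstract = true;
        out->len = pathlen;
    } else {
        /* Pathname: stop at the first NUL within salen if the kernel
         * counted one, otherwise take every byte up to salen. */
        while (out->len < pathlen && su->sun_path[out->len] != '\0') {
            out->len++;
        }
    }
    memcpy(out->name, su->sun_path, out->len);
    return 0;
}

/* Build a constructed address the way the kernel would report it: zeroed
 * storage, the name bytes, and a salen that optionally counts one trailing
 * NUL (unix(7): implementation dependent for pathname sockets). */
static socklen_t make_addr(struct sockaddr_storage *ss, const char *name,
                           size_t namelen, bool count_nul)
{
    struct sockaddr_un *su = (struct sockaddr_un *)ss;

    memset(ss, 0, sizeof(*ss));
    su->sun_family = AF_UNIX;
    memcpy(su->sun_path, name, namelen);    /* namelen <= SUN_PATH_MAX */
    return (socklen_t)(SUN_PATH_OFFSET + namelen + (count_nul ? 1 : 0));
}

/* Decode a constructed name; returns its decoded length or -1 on failure. */
int decode_example(const char *name, size_t namelen, bool nul_counted)
{
    struct sockaddr_storage ss;
    struct un_name n;
    socklen_t salen = make_addr(&ss, name, namelen, nul_counted);

    return decode_sockaddr_un(&ss, salen, &n) < 0 ? -1 : (int)n.len;
}

/* Same, but report whether the name was classified as abstract
 * (1/0, -1 on failure). */
int decode_example_abstract(const char *name, size_t namelen, bool nul_counted)
{
    struct sockaddr_storage ss;
    struct un_name n;
    socklen_t salen = make_addr(&ss, name, namelen, nul_counted);

    return decode_sockaddr_un(&ss, salen, &n) < 0 ? -1 : n.abstract;
}

/* A pathname filling sun_path completely, reported with the NUL counted:
 * salen is sizeof(struct sockaddr_un) + 1, which an upper-bound assert
 * would reject, yet the decode is well defined and clamps to SUN_PATH_MAX. */
int decode_full_path_example(void)
{
    char full[SUN_PATH_MAX];

    memset(full, 'a', sizeof(full));
    return decode_example(full, sizeof(full), true);
}

int main(void)
{
    printf("pathname %d/%d, abstract %d (flag %d), full path %d\n",
           decode_example("/tmp/qemu.sock", 14, true),
           decode_example("/tmp/qemu.sock", 14, false),
           decode_example("\0qemu\0x", 7, false),
           decode_example_abstract("\0qemu\0x", 7, false),
           decode_full_path_example());
    return 0;
}
```

The point the example makes is the one Peter raises above: the function only ever reads `sun_family` plus as many `sun_path` bytes as salen covers, so the lower bound is what protects it, and clamping to `sizeof(sun_path)` makes an oversized salen harmless rather than something to assert on. The abstract case shows why `strlen()` cannot be used on `sun_path`: the name "\0qemu\0x" contains a NUL in the middle and its length is known only from salen.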


Thread overview: 13+ messages
2021-07-19 13:01 [PATCH] util: fix abstract socket path copy marcandre.lureau
2021-07-19 13:49 ` Daniel P. Berrangé
2021-07-19 13:52   ` Marc-André Lureau
2021-07-20  2:48 ` zhao xiao qiang
2021-08-04  8:39 ` Markus Armbruster
2021-08-04  8:41   ` Marc-André Lureau
2021-08-30 21:38 ` Michael Tokarev
2021-08-30 22:06   ` Michael Tokarev
2021-08-30 22:22     ` Michael Tokarev
2021-08-31  9:53       ` Peter Maydell
2021-08-31 10:17         ` Michael Tokarev
2021-08-31 10:30           ` Peter Maydell
2021-08-31 12:20             ` Marc-André Lureau [this message]
