From: Eric Blake <eblake@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
	qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, den@openvz.org
Subject: Re: [Qemu-devel] [PATCH v2 03/12] nbd/server: get rid of nbd_negotiate_read and friends
Date: Tue, 18 Jul 2017 07:04:55 -0500
Message-ID: <a880cbcb-9a16-bbd3-cda7-28e68bc21b34@redhat.com>
In-Reply-To: <20170602150150.258222-4-vsementsov@virtuozzo.com>


On 06/02/2017 10:01 AM, Vladimir Sementsov-Ogievskiy wrote:
> Functions nbd_negotiate_{read,write,drop_sync} were introduced in
> 1a6245a5b, when nbd_rwv (was nbd_wr_sync) was working through
> qemu_co_sendv_recvv (the path is nbd_wr_sync -> qemu_co_{recv/send} ->
> qemu_co_send_recv -> qemu_co_sendv_recvv), which just yields, without
> setting any handlers. But starting from ff82911cd nbd_rwv (was
> nbd_wr_syncv) works through qio_channel_yield() which sets handlers, so
> watchers are redundant in nbd_negotiate_{read,write,drop_sync}, then,
> let's just use nbd_{read,write,drop} functions.
> 
> Functions nbd_{read,write,drop} have an errp parameter, which is unused in
> this patch. This will be fixed later.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Reviewed-by: Eric Blake <eblake@redhat.com>
> ---
>  nbd/server.c | 107 ++++++++++++-----------------------------------------------
>  1 file changed, 22 insertions(+), 85 deletions(-)

I did not realize it at the time, but this patch plugs a
denial-of-service security hole against malicious clients that were able
to trigger an assertion failure in the server by sending garbage during
negotiation, which was a regression introduced in the mentioned commit
ff82911cd.  This has now been assigned the identifier CVE-2017-7539.

The fact that we have now had 4 CVEs against qemu's NBD implementation
in the last year means we are not doing a very good job of unit testing
either the server or the client against a malicious partner; I'm still
trying to figure out ways that we can improve our testsuite coverage
(testing that a sane client can still connect happens during
qemu-iotests, but most of our CVEs have happened due to poor reactions
to out-of-spec clients).

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
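The reply above describes the class of bug (an assertion failure reachable by an out-of-spec client during negotiation) and the missing test coverage. The following is an added example, not qemu's code and not part of this thread: a defensive parser for the 16-byte header of an NBD newstyle option request, paired with a small reproducible fuzz-style check that feeds it constructed garbage. Only the NBD_OPTS_MAGIC value is taken from the NBD protocol; the result codes, the 32 MiB payload cap and all function names are assumptions made for this sketch.

```c
/*
 * Added example (not qemu's own code): parse an NBD newstyle option header
 * defensively and report out-of-spec input as a result code the caller can
 * turn into a protocol error or a disconnect. Nothing here asserts on bytes
 * the client controls. Only NBD_OPTS_MAGIC comes from the NBD protocol; the
 * result codes and MAX_OPT_PAYLOAD are assumptions made for this sketch.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NBD_OPTS_MAGIC   0x49484156454F5054ULL  /* ASCII "IHAVEOPT" (NBD spec) */
#define NBD_OPT_HDR_LEN  16                     /* magic(8) + option(4) + length(4) */
#define MAX_OPT_PAYLOAD  (32u * 1024 * 1024)    /* assumed cap on option payload */

enum nbd_opt_result {
    NBD_OPT_OK,         /* header parsed; caller may read hdr.length more bytes */
    NBD_OPT_NEED_MORE,  /* fewer than 16 bytes buffered so far: keep reading */
    NBD_OPT_BAD_MAGIC,  /* framing is lost: the only safe reaction is to disconnect */
    NBD_OPT_TOO_LONG    /* length over the cap: send an error reply, then drain or drop */
};

struct nbd_opt_hdr {
    uint64_t magic;
    uint32_t option;
    uint32_t length;
};

/* Big-endian loaders: NBD puts all header fields on the wire in network order. */
static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        v = (v << 8) | p[i];
    }
    return v;
}

static uint32_t load_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Validate one option header from buf[0..len). Never aborts on bad input. */
enum nbd_opt_result nbd_parse_opt_hdr(const uint8_t *buf, size_t len,
                                      struct nbd_opt_hdr *hdr)
{
    if (len < NBD_OPT_HDR_LEN) {
        return NBD_OPT_NEED_MORE;
    }
    hdr->magic  = load_be64(buf);
    hdr->option = load_be32(buf + 8);
    hdr->length = load_be32(buf + 12);

    if (hdr->magic != NBD_OPTS_MAGIC) {
        return NBD_OPT_BAD_MAGIC;   /* garbage where "IHAVEOPT" belongs */
    }
    if (hdr->length > MAX_OPT_PAYLOAD) {
        return NBD_OPT_TOO_LONG;    /* refuse to allocate or read an absurd payload */
    }
    return NBD_OPT_OK;
}

/* Serialise a well-formed header (used by the checks below and by tests). */
void nbd_build_opt_hdr(uint8_t out[NBD_OPT_HDR_LEN], uint32_t option, uint32_t length)
{
    uint64_t m = NBD_OPTS_MAGIC;
    for (int i = 7; i >= 0; i--) {   /* write magic big-endian: out[0] is the high byte */
        out[i] = (uint8_t)m;
        m >>= 8;
    }
    for (int i = 0; i < 4; i++) {
        out[8 + i]  = (uint8_t)(option >> (24 - 8 * i));
        out[12 + i] = (uint8_t)(length >> (24 - 8 * i));
    }
}

/* Deterministic xorshift64 PRNG so the fuzz loop is reproducible offline. */
static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

/*
 * Feed `iters` constructed random 16-byte headers through the parser and
 * return how many were rejected. Random bytes essentially never match the
 * magic, so the expected count equals `iters`; the real point is that the
 * loop completes without any assertion firing.
 */
unsigned nbd_fuzz_opt_hdr(unsigned iters, uint64_t seed)
{
    unsigned rejected = 0;
    struct nbd_opt_hdr hdr;
    for (unsigned i = 0; i < iters; i++) {
        uint8_t buf[NBD_OPT_HDR_LEN];
        for (int j = 0; j < NBD_OPT_HDR_LEN; j++) {
            buf[j] = (uint8_t)xorshift64(&seed);
        }
        if (nbd_parse_opt_hdr(buf, sizeof buf, &hdr) != NBD_OPT_OK) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    uint8_t good[NBD_OPT_HDR_LEN];
    struct nbd_opt_hdr hdr;
    nbd_build_opt_hdr(good, 3 /* NBD_OPT_LIST */, 0);
    printf("well-formed header -> result %d\n", nbd_parse_opt_hdr(good, sizeof good, &hdr));
    printf("garbage headers rejected: %u/1000\n",
           nbd_fuzz_opt_hdr(1000, 0x9E3779B97F4A7C15ULL));
    return 0;
}
```

The design point is that each failure mode maps to a distinct, non-fatal outcome: a short read means wait for more bytes, a bad magic means the stream can no longer be trusted and the connection should be closed, and an oversized length is rejected before any buffer is sized from it. A test that drives the parser with random bytes, as the fuzz loop does, is the kind of "malicious partner" coverage the message says is missing; the same harness can be pointed at a real server's negotiation path once the parser lives behind a socket.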


