aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomas Bortoli <tomasbortoli@gmail.com>2018-07-23 11:44:04 -0400
committerDominique Martinet <dominique.martinet@cea.fr>2018-08-12 20:34:58 -0400
commitf984579a01d85166ee7380204a96d978a67687a1 (patch)
tree6921952e63cd2ec0cb11625de49fb4395e0d4ce4
parent9f476d7c540cb57556d3cc7e78704e6cd5100f5f (diff)
9p: validate PDU length
This commit adds length check for the PDU size. The size contained in the header has to match the actual size, except for TCP (trans_fd.c) where actual length is not known ahead and the header's length will be checked only against the validity range. Link: http://lkml.kernel.org/r/20180723154404.2406-1-tomasbortoli@gmail.com Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com To: Eric Van Hensbergen <ericvh@gmail.com> To: Ron Minnich <rminnich@sandia.gov> To: Latchesar Ionkov <lucho@ionkov.net> Cc: David S. Miller <davem@davemloft.net> Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Diffstat
-rw-r--r--net/9p/client.c25
-rw-r--r--net/9p/trans_fd.c5
-rw-r--r--net/9p/trans_rdma.c1
-rw-r--r--net/9p/trans_virtio.c4
4 files changed, 24 insertions, 11 deletions
diff --git a/net/9p/client.c b/net/9p/client.c
index 33717b1b84d8..20088aa06343 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -469,20 +469,11 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag,
469 int err; 469 int err;
470 470
471 pdu->offset = 0; 471 pdu->offset = 0;
472 if (pdu->size == 0)
473 pdu->size = 7;
474 472
475 err = p9pdu_readf(pdu, 0, "dbw", &r_size, &r_type, &r_tag); 473 err = p9pdu_readf(pdu, 0, "dbw", &r_size, &r_type, &r_tag);
476 if (err) 474 if (err)
477 goto rewind_and_exit; 475 goto rewind_and_exit;
478 476
479 pdu->size = r_size;
480 pdu->id = r_type;
481 pdu->tag = r_tag;
482
483 p9_debug(P9_DEBUG_9P, "<<< size=%d type: %d tag: %d\n",
484 pdu->size, pdu->id, pdu->tag);
485
486 if (type) 477 if (type)
487 *type = r_type; 478 *type = r_type;
488 if (tag) 479 if (tag)
@@ -490,6 +481,16 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag,
490 if (size) 481 if (size)
491 *size = r_size; 482 *size = r_size;
492 483
484 if (pdu->size != r_size || r_size < 7) {
485 err = -EINVAL;
486 goto rewind_and_exit;
487 }
488
489 pdu->id = r_type;
490 pdu->tag = r_tag;
491
492 p9_debug(P9_DEBUG_9P, "<<< size=%d type: %d tag: %d\n",
493 pdu->size, pdu->id, pdu->tag);
493 494
494rewind_and_exit: 495rewind_and_exit:
495 if (rewind) 496 if (rewind)
@@ -516,6 +517,12 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
516 int ecode; 517 int ecode;
517 518
518 err = p9_parse_header(req->rc, NULL, &type, NULL, 0); 519 err = p9_parse_header(req->rc, NULL, &type, NULL, 0);
520 if (req->rc->size >= c->msize) {
521 p9_debug(P9_DEBUG_ERROR,
522 "requested packet size too big: %d\n",
523 req->rc->size);
524 return -EIO;
525 }
519 /* 526 /*
520 * dump the response from server 527 * dump the response from server
521 * This should be after check errors which poplulate pdu_fcall. 528 * This should be after check errors which poplulate pdu_fcall.
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index cce41b20a709..964260265b13 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -325,7 +325,9 @@ static void p9_read_work(struct work_struct *work)
325 if ((!m->req) && (m->rc.offset == m->rc.capacity)) { 325 if ((!m->req) && (m->rc.offset == m->rc.capacity)) {
326 p9_debug(P9_DEBUG_TRANS, "got new header\n"); 326 p9_debug(P9_DEBUG_TRANS, "got new header\n");
327 327
328 err = p9_parse_header(&m->rc, NULL, NULL, NULL, 0); 328 /* Header size */
329 m->rc.size = 7;
330 err = p9_parse_header(&m->rc, &m->rc.size, NULL, NULL, 0);
329 if (err) { 331 if (err) {
330 p9_debug(P9_DEBUG_ERROR, 332 p9_debug(P9_DEBUG_ERROR,
331 "error parsing header: %d\n", err); 333 "error parsing header: %d\n", err);
@@ -370,6 +372,7 @@ static void p9_read_work(struct work_struct *work)
370 */ 372 */
371 if ((m->req) && (m->rc.offset == m->rc.capacity)) { 373 if ((m->req) && (m->rc.offset == m->rc.capacity)) {
372 p9_debug(P9_DEBUG_TRANS, "got new packet\n"); 374 p9_debug(P9_DEBUG_TRANS, "got new packet\n");
375 m->req->rc->size = m->rc.offset;
373 spin_lock(&m->client->lock); 376 spin_lock(&m->client->lock);
374 if (m->req->status != REQ_STATUS_ERROR) 377 if (m->req->status != REQ_STATUS_ERROR)
375 status = REQ_STATUS_RCVD; 378 status = REQ_STATUS_RCVD;
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 3d414acb7015..2649b2ebf961 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -320,6 +320,7 @@ recv_done(struct ib_cq *cq, struct ib_wc *wc)
320 if (wc->status != IB_WC_SUCCESS) 320 if (wc->status != IB_WC_SUCCESS)
321 goto err_out; 321 goto err_out;
322 322
323 c->rc->size = wc->byte_len;
323 err = p9_parse_header(c->rc, NULL, NULL, &tag, 1); 324 err = p9_parse_header(c->rc, NULL, NULL, &tag, 1);
324 if (err) 325 if (err)
325 goto err_out; 326 goto err_out;
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index d422bfc81eca..06dcd3cc6a29 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -156,8 +156,10 @@ static void req_done(struct virtqueue *vq)
156 need_wakeup = true; 156 need_wakeup = true;
157 } 157 }
158 158
159 if (len) 159 if (len) {
160 req->rc->size = len;
160 p9_client_cb(chan->client, req, REQ_STATUS_RCVD); 161 p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
162 }
161 } 163 }
162 spin_unlock_irqrestore(&chan->lock, flags); 164 spin_unlock_irqrestore(&chan->lock, flags);
163 /* Wakeup if anyone waiting for VirtIO ring space. */ 165 /* Wakeup if anyone waiting for VirtIO ring space. */
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-23 13:26:24 -0400