lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 20 Nov 2018 07:03:31 +0100
From:   Dominique Martinet <asmadeus@...ewreck.org>
To:     Dominique Martinet <dominique.martinet@....fr>
Cc:     Eric Van Hensbergen <ericvh@...il.com>,
        Latchesar Ionkov <lucho@...kov.net>,
        syzkaller-bugs@...glegroups.com,
        v9fs-developer@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH] 9p/net: put a lower bound on msize

Dominique Martinet wrote on Mon, Nov 05, 2018:
> From: Dominique Martinet <dominique.martinet@....fr>
> 
> If the requested msize is too small (either from command line argument
> or from the server version reply), we won't get any work done.
> If it's *really* too small, nothing will work, and this got caught by
> syzbot recently (on a new kmem_cache_create_usercopy() call)
> 
> Just set a minimum msize to 4k in both code paths, until someone
> complains they have a use-case for a smaller msize.
> 
> We need to check in both mount option and server reply individually
> because the msize for the first version request would be unchecked
> with just a global check on clnt->msize.
> 
> Reported-by: syzbot+0c1d61e4db7db94102ca@...kaller.appspotmail.com
> Signed-off-by: Dominique Martinet <dominique.martinet@....fr>
> Cc: Eric Van Hensbergen <ericvh@...il.com>
> Cc: Latchesar Ionkov <lucho@...kov.net>
> ---
>  net/9p/client.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 2c9a17b9b46b..b1163ebdc622 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -181,6 +181,12 @@ static int parse_opts(char *opts, struct p9_client *clnt)
>  				ret = r;
>  				continue;
>  			}
> +			if (r < 4096) {

This should read if (option < 4096), amending what I've put in for -next
last week :(

Reviews wanted!


> +				p9_debug(P9_DEBUG_ERROR,
> +					 "msize should be at least 4k\n");
> +				ret = -EINVAL;
> +				continue;
> +			}
>  			clnt->msize = option;
>  			break;
>  		case Opt_trans:
> @@ -983,10 +989,18 @@ static int p9_client_version(struct p9_client *c)
>  	else if (!strncmp(version, "9P2000", 6))
>  		c->proto_version = p9_proto_legacy;
>  	else {
> +		p9_debug(P9_DEBUG_ERROR,
> +			 "server returned an unknown version: %s\n", version);
>  		err = -EREMOTEIO;
>  		goto error;
>  	}
>  
> +	if (msize < 4096) {
> +		p9_debug(P9_DEBUG_ERROR,
> +			 "server returned a msize < 4096: %d\n", msize);
> +		err = -EREMOTEIO;
> +		goto error;
> +	}
>  	if (msize < c->msize)
>  		c->msize = msize;
>  
> @@ -1043,6 +1057,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
>  	if (clnt->msize > clnt->trans_mod->maxsize)
>  		clnt->msize = clnt->trans_mod->maxsize;
>  
> +	if (clnt->msize < 4096) {
> +		p9_debug(P9_DEBUG_ERROR,
> +			 "Please specify a msize of at least 4k\n");
> +		err = -EINVAL;
> +		goto free_client;
> +	}
> +
>  	err = p9_client_version(clnt);
>  	if (err)
>  		goto close_trans;

-- 
Dominique

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ