| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181120060331.GA6675@nautica>
Date: Tue, 20 Nov 2018 07:03:31 +0100
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Dominique Martinet <dominique.martinet@....fr>
Cc: Eric Van Hensbergen <ericvh@...il.com>,
Latchesar Ionkov <lucho@...kov.net>,
syzkaller-bugs@...glegroups.com,
v9fs-developer@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] 9p/net: put a lower bound on msize
Dominique Martinet wrote on Mon, Nov 05, 2018:
> From: Dominique Martinet <dominique.martinet@....fr>
>
> If the requested msize is too small (either from command line argument
> or from the server version reply), we won't get any work done.
> If it's *really* too small, nothing will work, and this got caught by
> syzbot recently (on a new kmem_cache_create_usercopy() call)
>
> Just set a minimum msize to 4k in both code paths, until someone
> complains they have a use-case for a smaller msize.
>
> We need to check in both mount option and server reply individually
> because the msize for the first version request would be unchecked
> with just a global check on clnt->msize.
>
> Reported-by: syzbot+0c1d61e4db7db94102ca@...kaller.appspotmail.com
> Signed-off-by: Dominique Martinet <dominique.martinet@....fr>
> Cc: Eric Van Hensbergen <ericvh@...il.com>
> Cc: Latchesar Ionkov <lucho@...kov.net>
> ---
> net/9p/client.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 2c9a17b9b46b..b1163ebdc622 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -181,6 +181,12 @@ static int parse_opts(char *opts, struct p9_client *clnt)
> ret = r;
> continue;
> }
> + if (r < 4096) {
This should read if (option < 4096), amending what I've put in for -next
last week :(
Reviews wanted!
> + p9_debug(P9_DEBUG_ERROR,
> + "msize should be at least 4k\n");
> + ret = -EINVAL;
> + continue;
> + }
> clnt->msize = option;
> break;
> case Opt_trans:
> @@ -983,10 +989,18 @@ static int p9_client_version(struct p9_client *c)
> else if (!strncmp(version, "9P2000", 6))
> c->proto_version = p9_proto_legacy;
> else {
> + p9_debug(P9_DEBUG_ERROR,
> + "server returned an unknown version: %s\n", version);
> err = -EREMOTEIO;
> goto error;
> }
>
> + if (msize < 4096) {
> + p9_debug(P9_DEBUG_ERROR,
> + "server returned a msize < 4096: %d\n", msize);
> + err = -EREMOTEIO;
> + goto error;
> + }
> if (msize < c->msize)
> c->msize = msize;
>
> @@ -1043,6 +1057,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
> if (clnt->msize > clnt->trans_mod->maxsize)
> clnt->msize = clnt->trans_mod->maxsize;
>
> + if (clnt->msize < 4096) {
> + p9_debug(P9_DEBUG_ERROR,
> + "Please specify a msize of at least 4k\n");
> + err = -EINVAL;
> + goto free_client;
> + }
> +
> err = p9_client_version(clnt);
> if (err)
> goto close_trans;
--
Dominique
Powered by blists - more mailing lists