| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250317-p9_bogus_io_error-v1-1-9639f6d1561f@codewreck.org>
Date: Mon, 17 Mar 2025 06:51:06 +0900
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Eric Van Hensbergen <ericvh@...nel.org>,
Latchesar Ionkov <lucho@...kov.net>,
Christian Schoenebeck <linux_oss@...debyte.com>
Cc: v9fs@...ts.linux.dev, linux-kernel@...r.kernel.org,
Dominique Martinet <asmadeus@...ewreck.org>
Subject: [PATCH] 9p/net: return error on bogus (longer than requested)
replies
Up until now we've been considering longer than requested replies as
acceptable, printing a message and just truncating the data,
but it makes more sense to consider these an error.
Make these fail with EIO instead.
Suggested-by: Christian Schoenebeck <linux_oss@...debyte.com>
Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
---
As suggested in https://lkml.kernel.org/r/4171850.H1WhmIdAfj@silver
Not tested as I haven't taken the time to make a bogus server...
I'm sure syzbot will come bit us on that :|
---
net/9p/client.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/9p/client.c b/net/9p/client.c
index 99e9a55199e8..a2e5ff161562 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1594,7 +1594,9 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
}
if (rsize < received) {
pr_err("bogus RREAD count (%u > %u)\n", received, rsize);
- received = rsize;
+ *err = -EIO;
+ p9_req_put(clnt, req);
+ return 0;
}
p9_debug(P9_DEBUG_9P, "<<< RREAD count %u\n", received);
@@ -1661,7 +1663,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
}
if (rsize < written) {
pr_err("bogus RWRITE count (%u > %u)\n", written, rsize);
- written = rsize;
+ *err = -EIO;
+ iov_iter_revert(from, count - iov_iter_count(from));
+ p9_req_put(clnt, req);
+ break;
}
p9_debug(P9_DEBUG_9P, "<<< RWRITE count %u\n", written);
@@ -1713,7 +1718,7 @@ p9_client_write_subreq(struct netfs_io_subrequest *subreq)
if (written > len) {
pr_err("bogus RWRITE count (%d > %u)\n", written, len);
- written = len;
+ written = -EIO;
}
p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", len);
@@ -2145,7 +2150,8 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
}
if (rsize < count) {
pr_err("bogus RREADDIR count (%u > %u)\n", count, rsize);
- count = rsize;
+ err = -EIO;
+ goto free_and_error;
}
p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %u\n", count);
---
base-commit: a08cea93bd00497bdf3ff09527d378e2e928ed3a
change-id: 20250317-p9_bogus_io_error-5e91a19be30c
Best regards,
--
Dominique Martinet | Asmadeus
Powered by blists - more mailing lists