Message-Id: <20250317-p9_bogus_io_error-v1-1-9639f6d1561f@codewreck.org>
Date: Mon, 17 Mar 2025 06:51:06 +0900
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Eric Van Hensbergen <ericvh@...nel.org>, 
 Latchesar Ionkov <lucho@...kov.net>, 
 Christian Schoenebeck <linux_oss@...debyte.com>
Cc: v9fs@...ts.linux.dev, linux-kernel@...r.kernel.org, 
 Dominique Martinet <asmadeus@...ewreck.org>
Subject: [PATCH] 9p/net: return error on bogus (longer than requested)
 replies

Up until now we've been considering longer than requested replies as
acceptable, printing a message and just truncating the data,
but it makes more sense to consider these an error.

Make these fail with EIO instead.

Suggested-by: Christian Schoenebeck <linux_oss@...debyte.com>
Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
---
As suggested in https://lkml.kernel.org/r/4171850.H1WhmIdAfj@silver

Not tested as I haven't taken the time to make a bogus server...
I'm sure syzbot will come bite us on that :|
---
 net/9p/client.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index 99e9a55199e8..a2e5ff161562 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1594,7 +1594,9 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
 	}
 	if (rsize < received) {
 		pr_err("bogus RREAD count (%u > %u)\n", received, rsize);
-		received = rsize;
+		*err = -EIO;
+		p9_req_put(clnt, req);
+		return 0;
 	}
 
 	p9_debug(P9_DEBUG_9P, "<<< RREAD count %u\n", received);
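
Review bot: the pr_err("bogus RREAD count ...") in the `rsize < received` branch is triggered purely by the server's reply, so a misbehaving server can flood the log with one line per read; consider pr_err_ratelimited() here. The branch also returns 0 with the failure carried only in `*err`, so please confirm that callers check `*err` and do not interpret the 0 as end of file.
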
@@ -1661,7 +1663,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
 		}
 		if (rsize < written) {
 			pr_err("bogus RWRITE count (%u > %u)\n", written, rsize);
-			written = rsize;
+			*err = -EIO;
+			iov_iter_revert(from, count - iov_iter_count(from));
+			p9_req_put(clnt, req);
+			break;
 		}
 
 		p9_debug(P9_DEBUG_9P, "<<< RWRITE count %u\n", written);
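
Review bot: in the `rsize < written` branch, `iov_iter_revert(from, count - iov_iter_count(from))` is only correct if `count` still holds the iterator size from before this request consumed data, which the hunk does not show; a short comment stating that would help. After the `break`, the commit message should also say whether bytes accepted in earlier loop iterations are still returned alongside `*err = -EIO` or whether the whole call is meant to fail.
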
@@ -1713,7 +1718,7 @@ p9_client_write_subreq(struct netfs_io_subrequest *subreq)
 
 	if (written > len) {
 		pr_err("bogus RWRITE count (%d > %u)\n", written, len);
-		written = len;
+		written = -EIO;
 	}
 
 	p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", len);
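
Review bot: unlike the other three hunks, which return, break or goto out of the bogus-count branch, `written = -EIO;` here falls through to the p9_debug("<<< RWRITE count %d\n", len) line, so the trace still logs `len` as if the write had succeeded. Either skip the trace on error or print `written`, and check that the code after this point treats a negative `written` as an errno and not as a byte count, since that code is outside this hunk.
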
@@ -2145,7 +2150,8 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
 	}
 	if (rsize < count) {
 		pr_err("bogus RREADDIR count (%u > %u)\n", count, rsize);
-		count = rsize;
+		err = -EIO;
+		goto free_and_error;
 	}
 
 	p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %u\n", count);
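
Review bot: the `rsize < count` branch now jumps to `free_and_error`, while the read and write hunks release the request explicitly with `p9_req_put(clnt, req)`; the label's body is outside this hunk, so please confirm it drops `req` and that nothing has been copied into `data` before this check runs.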

---
base-commit: a08cea93bd00497bdf3ff09527d378e2e928ed3a
change-id: 20250317-p9_bogus_io_error-5e91a19be30c

Best regards,
-- 
Dominique Martinet | Asmadeus

