lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2332540.nosMkMiWtC@silver>
Date: Sun, 22 Jun 2025 23:20:21 +0200
From: Christian Schoenebeck <linux_oss@...debyte.com>
To: asmadeus@...ewreck.org
Cc: Kees Cook <kees@...nel.org>,
 Dominique Martinet via B4 Relay <devnull+asmadeus.codewreck.org@...nel.org>,
 Eric Van Hensbergen <ericvh@...nel.org>, Latchesar Ionkov <lucho@...kov.net>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Michael Grzeschik <m.grzeschik@...gutronix.de>, stable@...r.kernel.org,
 Yuhao Jiang <danisjiang@...il.com>, security@...nel.org,
 v9fs@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer

On Sunday, June 22, 2025 10:39:29 PM CEST asmadeus@...ewreck.org wrote:
[...]
> (... And this made me realize commit 60ece0833b6c ("net/9p: allocate
> appropriate reduced message buffers") likely broke everything for
> 9p/rdma 3 years ago, as rdma is swapping buffers around...
> I guess it doesn't have (m)any users...)

That patch contains an RDMA exception:

@@ -645,9 +664,18 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
        int sigpending, err;
        unsigned long flags;
        struct p9_req_t *req;
+       /* Passing zero for tsize/rsize to p9_client_prepare_req() tells it to
+        * auto determine an appropriate (small) request/response size
+        * according to actual message data being sent. Currently RDMA
+        * transport is excluded from this response message size optimization,
+        * as it would not cope with it, due to its pooled response buffers
+        * (using an optimized request size for RDMA as well though).
+        */
+       const uint tsize = 0;
+       const uint rsize = c->trans_mod->pooled_rbuffers ? c->msize : 0;
 
        va_start(ap, fmt);
-       req = p9_client_prepare_req(c, type, c->msize, c->msize, fmt, ap);
+       req = p9_client_prepare_req(c, type, tsize, rsize, fmt, ap);
        va_end(ap);
        if (IS_ERR(req))
                return req;

/Christian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ