| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251028200755.GJ6174@frogsfrogsfrogs>
Date: Tue, 28 Oct 2025 13:07:55 -0700
From: "Darrick J. Wong" <djwong@...nel.org>
To: Brajesh Patil <brajeshpatil11@...il.com>
Cc: miklos@...redi.hu, stefanha@...hat.com, vgoyal@...hat.com,
eperezma@...hat.com, virtualization@...ts.linux.dev,
virtio-fs@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
linux-kernel-mentees@...ts.linux.dev, david.hunter.linux@...il.com,
khalid@...nel.org
Subject: Re: [PATCH] fuse: virtio_fs: add checks for FUSE protocol compliance
On Wed, Oct 29, 2025 at 01:33:11AM +0530, Brajesh Patil wrote:
> Add validation in virtio-fs to ensure the server follows the FUSE
> protocol for response headers, addressing the existing TODO for
> verifying protocol compliance.
>
> Add checks for fuse_out_header to verify:
> - oh->unique matches req->in.h.unique
> - FUSE_INT_REQ_BIT is not set
> - error codes are valid
> - oh->len does not exceed the expected size
>
> Signed-off-by: Brajesh Patil <brajeshpatil11@...il.com>
> ---
> fs/fuse/virtio_fs.c | 30 +++++++++++++++++++++++++-----
> 1 file changed, 25 insertions(+), 5 deletions(-)
>
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index 6bc7c97b017d..52e8338bf436 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -764,14 +764,34 @@ static void virtio_fs_request_complete(struct fuse_req *req,
> {
> struct fuse_args *args;
> struct fuse_args_pages *ap;
> - unsigned int len, i, thislen;
> + struct fuse_out_header *oh;
> + unsigned int len, i, thislen, expected_len = 0;
> struct folio *folio;
>
> - /*
> - * TODO verify that server properly follows FUSE protocol
> - * (oh.uniq, oh.len)
> - */
> + oh = &req->out.h;
> +
> + if (oh->unique == 0)
> + pr_warn_once("notify through fuse-virtio-fs not supported");
> +
> + if ((oh->unique & ~FUSE_INT_REQ_BIT) != req->in.h.unique)
> + pr_warn_ratelimited("virtio-fs: unique mismatch, expected: %llu got %llu\n",
> + req->in.h.unique, oh->unique & ~FUSE_INT_REQ_BIT);
Er... shouldn't these be rejecting the response somehow? Instead of
warning that something's amiss but continuing with known bad data?
--D
> +
> + WARN_ON_ONCE(oh->unique & FUSE_INT_REQ_BIT);
> +
> + if (oh->error <= -ERESTARTSYS || oh->error > 0)
> + pr_warn_ratelimited("virtio-fs: invalid error code from server: %d\n",
> + oh->error);
> +
> args = req->args;
> +
> + for (i = 0; i < args->out_numargs; i++)
> + expected_len += args->out_args[i].size;
> +
> + if (oh->len > sizeof(*oh) + expected_len)
> + pr_warn("FUSE reply too long! got=%u expected<=%u\n",
> + oh->len, (unsigned int)(sizeof(*oh) + expected_len));
> +
> copy_args_from_argbuf(args, req);
>
> if (args->out_pages && args->page_zeroing) {
> --
> 2.43.0
>
>
Powered by blists - more mailing lists