lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <YtHozaPd8UV4fRX8@codewreck.org> Date: Sat, 16 Jul 2022 07:23:09 +0900 From: Dominique Martinet <asmadeus@...ewreck.org> To: Tyler Hicks <tyhicks@...ux.microsoft.com> Cc: Eric Van Hensbergen <ericvh@...il.com>, Latchesar Ionkov <lucho@...kov.net>, Christian Schoenebeck <linux_oss@...debyte.com>, Christophe JAILLET <christophe.jaillet@...adoo.fr>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] net/9p: Initialize the iounit field during fid creation Tyler Hicks wrote on Sun, Jul 10, 2022 at 09:14:02AM -0500: > Ensure that the fid's iounit field is set to zero when a new fid is > created. Certain 9P operations, such as OPEN and CREATE, allow the > server to reply with an iounit size which the client code assigns to the > p9_fid struct shortly after the fid is created by p9_fid_create(). On > the other hand, an XATTRWALK operation doesn't allow for the server to > specify an iounit value. The iounit field of the newly allocated p9_fid > struct remained uninitialized in that case. Depending on allocation > patterns, the iounit value could have been something reasonable that was > carried over from previously freed fids or, in the worst case, could > have been arbitrary values from non-fid related usages of the memory > location. > > The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel > after the uninitialized iounit field resulted in the typical sequence of > two getxattr(2) syscalls, one to get the size of an xattr and another > after allocating a sufficiently sized buffer to fit the xattr value, to > hit an unexpected ERANGE error in the second call to getxattr(2). An > uninitialized iounit field would sometimes force rsize to be smaller > than the xattr value size in p9_client_read_once() and the 9P server in > WSL refused to chunk up the READ on the attr_fid and, instead, returned > ERANGE to the client. The virtfs server in QEMU seems happy to chunk up > the READ and this problem goes undetected there. > > Fixes: ebf46264a004 ("fs/9p: Add support user. xattr") > Cc: stable@...r.kernel.org > Signed-off-by: Tyler Hicks <tyhicks@...ux.microsoft.com> Thanks for the v2, looks good to me and tested quickly so I've queued it up. (and thanks all the fixes lately and for the reminder, too many patches lately I thought I had already taken it... Feel free to send 'pings' on the list) Since the next merge window is close (probably starts next week-ish) I won't bother with a separate PR for 5.19; it's been 12 years it can wait another week. -- Dominique
Powered by blists - more mailing lists