From: Eric Blake <eblake@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
Max Reitz <mreitz@redhat.com>,
"qemu-block@nongnu.org" <qemu-block@nongnu.org>
Cc: "kwolf@redhat.com" <kwolf@redhat.com>,
"jsnow@redhat.com" <jsnow@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
Denis Lunev <den@virtuozzo.com>
Subject: Re: [PATCH v3 05/10] block/dirty-bitmap: switch _next_dirty_area and _next_zero to int64_t
Date: Mon, 20 Jan 2020 13:56:23 -0600
Message-ID: <a9d1c3a2-5121-75dd-3682-3c02a510b494@redhat.com>
In-Reply-To: <c2f78255-c001-01a3-487a-f7cf224f86f8@virtuozzo.com>
On 1/20/20 6:28 AM, Vladimir Sementsov-Ogievskiy wrote:
>> As far as I can see, NBD just passes NBDRequest.from (which is a
>> uint64_t) to this function (on NBD_CMD_BLOCK_STATUS). Would this allow
>> a malicious client to send a value > INT64_MAX, thus provoking an
>> overflow and killing the server with this new assertion?
>
> in nbd_co_receive_request() we have
>
> if (request->from > client->exp->size ||
>     request->len > client->exp->size - request->from) {
>
> So, we check that from is <= exp->size, and exp->size can't be greater than INT64_MAX,
> as it is derived from bdrv_getlength, which returns int64_t.
>
> Interesting, should we be more strict in the server?
I think we're okay based on the existing bounds checks.
>
> --- a/nbd/server.c
> +++ b/nbd/server.c
> @@ -2178,7 +2178,7 @@ static int nbd_co_receive_request(NBDRequestData *req, NBDRequest *request,
> error_setg(errp, "Export is read-only");
> return -EROFS;
> }
> - if (request->from > client->exp->size ||
> + if (request->from >= client->exp->size ||
> request->len > client->exp->size - request->from) {
> error_setg(errp, "operation past EOF; From: %" PRIu64 ", Len: %" PRIu32
> ", Size: %" PRIu64, request->from, request->len,
>
> Or is it intentional? Looking through NBD spec I found only
>
> client MUST NOT use a length ... or which, when added to offset, would exceed the export size.
>
> So, formally pair offset=<export size>, len=0 is valid...
Except that the spec also says that len=0 is generally unspecified
behavior (whether it is a no-op, or means special handling, or whatever
else, is up to the server, but clients shouldn't be sending it - thus a
server that rejects it instead of handling it as a no-op is no worse for
the wear).
>
>>
>> On second thought, we have this problem already everywhere in
>> nbd_handle_request(). I don’t see it or its caller ever checking
>> whether the received values are in bounds, it just passes them to all
>> kind of block layer functions that sometimes even just accept plain
>> ints. Well, I suppose all other functions just error out, so it
>> probably isn’t an actual problem in practice so far...
>>
>> Max
>>
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
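Added example, not code from the QEMU tree: a stand-alone illustration of the bounds check discussed above. It shows why the subtraction form used in nbd_co_receive_request() is overflow-safe where a naive `from + len` comparison wraps on a client-chosen offset, models both the `>` and `>=` variants from the quoted hunk, and checks the property Eric relies on (an offset bounded by an int64_t-derived export size fits int64_t). Function names and the 1 GiB export size are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form: adds first. With a client-chosen 'from' near UINT64_MAX the
 * sum wraps, so a request far past EOF is accepted. */
static bool naive_in_bounds(uint64_t from, uint32_t len, uint64_t export_size)
{
    return from + len <= export_size;   /* uint64_t wraparound possible */
}

/* Overflow-safe form in the shape of nbd_co_receive_request(): bound 'from'
 * first, then compare 'len' with the remaining space, so nothing is added.
 * 'strict' selects the '>=' variant from the quoted hunk, which additionally
 * rejects a zero-length request that starts exactly at EOF. */
static bool safe_in_bounds(uint64_t from, uint32_t len, uint64_t export_size,
                           bool strict)
{
    if (strict ? from >= export_size : from > export_size) {
        return false;
    }
    return len <= export_size - from;   /* export_size - from cannot underflow */
}

/* Once 'from' has passed safe_in_bounds() against an export size that came
 * from an int64_t (as bdrv_getlength() returns), it also fits an int64_t,
 * which is what an int64_t bitmap API needs before asserting on its input. */
static bool fits_int64(uint64_t from, int64_t export_size)
{
    return export_size >= 0 && from <= (uint64_t)export_size
           && from <= (uint64_t)INT64_MAX;
}

int main(void)
{
    const uint64_t size = 1ULL << 30;            /* constructed 1 GiB export */
    const uint64_t wrap_from = UINT64_MAX - 4;   /* wrap_from + 16 wraps to 11 */

    printf("wrapping request: naive=%d safe=%d\n",
           naive_in_bounds(wrap_from, 16, size),
           safe_in_bounds(wrap_from, 16, size, false));
    printf("len=0 at EOF:     '>'=%d '>='=%d\n",
           safe_in_bounds(size, 0, size, false),
           safe_in_bounds(size, 0, size, true));
    printf("last 512 bytes:   safe=%d fits_int64=%d\n",
           safe_in_bounds(size - 512, 512, size, false),
           fits_int64(size - 512, (int64_t)size));
    return 0;
}
```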