
Re: [PATCH 1/6] tools/libxs: Fix length check in xs_talkv()


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Fri, 19 Jul 2024 17:14:51 -0400
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>
  • Delivery-date: Fri, 19 Jul 2024 21:15:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2024-07-18 12:48, Andrew Cooper wrote:
If the sum of iov element lengths overflows, the XENSTORE_PAYLOAD_MAX can
pass, after which we'll write 4G of data with a good-looking length field, and
the remainder of the payload will be interpreted as subsequent commands.

Check each iov element length for XENSTORE_PAYLOAD_MAX before accumulating it.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
CC: Juergen Gross <jgross@xxxxxxxx>
---
  tools/libs/store/xs.c | 17 ++++++++++-------
  1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/tools/libs/store/xs.c b/tools/libs/store/xs.c
index ec77379ab9bd..81a790cfe60f 100644
--- a/tools/libs/store/xs.c
+++ b/tools/libs/store/xs.c
@@ -571,21 +571,24 @@ static void *xs_talkv(struct xs_handle *h, 
xs_transaction_t t,
        struct xsd_sockmsg msg;
        void *ret = NULL;
        int saved_errno;
-       unsigned int i;
+       unsigned int i, msg_len;
        struct sigaction ignorepipe, oldact;
msg.tx_id = t;
        msg.req_id = 0;
        msg.type = type;
-       msg.len = 0;
-       for (i = 0; i < num_vecs; i++)
-               msg.len += iovec[i].iov_len;
- if (msg.len > XENSTORE_PAYLOAD_MAX) {
-               errno = E2BIG;
-               return 0;
+       /* Calculate the payload length by summing iovec elements */
+       for (i = 0, msg_len = 0; i < num_vecs; i++) {
+               if ((iovec[i].iov_len > XENSTORE_PAYLOAD_MAX) ||
+                   ((msg_len += iovec[i].iov_len) > XENSTORE_PAYLOAD_MAX)) {
+                       errno = E2BIG;
+                       return 0;
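Review bot: the operand order in `(iovec[i].iov_len > XENSTORE_PAYLOAD_MAX) || ((msg_len += iovec[i].iov_len) > XENSTORE_PAYLOAD_MAX)` is load-bearing and deserves a comment: only because the first test runs first (short-circuit) is the narrowing `size_t` to `unsigned int` add guaranteed not to truncate or wrap, since by then iov_len is at most XENSTORE_PAYLOAD_MAX. A side-effecting `+=` inside a comparison is easy to misread; consider splitting it into a bounds check on iov_len, then `msg_len += iovec[i].iov_len;`, then the check on msg_len. Two smaller points: `return 0;` in a function returning `void *` should be `return NULL;`, and since the old `msg.len = 0;` / `msg.len +=` lines are removed and the hunk as shown on this page ends at `return 0;`, the assignment that copies msg_len into msg.len is not visible here and should be confirmed to follow the loop.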

return NULL;

With that,
Reviewed-by: Jason Andryuk <jason.andryuk@xxxxxxx>
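The wrap the commit message describes, and the effect of the per-element check, shown as an added example. This is illustration code written for this page, not libxenstore's xs_talkv(): it models only the length computation, represents the 32-bit `len` field of `struct xsd_sockmsg` as a `uint32_t`, uses a constructed pair of iovecs whose `iov_base` pointers are never dereferenced, and returns the accepted header length or -1 (with errno set to E2BIG) instead of the real function's pointer return.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Xenstore's wire payload limit (4 KiB), the same value as XENSTORE_PAYLOAD_MAX
 * in xs_wire.h; redefined here so the example builds stand-alone. */
#define XENSTORE_PAYLOAD_MAX 4096

/*
 * Pre-patch shape: accumulate every iov_len into the 32-bit length field,
 * compare afterwards.  Each "+=" narrows size_t to uint32_t, so a sum of
 * 2^32 + 16 lands on the wire as 16.
 * Returns the header length on acceptance, -1 with errno = E2BIG on rejection.
 */
static int64_t payload_len_old(const struct iovec *iov, unsigned int num_vecs)
{
    uint32_t msg_len = 0;
    unsigned int i;

    for (i = 0; i < num_vecs; i++)
        msg_len += iov[i].iov_len;          /* silent truncation */

    if (msg_len > XENSTORE_PAYLOAD_MAX) {
        errno = E2BIG;
        return -1;
    }
    return msg_len;
}

/*
 * Post-patch shape: reject any single element above the limit before adding
 * it.  Because the first comparison short-circuits, the add only ever sees
 * iov_len <= XENSTORE_PAYLOAD_MAX and the running sum stays below
 * 2 * XENSTORE_PAYLOAD_MAX, so it can neither truncate nor wrap.
 */
static int64_t payload_len_new(const struct iovec *iov, unsigned int num_vecs)
{
    uint32_t msg_len = 0;
    unsigned int i;

    for (i = 0; i < num_vecs; i++) {
        if (iov[i].iov_len > XENSTORE_PAYLOAD_MAX ||
            (msg_len += iov[i].iov_len) > XENSTORE_PAYLOAD_MAX) {
            errno = E2BIG;
            return -1;
        }
    }
    return msg_len;
}

/* Bytes writev() would actually push onto the socket for the same iovecs. */
static uint64_t real_payload_bytes(const struct iovec *iov, unsigned int num_vecs)
{
    uint64_t total = 0;
    unsigned int i;

    for (i = 0; i < num_vecs; i++)
        total += iov[i].iov_len;
    return total;
}

/* Constructed input: two lengths summing to 2^32 + 16.  Base pointers are
 * placeholders and are never read; only the lengths drive the computation. */
static const struct iovec overflow_iov[2] = {
    { .iov_base = NULL, .iov_len = (size_t)0xFFFFFFF0u },
    { .iov_base = NULL, .iov_len = 0x20 },
};

/* Constructed input: an ordinary path + value pair both versions accept. */
static const struct iovec ok_iov[2] = {
    { .iov_base = "domain/0/name", .iov_len = 14 },   /* path including NUL */
    { .iov_base = "value",         .iov_len = 6 },    /* value including NUL */
};

int main(void)
{
    int64_t len;

    len = payload_len_old(overflow_iov, 2);
    printf("old: header len %lld, bytes actually sent %llu\n",
           (long long)len, (unsigned long long)real_payload_bytes(overflow_iov, 2));

    len = payload_len_new(overflow_iov, 2);
    printf("new: result %lld, errno %d (E2BIG is %d)\n",
           (long long)len, len < 0 ? errno : 0, E2BIG);

    printf("new: legitimate request accepted with len %lld\n",
           (long long)payload_len_new(ok_iov, 2));
    return 0;
}
```

The old path reports a 16-byte payload in the header while the iovecs carry 4 GiB plus 16 bytes, which is exactly the condition under which the peer parses the excess as further commands; the new path rejects the request at the first oversized element without ever performing the narrowing add.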
