From nobody Fri Apr 19 06:41:01 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org
Return-Path:
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1502419242436872.2368658952887; Thu, 10 Aug 2017 19:40:42 -0700 (PDT)
Received: from localhost ([::1]:49271 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dfzsP-0007pu-0e for importer@patchew.org; Thu, 10 Aug 2017 22:40:41 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60453) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dfzq0-00067O-23 for qemu-devel@nongnu.org; Thu, 10 Aug 2017 22:38:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dfzpz-00056y-0f for qemu-devel@nongnu.org; Thu, 10 Aug 2017 22:38:12 -0400
Received: from mx1.redhat.com ([209.132.183.28]:42376) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dfzpw-000545-8o; Thu, 10 Aug 2017 22:38:08 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3F67A6016B; Fri, 11 Aug 2017 02:38:07 +0000 (UTC)
Received: from red.redhat.com (ovpn-120-43.rdu2.redhat.com [10.10.120.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id 099C28AD69; Fri, 11 Aug 2017 02:38:05 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 3F67A6016B
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
  dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=eblake@redhat.com
From: Eric Blake
To: qemu-devel@nongnu.org
Date: Thu, 10 Aug 2017 21:37:57 -0500
Message-Id: <20170811023759.26390-2-eblake@redhat.com>
In-Reply-To: <20170811023759.26390-1-eblake@redhat.com>
References: <20170811023759.26390-1-eblake@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Fri, 11 Aug 2017 02:38:07 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH 1/2] nbd: Drop connection if broken server is detected
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Kevin Wolf , Paolo Bonzini , vsementsov@virtuozzo.com, "open list:Network Block Dev..." , Max Reitz
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
X-ZohoMail: RSF_0 Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

As soon as the server is sending us garbage, we should quit trying to
send further messages to the server, and allow all pending coroutines
for any remaining replies to error out. Failure to do so can let a
malicious server cause the client to hang, for example, if the server
sends an invalid magic number in its response.

Reported by: Vladimir Sementsov-Ogievskiy
Signed-off-by: Eric Blake
---
 block/nbd-client.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 25dd28406b..802d50b636 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -68,7 +68,8 @@ static void nbd_teardown_connection(BlockDriverState *bs) static coroutine_fn void nbd_read_reply_entry(void *opaque) { - NBDClientSession *s =3D opaque; + BlockDriverState *bs =3D opaque; + NBDClientSession *s =3D nbd_get_client_session(bs); uint64_t i; int ret; Error *local_err =3D NULL; @@ -107,8 +108,12 @@ static coroutine_fn void nbd_read_reply_entry(void *op= aque) qemu_coroutine_yield(); } + s->reply.handle =3D 0; nbd_recv_coroutines_enter_all(s); s->read_reply_co =3D NULL; + if (ret < 0) { + nbd_teardown_connection(bs); + } } static int nbd_co_send_request(BlockDriverState *bs, 
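Review bot: in the second hunk, nbd_teardown_connection(bs) is only reached when `ret < 0`, yet the commit message says the connection should be dropped as soon as the server sends garbage; whether every way out of the receive loop above leaves ret negative is not visible in this hunk, so either tear down unconditionally once the loop has ended (any exit here means no further replies will be read) or add a comment stating why `ret < 0` already covers every broken-server exit. Two smaller points on the same hunk: the new `s->reply.handle = 0;` ahead of `nbd_recv_coroutines_enter_all(s)` is presumably what makes the woken coroutines see a handle that matches none of their requests and fail, and deserves a one-line comment saying so; and because teardown now runs from inside the reply coroutine right after `s->read_reply_co = NULL`, it is worth confirming that nbd_teardown_connection neither waits on read_reply_co nor drops the channel while this coroutine is still on its stack.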
@@ -416,7 +421,7 @@ int nbd_client_init(BlockDriverState *bs, /* Now that we're connected, set the socket to be non-blocking and * kick the reply mechanism. */ qio_channel_set_blocking(QIO_CHANNEL(sioc), false, NULL); - client->read_reply_co =3D qemu_coroutine_create(nbd_read_reply_entry, = client); + client->read_reply_co =3D qemu_coroutine_create(nbd_read_reply_entry, = bs); nbd_client_attach_aio_context(bs, bdrv_get_aio_context(bs)); logout("Established connection with NBD server\n"); --=20 2.13.4 From nobody Fri Apr 19 06:41:01 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1502419324397268.3437005346135; Thu, 10 Aug 2017 19:42:04 -0700 (PDT) Received: from localhost ([::1]:49366 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dfztj-0000Cx-53 for importer@patchew.org; Thu, 10 Aug 2017 22:42:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60464) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dfzq0-00068F-PB for qemu-devel@nongnu.org; Thu, 10 Aug 2017 22:38:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dfzpz-00057S-Qe for qemu-devel@nongnu.org; Thu, 10 Aug 2017 22:38:12 -0400 Received: from mx1.redhat.com ([209.132.183.28]:35592) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dfzpx-00055U-A1; Thu, 10 Aug 2017 22:38:09 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com 
  [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 301FF1103F2; Fri, 11 Aug 2017 02:38:08 +0000 (UTC)
Received: from red.redhat.com (ovpn-120-43.rdu2.redhat.com [10.10.120.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7869B8AD69; Fri, 11 Aug 2017 02:38:07 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 301FF1103F2
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=eblake@redhat.com
From: Eric Blake
To: qemu-devel@nongnu.org
Date: Thu, 10 Aug 2017 21:37:58 -0500
Message-Id: <20170811023759.26390-3-eblake@redhat.com>
In-Reply-To: <20170811023759.26390-1-eblake@redhat.com>
References: <20170811023759.26390-1-eblake@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Fri, 11 Aug 2017 02:38:08 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH 2/2] HACK: define NBD_SERVER_DEBUG to force malicious server
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: Paolo Bonzini , vsementsov@virtuozzo.com, "open list:Network Block Dev..."
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
X-ZohoMail: RSF_0 Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

---
 nbd/server.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nbd/server.c b/nbd/server.c
index 82a78bf439..d6fbd46370 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -919,6 +919,17 @@ static int nbd_send_reply(QIOChannel *ioc, NBDReply *r= eply, Error **errp) stl_be_p(buf + 4, reply->error); stq_be_p(buf + 8, reply->handle); + static int debug; + static int count; + if (!count++) { + const char *str =3D getenv("NBD_SERVER_DEBUG"); + if (str) { + debug =3D atoi(str); + } + } + if (debug && !(count % debug)) { + buf[0] =3D 0; + } return nbd_write(ioc, buf, sizeof(buf), errp); } --=20 2.13.4
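Review bot: `static int debug; static int count;` are declared after the `stl_be_p`/`stq_be_p` statements in the middle of nbd_send_reply, which QEMU's coding style (and checkpatch) rejects; move them to the top of the function or put the whole injection in its own braced block. The patch also has no commit message at all: since this is a HACK that reads NBD_SERVER_DEBUG from the environment and zeroes the high byte of the reply magic (`buf[0] = 0`) on every debug-th reply, the message should say it is a test aid for the client fix and not for merging, give a usage line (NBD_SERVER_DEBUG=2 corrupts every second reply, =1 every reply including the first), and note that the variable is sampled only on the first reply (`if (!count++)`), so changing it later has no effect. A `/* HACK: */` comment on the block itself would stop it being merged by accident.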
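To show the failure mode these two patches are about in runnable form, the following is an added example, not QEMU's code and not the author's: a toy NBD client that validates the simple-reply magic on the receive side and, on the first malformed or unexpected reply, marks the session dead, fails every pending request with -EIO and refuses new submissions, so no waiter is left hanging. NBD_SIMPLE_REPLY_MAGIC and the 16-byte big-endian reply layout are the NBD protocol's; the session structure, slot-indexed handles and the function names (nbd_submit, nbd_handle_reply, nbd_session_fail, demo) are assumptions made for the example. The constructed garbage reply zeroes the first byte of the magic, which is exactly what the NBD_SERVER_DEBUG hack in patch 2 does on the server side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NBD simple reply on the wire: 4-byte magic, 4-byte error, 8-byte handle,
 * big-endian (protocol constants). The rest is an assumed toy client. */
#define NBD_SIMPLE_REPLY_MAGIC 0x67446698u
#define NBD_REPLY_LEN 16
#define MAX_REQUESTS 16            /* assumed: handle doubles as slot index */

struct nbd_reply { uint32_t magic; uint32_t error; uint64_t handle; };

struct nbd_session {
    bool quit;                     /* peer sent garbage: refuse further I/O */
    bool pending[MAX_REQUESTS];    /* slot has a request in flight */
    int64_t result[MAX_REQUESTS];  /* 0, positive NBD error, or -EIO */
};

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Server-side encoder, used only to build the constructed sample replies. */
static void encode_reply(uint8_t buf[NBD_REPLY_LEN], uint32_t magic,
                         uint32_t error, uint64_t handle)
{
    for (int i = 0; i < 4; i++) {
        buf[i] = (uint8_t)(magic >> (24 - 8 * i));
        buf[4 + i] = (uint8_t)(error >> (24 - 8 * i));
    }
    for (int i = 0; i < 8; i++) {
        buf[8 + i] = (uint8_t)(handle >> (56 - 8 * i));
    }
}

/* Decode a header; -EIO on a bad magic so garbage never looks like a reply. */
static int nbd_parse_reply(const uint8_t buf[NBD_REPLY_LEN], struct nbd_reply *r)
{
    r->magic = load_be32(buf);
    r->error = load_be32(buf + 4);
    r->handle = ((uint64_t)load_be32(buf + 8) << 32) | load_be32(buf + 12);
    return r->magic == NBD_SIMPLE_REPLY_MAGIC ? 0 : -EIO;
}

/* Declare the server broken: no further sends, and every waiter gets -EIO
 * instead of blocking forever on a reply that will never arrive. */
static void nbd_session_fail(struct nbd_session *s)
{
    s->quit = true;
    for (int i = 0; i < MAX_REQUESTS; i++) {
        if (s->pending[i]) {
            s->pending[i] = false;
            s->result[i] = -EIO;
        }
    }
}

/* Send side: once quit is set, new requests fail immediately. */
static int nbd_submit(struct nbd_session *s, uint64_t handle)
{
    if (s->quit || handle >= MAX_REQUESTS || s->pending[handle]) return -EIO;
    s->pending[handle] = true;
    return 0;
}

/* Receive side: a bad magic, or a handle we never issued, means the server is
 * broken, so fail everything rather than keep reading from it. */
static int nbd_handle_reply(struct nbd_session *s, const uint8_t buf[NBD_REPLY_LEN])
{
    struct nbd_reply r;
    if (s->quit) return -EIO;
    if (nbd_parse_reply(buf, &r) < 0 ||
        r.handle >= MAX_REQUESTS || !s->pending[r.handle]) {
        nbd_session_fail(s);
        return -EIO;
    }
    s->pending[r.handle] = false;
    s->result[r.handle] = r.error;
    return 0;
}

/* Constructed scenario: one good reply, then one whose first magic byte is
 * zeroed, as the NBD_SERVER_DEBUG hack does. Returns the status of a submit
 * attempted after the garbage arrived. */
static int demo(struct nbd_session *s)
{
    uint8_t wire[NBD_REPLY_LEN];
    memset(s, 0, sizeof(*s));
    nbd_submit(s, 3);
    nbd_submit(s, 5);
    encode_reply(wire, NBD_SIMPLE_REPLY_MAGIC, 0, 3);
    nbd_handle_reply(s, wire);   /* handle 3 completes normally */
    encode_reply(wire, NBD_SIMPLE_REPLY_MAGIC, 0, 5);
    wire[0] = 0;                 /* magic is now 0x00446698: garbage */
    nbd_handle_reply(s, wire);   /* session dies, handle 5 gets -EIO */
    return nbd_submit(s, 7);     /* -EIO: nothing more goes to the server */
}

int main(void)
{
    struct nbd_session s;
    printf("later submit: %d\n", demo(&s));
    printf("quit=%d result[3]=%lld result[5]=%lld\n", (int)s.quit,
           (long long)s.result[3], (long long)s.result[5]);
    return 0;
}
```

Build with `cc -Wall` on the file (any name) and run it. The part worth copying is the ordering in nbd_handle_reply: the quit flag is set and every waiter is failed before the function returns, so a request submitted afterwards is rejected at the send side instead of being queued behind a reply that will never come.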