From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Michael Tokarev, Daniel P. Berrangé, qemu-stable@nongnu.org, Peter Maydell
Subject: [PATCH v3] qemu-sockets: fix unix socket path copy (again)
Date: Wed, 1 Sep 2021 16:16:24 +0300
Message-Id: <20210901131624.46171-1-mjt@msgid.tls.msk.ru>

Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an assert which ensures the path within an address of a unix socket returned from the kernel is at least one byte and does not exceed the sun_path buffer. Both of these constraints are wrong:

A unix socket can be unnamed; in this case the path is completely empty (not even \0).

And some implementations (notably Linux) can add an extra trailing byte (\0) _after_ the sun_path buffer if we passed a buffer larger than it (and we do).

So remove the assertion (since it causes real-life breakage) but at the same time fix the usage of sun_path.

Namely, we should not access sun_path[0] if the kernel did not return it at all (this is the case for unnamed sockets), and use the returned salen when copying the actual path as an upper constraint for the amount of bytes to copy - this will ensure we won't exceed the information provided by the kernel, regardless of whether there is a trailing \0 or not. This also helps with unnamed sockets.

Note the case of an abstract socket: the sun_path is actually a blob and can contain \0 characters - it should not be passed to g_strndup and the like, it should be accessed by memcpy-like functions.

Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f
Fixes: http://bugs.debian.org/993145
Signed-off-by: Michael Tokarev
CC: qemu-stable@nongnu.org
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
---
 util/qemu-sockets.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index f2f3676d1f..c5043999e9 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -1345,25 +1345,22 @@ socket_sockaddr_to_address_unix(struct sockaddr_sto= rage *sa, SocketAddress *addr; struct sockaddr_un *su =3D (struct sockaddr_un *)sa; =20 - assert(salen >=3D sizeof(su->sun_family) + 1 && - salen <=3D sizeof(struct sockaddr_un)); - addr =3D g_new0(SocketAddress, 1); addr->type =3D SOCKET_ADDRESS_TYPE_UNIX; + salen -=3D offsetof(struct sockaddr_un, sun_path); #ifdef CONFIG_LINUX - if (!su->sun_path[0]) { + if (salen > 0 && !su->sun_path[0]) { /* Linux abstract socket */ - addr->u.q_unix.path =3D g_strndup(su->sun_path + 1, - salen - sizeof(su->sun_family) - 1= ); + addr->u.q_unix.path =3D g_strndup(su->sun_path + 1, salen - 1); addr->u.q_unix.has_abstract =3D true; addr->u.q_unix.abstract =3D true; addr->u.q_unix.has_tight =3D true; - addr->u.q_unix.tight =3D salen < sizeof(*su); + addr->u.q_unix.tight =3D salen < sizeof(su->sun_path); return addr; } #endif =20 - addr->u.q_unix.path =3D g_strndup(su->sun_path, sizeof(su->sun_path)); + addr->u.q_unix.path =3D g_strndup(su->sun_path, salen); return addr; } #endif /* WIN32 */ --=20 2.30.2
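Review bot: the removed assert also dropped the lower bound on salen, and the new `salen -= offsetof(struct sockaddr_un, sun_path);` near the top of the hunk runs unconditionally; if a caller ever passes a salen smaller than that offset, the subtraction wraps (for an unsigned socklen_t) or goes negative, and the final `g_strndup(su->sun_path, salen)` would read far past the address. Suggest keeping a minimal check before the subtraction, e.g. `assert(salen >= offsetof(struct sockaddr_un, sun_path));`, or returning NULL on a short salen. Separately, the commit message says an abstract sun_path is a blob that may contain \0 and should not go through g_strndup, yet the abstract branch still uses `g_strndup(su->sun_path + 1, salen - 1)`, which truncates at the first \0; a comment marking that as a known follow-up would keep the next reader from taking the truncation for intended behaviour.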
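The salen-bounded handling of unnamed, abstract and pathname addresses that the commit message describes, written out as an added C example (not QEMU's code): unix_addr_path and the unix_kind enum are hypothetical names, the input is whatever getsockname()/getpeername() filled in, and the sample addresses are constructed for the check.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical classification of a unix socket address (added example). */
enum unix_kind { UNIX_INVALID, UNIX_UNNAMED, UNIX_ABSTRACT, UNIX_PATHNAME };

/*
 * Copy the path part of the address the kernel returned in (sa, salen)
 * into out (cap bytes) and report its kind; *len receives the byte count.
 * salen, not sizeof(sun_path) or a NUL terminator, bounds what is read:
 * an unnamed socket has no path bytes at all, an abstract name is a blob
 * that may contain \0 and is memcpy'd as-is, and a pathname stops at its
 * first NUL within the salen bound (Linux may report one extra trailing
 * \0 past the end of sun_path, which the clamp below ignores).
 */
enum unix_kind unix_addr_path(const struct sockaddr_storage *sa, socklen_t salen,
                              char *out, size_t cap, size_t *len)
{
    const struct sockaddr_un *su = (const struct sockaddr_un *)sa;
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    size_t n;

    *len = 0;
    /* Keep the lower bound: we must at least have been given sun_family. */
    if (salen < hdr || salen > sizeof(*sa) || su->sun_family != AF_UNIX)
        return UNIX_INVALID;
    n = salen - hdr;                 /* bytes of sun_path the kernel filled */
    if (n == 0)
        return UNIX_UNNAMED;         /* unnamed: do not touch sun_path[0] */
    if (n > sizeof(su->sun_path))
        n = sizeof(su->sun_path);    /* trailing \0 reported past sun_path */
    if (su->sun_path[0] == '\0') {   /* Linux abstract namespace */
        n -= 1;                      /* drop the leading \0 marker */
        if (n > cap)
            return UNIX_INVALID;
        memcpy(out, su->sun_path + 1, n);
        *len = n;
        return UNIX_ABSTRACT;
    }
    n = strnlen(su->sun_path, n);    /* pathname: NUL may be absent */
    if (n >= cap)
        return UNIX_INVALID;
    memcpy(out, su->sun_path, n);
    out[n] = '\0';
    *len = n;
    return UNIX_PATHNAME;
}
```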