while 'h' is packed and can be assumed to match the request payload,
req->rc is a struct p9_fcall which is not packed and that memcpy
could be wrong.
Fix this by copying each field individually instead.
Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Suggested-by: Stefano Stabellini <sstabellini@kernel.org>
Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
---
Follow up from the previous xen patch's review.
This isn't an immediate fix so I don't think this one should be rushed
in with the rest of the overflow fixes -- I'll let this sit a bit in
-next after reviews.
net/9p/trans_xen.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 4665215bc98b..e8e3f54a837e 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)
goto recv_error;
}
- memcpy(&req->rc, &h, sizeof(h));
+ req->rc.size = h.size;
+ req->rc.id = h.id;
+ req->rc.tag = h.tag;
req->rc.offset = 0;
masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));
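Review bot: the three assignments that replace the memcpy deserve a comment in the code saying why field-by-field copying is required here, since nothing in the hunk stops a later cleanup from folding `req->rc.size = h.size;` / `req->rc.id = h.id;` / `req->rc.tag = h.tag;` back into `memcpy(&req->rc, &h, sizeof(h))`; the reason (h is packed, struct p9_fcall is not) currently lives only in the commit message. A one-liner above the first assignment, e.g. `/* h is packed, struct p9_fcall is not: copy fields, do not memcpy */`, would keep the intent next to the code.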
--
2.35.1
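To make the layout problem the commit message describes concrete, here is an added example that is not part of the patch or the kernel tree: it models a packed header like 'h' and an unpacked struct like p9_fcall sharing the three fields the patch copies (struct names, field widths and sample values are assumptions, not the kernel's definitions), and compares the old memcpy with the field-by-field copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed shapes (not the kernel's definitions): a packed header like 'h' and an unpacked struct like p9_fcall. */
struct wire_header {
	uint32_t size;
	uint8_t  id;
	uint16_t tag;      /* packed: byte offset 5, struct is 7 bytes */
} __attribute__((packed));

struct fcall {
	uint32_t size;
	uint8_t  id;
	uint16_t tag;      /* naturally aligned: byte offset 6, padding at byte 5 */
	size_t   offset;
};

/* 'Before': memcpy the packed header over the unpacked struct. */
static void copy_with_memcpy(struct fcall *rc, const struct wire_header *h)
{
	memcpy(rc, h, sizeof(*h));
	rc->offset = 0;
}

/* 'After', as the patch does: copy each field individually. */
static void copy_fieldwise(struct fcall *rc, const struct wire_header *h)
{
	rc->size = h->size;
	rc->id = h->id;
	rc->tag = h->tag;
	rc->offset = 0;
}

/* Run one strategy on a constructed header; the target is pre-filled with 0xAA so bytes left unwritten show up. */
static bool header_preserved(void (*copy)(struct fcall *, const struct wire_header *))
{
	const struct wire_header h = { .size = 0x1234, .id = 101, .tag = 0xBEEF };
	struct fcall rc;
	memset(&rc, 0xAA, sizeof(rc));
	copy(&rc, &h);
	return rc.size == h.size && rc.id == h.id && rc.tag == h.tag;
}

int main(void)
{
	printf("memcpy preserves header: %d\n", header_preserved(copy_with_memcpy));
	printf("fieldwise preserves header: %d\n", header_preserved(copy_fieldwise));
	return 0;
}
```

With the memcpy, the byte that should become the low half of tag lands in the padding at offset 5 and the high half of the stale 0xAA fill survives, so tag is corrupted while size and id happen to be right.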
On Tuesday, November 22, 2022 1:10:25 AM CET Dominique Martinet wrote:
> while 'h' is packed and can be assumed to match the request payload,
> req->rc is a struct p9_fcall which is not packed and that memcpy
> could be wrong.
>
> Fix this by copying each field individually instead.
>
> Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com>
> Suggested-by: Stefano Stabellini <sstabellini@kernel.org>
> Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop
> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
> ---

Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>

> Follow up from the previous xen patch's review.
>
> This isn't an immediate fix so I don't think this one should be rushed
> in with the rest of the overflow fixes -- I'll let this sit a bit in
> -next after reviews.
>
> net/9p/trans_xen.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> index 4665215bc98b..e8e3f54a837e 100644
> --- a/net/9p/trans_xen.c
> +++ b/net/9p/trans_xen.c
> @@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)
> goto recv_error;
> }
>
> - memcpy(&req->rc, &h, sizeof(h));
> + req->rc.size = h.size;
> + req->rc.id = h.id;
> + req->rc.tag = h.tag;
> req->rc.offset = 0;
>
> masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));
On Tue, 22 Nov 2022, Dominique Martinet wrote:
> while 'h' is packed and can be assumed to match the request payload,
> req->rc is a struct p9_fcall which is not packed and that memcpy
> could be wrong.
>
> Fix this by copying each field individually instead.
>
> Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com>
> Suggested-by: Stefano Stabellini <sstabellini@kernel.org>
> Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop
> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

> ---
> Follow up from the previous xen patch's review.
>
> This isn't an immediate fix so I don't think this one should be rushed
> in with the rest of the overflow fixes -- I'll let this sit a bit in
> -next after reviews.
>
> net/9p/trans_xen.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> index 4665215bc98b..e8e3f54a837e 100644
> --- a/net/9p/trans_xen.c
> +++ b/net/9p/trans_xen.c
> @@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)
> goto recv_error;
> }
>
> - memcpy(&req->rc, &h, sizeof(h));
> + req->rc.size = h.size;
> + req->rc.id = h.id;
> + req->rc.tag = h.tag;
> req->rc.offset = 0;
>
> masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));
> --
> 2.35.1