Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer

From: asmadeus
Date: Sun Jun 22 2025 - 16:39:59 EST


Kees Cook wrote on Sun, Jun 22, 2025 at 01:02:20PM -0700:
> >- p9_rx_req->rc.size = req->actual;
> >+ memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
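Review bot: the memcpy on the `+` line copies req_size bytes into rc.sdata, but nothing in the quoted hunk shows req_size being bounded by rc.capacity; since this patch is titled as an overflow fix, that clamp (derived from the buffer's allocated size rather than the device-reported req->actual) belongs visibly next to the copy, or at least in the same hunk. The removed `rc.size = req->actual;` also means rc.size must still be assigned from the same bounded length somewhere in the receive path.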
>
> Is rc.sdata always rc.capacity sized? If so, this would be a good first adopter of the __counted_by annotation for pointer struct members, available in Clang trunk and soon in GCC:
> https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683696.html

I think so; I'll add the annotation in another patch when time allows
(and try to revert this commit to check it works, even if I have no
reason to believe it wouldn't catch this).

(... And this made me realize commit 60ece0833b6c ("net/9p: allocate
appropriate reduced message buffers") likely broke everything for
9p/rdma 3 years ago, as rdma is swapping buffers around...
I guess it doesn't have (m)any users...)

--
Dominique Martinet | Asmadeus
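The two points raised above, a length check on the copy into rc.sdata and a __counted_by annotation tying sdata to rc.capacity, shown together in a small added example that is not code from the patch or from the kernel's 9p code. The struct and function names (fcall, usb_req, fcall_copy_from_req, demo_bounded_copy) are hypothetical stand-ins, and the __counted_by macro is only active when built with -DUSE_COUNTED_BY on a compiler that supports the attribute on pointer members.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Build with -DUSE_COUNTED_BY on a compiler that accepts __counted_by on
 * pointer members (Clang trunk, upcoming GCC); elsewhere the annotation
 * expands to nothing and only the explicit runtime check protects sdata. */
#ifdef USE_COUNTED_BY
#define __counted_by(member) __attribute__((counted_by(member)))
#else
#define __counted_by(member)
#endif

/* Hypothetical stand-in for the kernel's p9_fcall receive buffer (rc). */
struct fcall {
	size_t size;     /* bytes actually received */
	size_t capacity; /* allocated length of sdata */
	uint8_t *sdata __counted_by(capacity);
};

/* Hypothetical completed USB request; req->actual is device-controlled. */
struct usb_req {
	const uint8_t *buf;
	size_t actual;
};

/* Copy a completed request into rc, refusing lengths beyond rc->capacity.
 * Returns 0 on success, -EMSGSIZE if the device reported too many bytes. */
int fcall_copy_from_req(struct fcall *rc, const struct usb_req *req)
{
	if (req->actual > rc->capacity)
		return -EMSGSIZE;
	memcpy(rc->sdata, req->buf, req->actual);
	rc->size = req->actual;
	return 0;
}

/* Constructed check: 16-byte rc fed a 10-byte, then a 32-byte completion. */
int demo_bounded_copy(void)
{
	uint8_t storage[16] = {0}, payload[32];
	struct fcall rc = { .size = 0, .capacity = sizeof(storage), .sdata = storage };
	struct usb_req ok = { .buf = payload, .actual = 10 };
	struct usb_req oversized = { .buf = payload, .actual = sizeof(payload) };

	memset(payload, 0xA5, sizeof(payload));
	if (fcall_copy_from_req(&rc, &ok) != 0 || rc.size != 10 || rc.sdata[9] != 0xA5)
		return 1; /* in-bounds copy must succeed and record the length */
	if (fcall_copy_from_req(&rc, &oversized) != -EMSGSIZE || rc.size != 10)
		return 2; /* oversized completion must be rejected, rc untouched */
	return 0;
}
```

With -DUSE_COUNTED_BY the compiler can additionally instrument accesses to sdata against capacity, which is the check a reverted fix would be expected to trip.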