From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTP id BA6A65A004E for ; Thu, 27 Jun 2024 10:21:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1719476502; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0kD2XKyg6XmEZoWzx8HZYlR1IV5GxEVgBlbnoYTNQqo=; b=dVvt9N1tiWWkS7MdyrZA3eQvYbNvmVwgscMnZBUTB20Dz7MmPAwQs4xzHzag0RZZqITlVd vu1aoaZEAusmw9ef1OsZU9oxT7BlQ0t4Q7mwA+7JciGdFxANRZvcor5p4V25IEDDKM04Ga RRG9dNo5imiEJP7W94q/v+fbAhUtoG8= Received: from mail-qv1-f71.google.com (mail-qv1-f71.google.com [209.85.219.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-260-Ej8VCuh_O9yG3ifV-AKAjQ-1; Thu, 27 Jun 2024 04:21:40 -0400 X-MC-Unique: Ej8VCuh_O9yG3ifV-AKAjQ-1 Received: by mail-qv1-f71.google.com with SMTP id 6a1803df08f44-6b077edfd2fso137031366d6.3 for ; Thu, 27 Jun 2024 01:21:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719476500; x=1720081300; h=content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=0kD2XKyg6XmEZoWzx8HZYlR1IV5GxEVgBlbnoYTNQqo=; b=DnGLyEG9H7NvFRocnOjf92GX/s4SUFbJasHHEfYROAKIiaR/HITiTVOJXJB++HrSDs iI5PubAkdi47SkykI++edcWcRP+RY3k6O2Mf05Qwm/Xybvp3zrnm0nw8IrGzNFOWhTDF B5ijCp7oPPtwuLXOSZjTrY2+uVBVFyK1HwObc6sTxrYweFUh5LGOJ1JfftDmR9jS/OMv KAJpdeoi+/GPqHF8wnXAJyZrZijnyA2fFjRC7DHsHSbYjhUKBe/gTjtgqMpdVV1UIv1k MGJ0UA7X6Gj5ktKxnQwuoNcKIXZDFJ7mf1vYRIzG36d/KonoL/6rRKVDlsU/PpV+Awu/ BNxQ== X-Gm-Message-State: AOJu0YxVf/DcYy9ci342dcWA/AReAVd4IL0Zho0TArZsLSsSTiP0Ee1B UtAnXnRkQa6nJGkg5BTjickoCskTE0pV2kkP0tw1jYomxoveszHATbqNjquh5pSZIKcaU1d869G T6zrMGPgYWQn8pjwR3aZlFndkY1ScgsYVskHMFJDqoYtdvlm/wQ== X-Received: by 2002:a05:6214:286:b0:6ad:67d3:af2f with SMTP id 6a1803df08f44-6b54099db58mr132706826d6.13.1719476500095; Thu, 27 Jun 2024 01:21:40 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGEKSAICAktQ7s8JLrV3I1+h3M1kh3rmqjjKOWbgwRcZY4GsXW01p49IqDO5nokYUtAzBcyWQ== X-Received: by 2002:a05:6214:286:b0:6ad:67d3:af2f with SMTP id 6a1803df08f44-6b54099db58mr132706636d6.13.1719476499662; Thu, 27 Jun 2024 01:21:39 -0700 (PDT) Received: from maya.cloud.tilaa.com (maya.cloud.tilaa.com. [164.138.29.33]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6b5927079e1sm3227256d6.129.2024.06.27.01.21.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Jun 2024 01:21:38 -0700 (PDT) Date: Thu, 27 Jun 2024 10:21:04 +0200 From: Stefano Brivio To: David Gibson Subject: Re: [PATCH 4/4] tap: Drop frames from guest whose length is more than remaining buffer Message-ID: <20240627102057.2f452002@elisabeth> In-Reply-To: References: <20240626234536.3306466-1-sbrivio@redhat.com> <20240626234536.3306466-5-sbrivio@redhat.com> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu) MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID-Hash: B76SVSUJTWYLYRYSOHA2HPS77Z5S7NXD X-Message-ID-Hash: B76SVSUJTWYLYRYSOHA2HPS77Z5S7NXD X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Matej Hrica X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu, 27 Jun 2024 11:30:02 +1000 David Gibson wrote: > On Thu, Jun 27, 2024 at 01:45:36AM +0200, Stefano Brivio wrote: > > This was reported by Matej a while ago, but we forgot to fix it. Even > > if the hypervisor is necessarily trusted by passt, as it can in any > > case terminate the guest or disrupt guest connectivity, it's a good > > idea to be robust against possible issues. > > > > Instead of resetting the connection to the hypervisor, just skip the > > offending frame, as we had a few cases where QEMU would get the > > length descriptor wrong, in the past. > > > > Reported-by: Matej Hrica > > Suggested-by: Matej Hrica > > Signed-off-by: Stefano Brivio > > --- > > tap.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/tap.c b/tap.c > > index 7f8c26d..bb993e0 100644 > > --- a/tap.c > > +++ b/tap.c > > @@ -1026,6 +1026,9 @@ redo: > > So.. I just realised there's a different pre-existing problem here, > above what's quoted in the patch we have: > > ssize_t l2len = ntohl(*(uint32_t *)p); > > On a platform where ssize_t is only 32-bits we could get a negative > value here, which would be very bad. We can't, because the length is anyway limited to the maximum IPv4 path MTU in any hypervisor we might be talking to. > So l2len should be a uint32_t, not ssize_t. True, I can also change that while at it. > We do then need to make sure that the comparison between > l2len and n is unsigned - it's safe to cast n to size_t there, because > we've verified it's positive as the loop condition. > > Or... maybe it's simpler. The frame length is encoded as 32-bits, but > we can't meaningfully have frames above 64k (maybe 64k+ETH_HLEN). So > possibly we should just reset the tap connection if we see such a > frame (most likely it means we've somehow gotten out of sync, anyway). I'd rather "fix" type and comparison, for the sake of whatever static checkers might eventually come up with. > > p += sizeof(uint32_t); > > n -= sizeof(uint32_t); > > > > + if (l2len > (ssize_t)TAP_BUF_BYTES - n) > > I hate to discard valid frames from the guest. That won't happen because of how TAP_BUF_FILL and TAP_BUF_BYTES are defined. If this condition is true, the length descriptor actually mismatched. If you have a better proposal, let me know. > > + goto next; > > ..and this is not safe. This skips (l2len > n) check, which means > that the n -= l2len at next could now have a signed overflow, which is > UB. It's safe because of the change from 3/4, which will just return on overflow. In any case, yes, I can add a return directly, it's not very productive to speculate what kind of issues a hypervisor might have, let's just avoid crashing in case. > > + > > /* At most one packet might not fit in a single read, and this > > * needs to be blocking. > > */ > -- Stefano