From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTP id BA6A65A004E
	for <passt-dev@passt.top>; Thu, 27 Jun 2024 10:21:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1719476502;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=0kD2XKyg6XmEZoWzx8HZYlR1IV5GxEVgBlbnoYTNQqo=;
	b=dVvt9N1tiWWkS7MdyrZA3eQvYbNvmVwgscMnZBUTB20Dz7MmPAwQs4xzHzag0RZZqITlVd
	vu1aoaZEAusmw9ef1OsZU9oxT7BlQ0t4Q7mwA+7JciGdFxANRZvcor5p4V25IEDDKM04Ga
	RRG9dNo5imiEJP7W94q/v+fbAhUtoG8=
Received: from mail-qv1-f71.google.com (mail-qv1-f71.google.com
 [209.85.219.71]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-260-Ej8VCuh_O9yG3ifV-AKAjQ-1; Thu, 27 Jun 2024 04:21:40 -0400
X-MC-Unique: Ej8VCuh_O9yG3ifV-AKAjQ-1
Received: by mail-qv1-f71.google.com with SMTP id 6a1803df08f44-6b077edfd2fso137031366d6.3
        for <passt-dev@passt.top>; Thu, 27 Jun 2024 01:21:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1719476500; x=1720081300;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=0kD2XKyg6XmEZoWzx8HZYlR1IV5GxEVgBlbnoYTNQqo=;
        b=DnGLyEG9H7NvFRocnOjf92GX/s4SUFbJasHHEfYROAKIiaR/HITiTVOJXJB++HrSDs
         iI5PubAkdi47SkykI++edcWcRP+RY3k6O2Mf05Qwm/Xybvp3zrnm0nw8IrGzNFOWhTDF
         B5ijCp7oPPtwuLXOSZjTrY2+uVBVFyK1HwObc6sTxrYweFUh5LGOJ1JfftDmR9jS/OMv
         KAJpdeoi+/GPqHF8wnXAJyZrZijnyA2fFjRC7DHsHSbYjhUKBe/gTjtgqMpdVV1UIv1k
         MGJ0UA7X6Gj5ktKxnQwuoNcKIXZDFJ7mf1vYRIzG36d/KonoL/6rRKVDlsU/PpV+Awu/
         BNxQ==
X-Gm-Message-State: AOJu0YxVf/DcYy9ci342dcWA/AReAVd4IL0Zho0TArZsLSsSTiP0Ee1B
	UtAnXnRkQa6nJGkg5BTjickoCskTE0pV2kkP0tw1jYomxoveszHATbqNjquh5pSZIKcaU1d869G
	T6zrMGPgYWQn8pjwR3aZlFndkY1ScgsYVskHMFJDqoYtdvlm/wQ==
X-Received: by 2002:a05:6214:286:b0:6ad:67d3:af2f with SMTP id 6a1803df08f44-6b54099db58mr132706826d6.13.1719476500095;
        Thu, 27 Jun 2024 01:21:40 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGEKSAICAktQ7s8JLrV3I1+h3M1kh3rmqjjKOWbgwRcZY4GsXW01p49IqDO5nokYUtAzBcyWQ==
X-Received: by 2002:a05:6214:286:b0:6ad:67d3:af2f with SMTP id 6a1803df08f44-6b54099db58mr132706636d6.13.1719476499662;
        Thu, 27 Jun 2024 01:21:39 -0700 (PDT)
Received: from maya.cloud.tilaa.com (maya.cloud.tilaa.com. [164.138.29.33])
        by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6b5927079e1sm3227256d6.129.2024.06.27.01.21.38
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 27 Jun 2024 01:21:38 -0700 (PDT)
Date: Thu, 27 Jun 2024 10:21:04 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH 4/4] tap: Drop frames from guest whose length is more
 than remaining buffer
Message-ID: <20240627102057.2f452002@elisabeth>
In-Reply-To: <ZnzAmiFK5fzbxvzz@zatzit>
References: <20240626234536.3306466-1-sbrivio@redhat.com>
	<20240626234536.3306466-5-sbrivio@redhat.com>
	<ZnzAmiFK5fzbxvzz@zatzit>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: B76SVSUJTWYLYRYSOHA2HPS77Z5S7NXD
X-Message-ID-Hash: B76SVSUJTWYLYRYSOHA2HPS77Z5S7NXD
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Matej Hrica <mhrica@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240627102057.2f452002@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/B76SVSUJTWYLYRYSOHA2HPS77Z5S7NXD/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Thu, 27 Jun 2024 11:30:02 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> On Thu, Jun 27, 2024 at 01:45:36AM +0200, Stefano Brivio wrote:
> > This was reported by Matej a while ago, but we forgot to fix it. Even
> > if the hypervisor is necessarily trusted by passt, as it can in any
> > case terminate the guest or disrupt guest connectivity, it's a good
> > idea to be robust against possible issues.
> > 
> > Instead of resetting the connection to the hypervisor, just skip the
> > offending frame, as we had a few cases where QEMU would get the
> > length descriptor wrong, in the past.
> > 
> > Reported-by: Matej Hrica <mhrica@redhat.com>
> > Suggested-by: Matej Hrica <mhrica@redhat.com>
> > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > ---
> >  tap.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/tap.c b/tap.c
> > index 7f8c26d..bb993e0 100644
> > --- a/tap.c
> > +++ b/tap.c
> > @@ -1026,6 +1026,9 @@ redo:  
> 
> So.. I just realised there's a different pre-existing problem here,
> above what's quoted in the patch we have:
> 
> 		ssize_t l2len = ntohl(*(uint32_t *)p);
> 
> On a platform where ssize_t is only 32-bits we could get a negative
> value here, which would be very bad.

We can't, because the length is anyway limited to the maximum IPv4 path
MTU in any hypervisor we might be talking to.

> So l2len should be a uint32_t, not ssize_t.

True, I can also change that while at it.

> We do then need to make sure that the comparison between
> l2len and n is unsigned - it's safe to cast n to size_t there, because
> we've verified it's positive as the loop condition.
>
> Or... maybe it's simpler.  The frame length is encoded as 32-bits, but
> we can't meaningfully have frames above 64k (maybe 64k+ETH_HLEN).  So
> possibly we should just reset the tap connection if we see such a
> frame (most likely it means we've somehow gotten out of sync, anyway).

I'd rather "fix" type and comparison, for the sake of whatever static
checkers might eventually come up with.

> >  		p += sizeof(uint32_t);
> >  		n -= sizeof(uint32_t);  
> 
> 
> > +		if (l2len > (ssize_t)TAP_BUF_BYTES - n)  
> 
> I hate to discard valid frames from the guest.

That won't happen because of how TAP_BUF_FILL and TAP_BUF_BYTES are
defined. If this condition is true, the length descriptor actually
mismatched. If you have a better proposal, let me know.

> > +			goto next;  
> 
> ..and this is not safe.  This skips (l2len > n) check, which means
> that the n -= l2len at next could now have a signed overflow, which is
> UB.

It's safe because of the change from 3/4, which will just return on
overflow. In any case, yes, I can add a return directly, it's not very
productive to speculate what kind of issues a hypervisor might have,
let's just avoid crashing in case.

> > +
> >  		/* At most one packet might not fit in a single read, and this
> >  		 * needs to be blocking.
> >  		 */  
> 

-- 
Stefano