From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>,
Laurent Vivier <lvivier@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH v2 1/4] packet: replace struct desc by struct iovec
Date: Fri, 19 Jul 2024 23:28:40 +0200
Message-ID: <20240719232840.2ad9f8df@elisabeth>
In-Reply-To: <ZpSsvtn7tr7-C7J-@zatzit>
On Mon, 15 Jul 2024 14:59:42 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:
> On Fri, Jul 12, 2024 at 05:32:41PM +0200, Laurent Vivier wrote:
> > To be able to manage buffers inside a shared memory provided
> > by a VM via a vhost-user interface, we cannot rely on the fact
> > that buffers are located in a pre-defined memory area and use
> > a base address and a 32bit offset to address them.
> >
> > We need a 64bit address, so replace struct desc by struct iovec
> > and update range checking.
> >
> > Signed-off-by: Laurent Vivier <lvivier@redhat.com>
> > ---
> > packet.c | 84 +++++++++++++++++++++++++++++++-------------------------
> > packet.h | 14 ++--------
> > 2 files changed, 49 insertions(+), 49 deletions(-)
> >
> > diff --git a/packet.c b/packet.c
> > index ccfc84607709..f7bb523c4ffa 100644
> > --- a/packet.c
> > +++ b/packet.c
> > @@ -22,6 +22,39 @@
> > #include "util.h"
> > #include "log.h"
> >
> > +/**
> > + * packet_check_range() - Check if a packet memory range is valid
> > + * @p: Packet pool
> > + * @offset: Offset of data range in packet descriptor
> > + * @len: Length of desired data range
> > + * @start: Start of the packet descriptor
> > + * @func: For tracing: name of calling function, NULL means no trace()
> > + * @line: For tracing: caller line of function call
> > + *
> > + * Return: 0 if the range is valid, -1 otherwise
> > + */
> > +static int packet_check_range(const struct pool *p, size_t offset, size_t len,
> > + const char *start, const char *func, int line)
> > +{
> > + if (start < p->buf) {
> > + if (func) {
>
> Omitting the message entirely if func is not set doesn't seem correct.
> I believe printf() should format NULL pointers sanely (typically as
> "<null>"), so I think you can just leave out this check.
That intention is actually pre-existing: look at the function comment
(coming from packet_add_do()).
Originally, I wanted to implement --trace like that: if no function
name was given, no messages would be printed. Then I realised it wasn't
really practical and changed to a static logging flag, but I still
accidentally left this in commit bb708111833e ("treewide: Packet
abstraction with mandatory boundary checks").
Anyway, yes, func is always passed, so there's no need for this check
(and sure, there would be no _need_ anyway). We just need to fix the
function comments.
> > + trace("add packet start %p before buffer start %p, "
It's not "add" if it's called from packet_get_do(). As we print the
function name anyway, we could drop "add " from this altogether, it
should be clear enough.
> > + "%s:%i", (void *)start, (void *)p->buf, func, line);
> > + }
> > + return -1;
> > + }
> > +
> > + if (start + len + offset > p->buf + p->buf_size) {
>
> It's not really clear to me why offset is needed in here. AIUI,
> offset is used when we want to talk about some piece of a larger
> packet/frame that's in the buffer. That's useful when we're
> dissecting packets,
...and that's packet_get_do()'s usage, passing a non-zero offset here
(stricter check anyway), while:
> but surely we always want the whole frame/whatever
> to be within the buffer,
packet_add_do() calls this with a zero offset, because the whole packet
should fit.
That is, this check replaces:
if (start + len > p->buf + p->buf_size) {
from packet_add_do(), and:
if (p->pkt[idx].offset + len + offset > p->buf_size) {
from packet_get_do(). It looks equivalent to me.
> so I don't know we need the extra complexity
> in this helper.
>
> I also think we should check for overflow on the LHS here, but that's
> pre-existing, so it doesn't need to go in this patch.
>
> > + if (func) {
> > + trace("packet offset plus length %lu from size %lu, "
> > + "%s:%i", start - p->buf + len + offset,
> > + p->buf_size, func, line);
> > + }
> > + return -1;
> > + }
> > +
> > + return 0;
> > +}
> > /**
> > * packet_add_do() - Add data as packet descriptor to given pool
> > * @p: Existing pool
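Review bot: the end-of-buffer test `start + len + offset > p->buf + p->buf_size` first forms `start + len + offset`, which wraps (and points past the object) when `len + offset` is large, so a corrupted offset can still pass the check; since `start >= p->buf` is already established at that point, compare against the remaining room instead, e.g. `size_t room = p->buf + p->buf_size - start; if (offset > room || len > room - offset)`, which also covers the LHS overflow raised in the thread. Two smaller points in the same hunk: the trace() in the second branch uses `%lu` for a size_t expression where the surrounding messages use `%zu`, and as func is always non-NULL the `if (func)` guards and the "NULL means no trace()" line of the comment should go together (the "add packet start" wording there is also wrong when reached from packet_get_do()).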
> > @@ -41,34 +74,16 @@ void packet_add_do(struct pool *p, size_t len, const char *start,
> > return;
> > }
> >
> > - if (start < p->buf) {
> > - trace("add packet start %p before buffer start %p, %s:%i",
> > - (void *)start, (void *)p->buf, func, line);
> > + if (packet_check_range(p, 0, len, start, func, line))
> > return;
> > - }
> > -
> > - if (start + len > p->buf + p->buf_size) {
> > - trace("add packet start %p, length: %zu, buffer end %p, %s:%i",
> > - (void *)start, len, (void *)(p->buf + p->buf_size),
> > - func, line);
> > - return;
> > - }
> >
> > if (len > UINT16_MAX) {
> > trace("add packet length %zu, %s:%i", len, func, line);
> > return;
> > }
> >
> > -#if UINTPTR_MAX == UINT64_MAX
> > - if ((uintptr_t)start - (uintptr_t)p->buf > UINT32_MAX) {
> > - trace("add packet start %p, buffer start %p, %s:%i",
> > - (void *)start, (void *)p->buf, func, line);
> > - return;
> > - }
> > -#endif
> > -
> > - p->pkt[idx].offset = start - p->buf;
> > - p->pkt[idx].len = len;
> > + p->pkt[idx].iov_base = (void *)start;
> > + p->pkt[idx].iov_len = len;
> >
> > p->count++;
> > }
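Review bot: the `len > UINT16_MAX` rejection survives although its reason, the 16-bit `len` field of the removed struct desc, is gone now that `iov_len` is a size_t; either say in a comment that it is kept as a deliberate per-packet sanity cap or drop it together with the UINT32_MAX offset limit removed just below. Also, `p->pkt[idx].iov_base = (void *)start` casts away the const of `start`, which is forced by `iov_base` being `void *` but deserves a comment, since it lets later code write through a descriptor built from a const pointer.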
> > @@ -96,36 +111,31 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset,
> > return NULL;
> > }
> >
> > - if (len > UINT16_MAX || len + offset > UINT32_MAX) {
> > + if (len > UINT16_MAX) {
> > if (func) {
> > - trace("packet data length %zu, offset %zu, %s:%i",
> > - len, offset, func, line);
> > + trace("packet data length %zu, %s:%i",
> > + len, func, line);
>
> Should this be an assert? Seems like something is wrong in the
> caller, if they're trying to pass in a ludicrously long packet.
Maybe something is wrong in the caller, but these are sanity checks for
security's sake, so if somebody finds out how to reach here with a
ludicrously long packet, I think it's preferable to discard the packet
rather than crashing and turning whatever issue into a vulnerability.
> > }
> > return NULL;
> > }
> >
> > - if (p->pkt[idx].offset + len + offset > p->buf_size) {
> > + if (len + offset > p->pkt[idx].iov_len) {
> > if (func) {
> > - trace("packet offset plus length %zu from size %zu, "
> > - "%s:%i", p->pkt[idx].offset + len + offset,
> > - p->buf_size, func, line);
> > + trace("data length %zu, offset %zu from length %zu, "
> > + "%s:%i", len, offset, p->pkt[idx].iov_len,
> > + func, line);
> > }
> > return NULL;
> > }
> >
> > - if (len + offset > p->pkt[idx].len) {
> > - if (func) {
> > - trace("data length %zu, offset %zu from length %u, "
> > - "%s:%i", len, offset, p->pkt[idx].len,
> > - func, line);
> > - }
> > + if (packet_check_range(p, offset, len, p->pkt[idx].iov_base,
> > + func, line))
> > return NULL;
> > - }
> >
> > if (left)
> > - *left = p->pkt[idx].len - offset - len;
> > + *left = p->pkt[idx].iov_len - offset - len;
> >
> > - return p->buf + p->pkt[idx].offset + offset;
> > + return (char *)p->pkt[idx].iov_base + offset;
> > }
> >
> > /**
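Review bot: dropping `len + offset > UINT32_MAX` removes the only bound on `offset`, so in the new `len + offset > p->pkt[idx].iov_len` test the sum can wrap for a very large offset, pass the check, and the function then returns `iov_base + offset` and stores a wrapped `*left`; the following packet_check_range() call does not catch it either, because it computes the same `start + len + offset`. Bound offset before adding, e.g. `if (offset > p->pkt[idx].iov_len || len > p->pkt[idx].iov_len - offset)`. With that in place the packet_check_range() call at the end is only a consistency check, as the descriptor was already validated by packet_add_do().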
> > diff --git a/packet.h b/packet.h
> > index a784b07bbed5..8377dcf678bb 100644
> > --- a/packet.h
> > +++ b/packet.h
> > @@ -6,16 +6,6 @@
> > #ifndef PACKET_H
> > #define PACKET_H
> >
> > -/**
> > - * struct desc - Generic offset-based descriptor within buffer
> > - * @offset: Offset of descriptor relative to buffer start, 32-bit limit
> > - * @len: Length of descriptor, host order, 16-bit limit
> > - */
> > -struct desc {
> > - uint32_t offset;
> > - uint16_t len;
> > -};
> > -
> > /**
> > * struct pool - Generic pool of packets stored in a buffer
> > * @buf: Buffer storing packet descriptors
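Review bot: packet.h now uses struct iovec in place of the removed struct desc, but this hunk adds no `#include <sys/uio.h>`, so the header only compiles when every includer happens to pull that in first; add the include here. While touching the surrounding comment, `@buf: Buffer storing packet descriptors` is inaccurate: @buf holds the packet data and `pkt[]` holds the descriptors.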
> > @@ -29,7 +19,7 @@ struct pool {
> > size_t buf_size;
> > size_t size;
> > size_t count;
> > - struct desc pkt[1];
> > + struct iovec pkt[1];
> > };
> >
> > void packet_add_do(struct pool *p, size_t len, const char *start,
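Review bot: each descriptor grows from the 8 bytes of struct desc (uint32_t offset plus uint16_t len, padded) to the 16 bytes of struct iovec on 64-bit targets, so every pool declared through struct pool or PACKET_POOL() doubles the size of its descriptor array; worth stating in the commit message, since the message only mentions the need for a 64-bit address.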
> > @@ -54,7 +44,7 @@ struct _name ## _t { \
> > size_t buf_size; \
> > size_t size; \
> > size_t count; \
> > - struct desc pkt[_size]; \
> > + struct iovec pkt[_size]; \
> > }
> >
> > #define PACKET_POOL_INIT_NOCAST(_size, _buf, _buf_size) \
--
Stefano
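An added example (written for this page, not code from passt or from the patch) of the checks discussed above, arranged so that neither the `len + offset` sum nor the pointer in the end-of-buffer test can wrap. The names `struct pool_t`, `check_range()`, `add_packet()` and `get_range()`, the four-entry pool and the 64-byte buffer are assumptions standing in for passt's pool and its packet_check_range(), packet_add_do() and packet_get_do(); struct iovec is the <sys/uio.h> type the patch switches to.

```c
/*
 * Added example (not passt code): descriptor range checks written so that
 * no intermediate sum or pointer can wrap. struct pool_t, check_range(),
 * add_packet() and get_range() are hypothetical stand-ins for passt's pool,
 * packet_check_range(), packet_add_do() and packet_get_do().
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define MAX_PKT_LEN UINT16_MAX	/* per-packet cap, as the patch keeps it */

struct pool_t {
	char *buf;		/* backing buffer holding packet data */
	size_t buf_size;	/* size of buf in bytes */
	size_t count;		/* descriptors in use */
	struct iovec pkt[4];	/* descriptors: pointer + length */
};

/*
 * Return 0 if [start + offset, start + offset + len) lies inside p->buf,
 * -1 otherwise. Pointers are compared as integers and the remaining room
 * is computed first, so start + len + offset is never formed.
 */
static int check_range(const struct pool_t *p, const char *start,
		       size_t offset, size_t len)
{
	uintptr_t s = (uintptr_t)start, b = (uintptr_t)p->buf;
	size_t room;

	if (s < b || s > b + p->buf_size)
		return -1;

	room = (size_t)(b + p->buf_size - s);	/* bytes from start to buffer end */
	if (offset > room || len > room - offset)
		return -1;

	return 0;
}

/* Counterpart of packet_add_do(): store a descriptor or refuse the packet. */
static int add_packet(struct pool_t *p, const char *start, size_t len)
{
	if (p->count >= sizeof(p->pkt) / sizeof(p->pkt[0]))
		return -1;
	if (len > MAX_PKT_LEN || check_range(p, start, 0, len))
		return -1;

	p->pkt[p->count].iov_base = (void *)start;	/* const dropped, as in the patch */
	p->pkt[p->count].iov_len = len;
	p->count++;
	return 0;
}

/*
 * Counterpart of packet_get_do(): pointer to len bytes at offset within
 * descriptor idx, or NULL. offset is bounded before len + offset is ever
 * computed, which closes the wraparound discussed in the thread.
 */
static const char *get_range(const struct pool_t *p, size_t idx,
			     size_t offset, size_t len, size_t *left)
{
	const struct iovec *d;

	if (idx >= p->count || len > MAX_PKT_LEN)
		return NULL;

	d = &p->pkt[idx];
	if (offset > d->iov_len || len > d->iov_len - offset)
		return NULL;
	if (check_range(p, d->iov_base, offset, len))
		return NULL;

	if (left)
		*left = d->iov_len - offset - len;
	return (const char *)d->iov_base + offset;
}

/*
 * What the patch's test, len + offset > iov_len, does on a wrapping input:
 * SIZE_MAX + 2 wraps to 1, so an offset far outside the packet is accepted.
 * Returns 1 when the naive test (wrongly) accepts it.
 */
static int naive_check_wraps(void)
{
	size_t offset = SIZE_MAX, len = 2, iov_len = 16;

	return len + offset <= iov_len;
}

/*
 * Constructed scenario: a 64-byte buffer with one 16-byte packet at offset
 * 8. Returns a bitmask of the lookups that were correctly refused (all
 * five refused gives 31), or 0xff if a valid lookup misbehaved.
 */
static unsigned demo(void)
{
	static char buf[64], other[8];
	struct pool_t p = { .buf = buf, .buf_size = sizeof(buf) };
	unsigned refused = 0;
	size_t left = 0;

	if (add_packet(&p, buf + 8, 16))
		return 0xff;
	if (get_range(&p, 0, 4, 8, &left) != buf + 12 || left != 4)
		return 0xff;

	if (add_packet(&p, buf + 60, 16))		/* runs past the buffer end */
		refused |= 1;
	if (add_packet(&p, other, 4))			/* not inside buf at all */
		refused |= 2;
	if (!get_range(&p, 0, 16, 1, NULL))		/* one byte past the packet */
		refused |= 4;
	if (!get_range(&p, 0, SIZE_MAX, 2, NULL))	/* len + offset would wrap to 1 */
		refused |= 8;
	if (!get_range(&p, 1, 0, 1, NULL))		/* no such descriptor */
		refused |= 16;

	return refused;
}

int main(void)
{
	printf("refused mask: %u (expect 31), naive check accepts wrap: %d\n",
	       demo(), naive_check_wraps());
	return 0;
}
```

The ordering in get_range() is the point: bounding offset against iov_len before computing any sum means a corrupted offset is refused rather than wrapped, and, as the thread argues, refusing the packet is preferable to an assert that turns a reachable bad offset into a crash.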
Thread overview: 13+ messages
2024-07-12 15:32 [PATCH v2 0/4] Add vhost-user support to passt. (part 3) Laurent Vivier
2024-07-12 15:32 ` [PATCH v2 1/4] packet: replace struct desc by struct iovec Laurent Vivier
2024-07-15 4:59 ` David Gibson
2024-07-19 21:28 ` Stefano Brivio [this message]
2024-07-12 15:32 ` [PATCH v2 2/4] vhost-user: introduce virtio API Laurent Vivier
2024-07-17 5:21 ` David Gibson
2024-08-14 12:47 ` Laurent Vivier
2024-08-15 4:52 ` David Gibson
2024-07-19 21:29 ` Stefano Brivio
2024-07-12 15:32 ` [PATCH v2 3/4] vhost-user: introduce vhost-user API Laurent Vivier
2024-07-19 21:29 ` Stefano Brivio
2024-08-14 14:44 ` Laurent Vivier
2024-07-12 15:32 ` [PATCH v2 4/4] vhost-user: add vhost-user Laurent Vivier