From patchwork Thu Oct 10 21:00:17 2019
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 11184485
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, vsementsov@virtuozzo.com, Max Reitz, qemu-block@nongnu.org, mlevitsk@redhat.com
Subject: [PATCH v2 1/2] nbd: Don't send oversize strings
Date: Thu, 10 Oct 2019 16:00:17 -0500
Message-Id: <20191010210018.22000-2-eblake@redhat.com>
In-Reply-To: <20191010210018.22000-1-eblake@redhat.com>
References: <20191010210018.22000-1-eblake@redhat.com>

Qemu as server currently won't accept export names larger than 256 bytes, nor create dirty bitmap names longer than 1023 bytes, so most uses of qemu as client or server have no reason to get anywhere near the NBD spec maximum of a 4k limit per string. However, we weren't actually enforcing things, ignoring when the remote side violates the protocol on input, and also having several code paths where we send oversize strings on output (for example, qemu-nbd --description could easily send more than 4k). Tighten things up as follows:

client:
- Perform bounds check on export name and dirty bitmap request prior to handing it to server
- Validate that copied server replies are not too long (ignoring NBD_INFO_* replies that are not copied is not too bad)

server:
- Perform bounds check on export name and description prior to advertising it to client
- Reject client name or metadata query that is too long
Signed-off-by: Eric Blake Reviewed-by: Vladimir Sementsov-Ogievskiy --- include/block/nbd.h | 1 + block/nbd.c | 9 +++++++++ blockdev-nbd.c | 5 +++++ nbd/client.c | 16 +++++++++++++--- nbd/server.c | 14 ++++++++++++-- qemu-nbd.c | 9 +++++++++ 6 files changed, 49 insertions(+), 5 deletions(-) diff --git a/include/block/nbd.h b/include/block/nbd.h index 316fd705a9e4..fcabdf0f37c3 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -232,6 +232,7 @@ enum { * going larger would require an audit of more code to make sure we * aren't overflowing some other buffer. */ #define NBD_MAX_NAME_SIZE 256 +#define NBD_MAX_STRING_SIZE 4096 /* Two types of reply structures */ #define NBD_SIMPLE_REPLY_MAGIC 0x67446698 diff --git a/block/nbd.c b/block/nbd.c index 813c40d8f067..76eb1dbe04df 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -1621,6 +1621,10 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, } s->export = g_strdup(qemu_opt_get(opts, "export")); + if (s->export && strlen(s->export) > NBD_MAX_STRING_SIZE) { + error_setg(errp, "export name too long to send to server"); + goto error; + } s->tlscredsid = g_strdup(qemu_opt_get(opts, "tls-creds")); if (s->tlscredsid) { @@ -1638,6 +1642,11 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, } s->x_dirty_bitmap = g_strdup(qemu_opt_get(opts, "x-dirty-bitmap")); + if (s->x_dirty_bitmap && strlen(s->x_dirty_bitmap) > NBD_MAX_STRING_SIZE) { + error_setg(errp, "x_dirty_bitmap query too long to send to server"); + goto error; + } + s->reconnect_delay = qemu_opt_get_number(opts, "reconnect-delay", 0); ret = 0; diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 6a8b206e1d74..8c20baa4a4b9 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c 
@@ -162,6 +162,11 @@ void qmp_nbd_server_add(const char *device, bool has_name, const char *name, name = device; } + if (strlen(name) > NBD_MAX_STRING_SIZE) { + error_setg(errp, "export name '%s' too long", name); + return; + } + if (nbd_export_find(name)) { error_setg(errp, "NBD server already has export named '%s'", name); return; diff --git a/nbd/client.c b/nbd/client.c index f6733962b49b..d6e29daced63 100644 --- a/nbd/client.c +++ b/nbd/client.c @@ -289,8 +289,8 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, char **description, return -1; } len -= sizeof(namelen); - if (len < namelen) { - error_setg(errp, "incorrect option name length"); + if (len < namelen || namelen > NBD_MAX_STRING_SIZE) { + error_setg(errp, "incorrect list name length"); nbd_send_opt_abort(ioc); return -1; } @@ -303,6 +303,11 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, char **description, local_name[namelen] = '\0'; len -= namelen; if (len) { + if (len > NBD_MAX_STRING_SIZE) { + error_setg(errp, "incorrect list description length"); + nbd_send_opt_abort(ioc); + return -1; + } local_desc = g_malloc(len + 1); if (nbd_read(ioc, local_desc, len, "export description", errp) < 0) { nbd_send_opt_abort(ioc); @@ -479,6 +484,10 @@ static int nbd_opt_info_or_go(QIOChannel *ioc, uint32_t opt, break; default: + /* + * Not worth the bother to check if NBD_INFO_NAME or + * NBD_INFO_DESCRIPTION exceed NBD_MAX_STRING_SIZE. + */ trace_nbd_opt_info_unknown(type, nbd_info_lookup(type)); if (nbd_drop(ioc, len, errp) < 0) { error_prepend(errp, "Failed to read info payload: "); @@ -648,6 +657,7 @@ static int nbd_send_meta_query(QIOChannel *ioc, uint32_t opt, if (query) { query_len = strlen(query); data_len += sizeof(query_len) + query_len; + assert(query_len <= NBD_MAX_STRING_SIZE); } else { assert(opt == NBD_OPT_LIST_META_CONTEXT); } 
@@ -1009,7 +1019,7 @@ int nbd_receive_negotiate(AioContext *aio_context, QIOChannel *ioc, bool zeroes; bool base_allocation = info->base_allocation; - assert(info->name); + assert(info->name && strlen(info->name) <= NBD_MAX_STRING_SIZE); trace_nbd_receive_negotiate_name(info->name); result = nbd_start_negotiate(aio_context, ioc, tlscreds, hostname, outioc, diff --git a/nbd/server.c b/nbd/server.c index d8d1e6245532..dfbefd5a1ebc 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -375,6 +375,7 @@ static int nbd_negotiate_send_rep_list(NBDClient *client, NBDExport *exp, trace_nbd_negotiate_send_rep_list(name, desc); name_len = strlen(name); desc_len = strlen(desc); + assert(name_len <= NBD_MAX_STRING_SIZE && desc_len <= NBD_MAX_STRING_SIZE); len = name_len + desc_len + sizeof(len); ret = nbd_negotiate_send_rep_len(client, NBD_REP_SERVER, len, errp); if (ret < 0) { @@ -608,6 +609,7 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp) if (exp->description) { size_t len = strlen(exp->description); + assert(len <= NBD_MAX_STRING_SIZE); rc = nbd_negotiate_send_info(client, NBD_INFO_DESCRIPTION, len, exp->description, errp); if (rc < 0) { @@ -752,6 +754,7 @@ static int nbd_negotiate_send_meta_context(NBDClient *client, {.iov_base = (void *)context, .iov_len = strlen(context)} }; + assert(iov[1].iov_len <= NBD_MAX_STRING_SIZE); if (client->opt == NBD_OPT_LIST_META_CONTEXT) { context_id = 0; } @@ -900,7 +903,7 @@ static int nbd_meta_qemu_query(NBDClient *client, NBDExportMetaContexts *meta, * Parse namespace name and call corresponding function to parse body of the * query. * - * The only supported namespace now is 'base'. + * The only supported namespaces are 'base' and 'qemu'. * * The function aims not wasting time and memory to read long unknown namespace * names. 
@@ -926,6 +929,10 @@ static int nbd_negotiate_meta_query(NBDClient *client, } len = cpu_to_be32(len); + if (len > NBD_MAX_STRING_SIZE) { + trace_nbd_negotiate_meta_query_skip("length too long"); + return nbd_opt_skip(client, len, errp); + } if (len < ns_len) { trace_nbd_negotiate_meta_query_skip("length too short"); return nbd_opt_skip(client, len, errp); @@ -1487,7 +1494,7 @@ NBDExport *nbd_export_new(BlockDriverState *bs, uint64_t dev_offset, * access since the export could be available before migration handover. * ctx was acquired in the caller. */ - assert(name); + assert(name && strlen(name) <= NBD_MAX_STRING_SIZE); ctx = bdrv_get_aio_context(bs); bdrv_invalidate_cache(bs, NULL); @@ -1513,6 +1520,7 @@ NBDExport *nbd_export_new(BlockDriverState *bs, uint64_t dev_offset, assert(dev_offset <= INT64_MAX); exp->dev_offset = dev_offset; exp->name = g_strdup(name); + assert(!desc || strlen(desc) <= NBD_MAX_STRING_SIZE); exp->description = g_strdup(desc); exp->nbdflags = (NBD_FLAG_HAS_FLAGS | NBD_FLAG_SEND_FLUSH | NBD_FLAG_SEND_FUA | NBD_FLAG_SEND_CACHE); @@ -1561,6 +1569,8 @@ NBDExport *nbd_export_new(BlockDriverState *bs, uint64_t dev_offset, exp->export_bitmap = bm; exp->export_bitmap_context = g_strdup_printf("qemu:dirty-bitmap:%s", bitmap); + /* See BME_MAX_NAME_SIZE in block/qcow2-bitmap.c */ + assert(strlen(exp->export_bitmap_context) <= NBD_MAX_STRING_SIZE); } exp->close = close; diff --git a/qemu-nbd.c b/qemu-nbd.c index 9032b6de2ace..55ce69b141f0 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c 
@@ -826,9 +826,18 @@ int main(int argc, char **argv) break; case 'x': export_name = optarg; + if (strlen(export_name) > NBD_MAX_STRING_SIZE) { + error_report("export name '%s' too long", export_name); + exit(EXIT_FAILURE); + } break; case 'D': export_description = optarg; + if (strlen(export_description) > NBD_MAX_STRING_SIZE) { + error_report("export description '%s' too long", + export_description); + exit(EXIT_FAILURE); + } break; case 'v': verbose = 1;
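Review bot: the new `#define NBD_MAX_STRING_SIZE 4096` in include/block/nbd.h is undocumented, while the comment block just above it explains why NBD_MAX_NAME_SIZE is 256 and warns about an audit before going larger. A one-line comment stating where 4096 comes from (the commit message says it is the NBD spec's per-string limit) and which strings it bounds (export names, descriptions, meta context names, as the rest of this patch applies it) would keep the two constants from being confused.

Review bot: in the block/nbd.c x-dirty-bitmap hunk, the error text "x_dirty_bitmap query too long to send to server" spells the option with underscores, but the option the user typed is "x-dirty-bitmap" (the string passed to qemu_opt_get two lines above). Use the option's own spelling, e.g. `error_setg(errp, "x-dirty-bitmap query too long to send to server");`, so the message is searchable against the command line.

Review bot: the blockdev-nbd.c hunk, and likewise the 'x' and 'D' cases in the qemu-nbd.c hunk, quote the offending string back with '%s' in the error. Since the branch is only taken when the string exceeds 4096 bytes, every such error message is itself larger than 4 KiB (and, for qmp_nbd_server_add, travels back to the QMP client). Report the length and the limit instead, e.g. `error_setg(errp, "export name too long (%zu bytes, max %d)", strlen(name), NBD_MAX_STRING_SIZE);`, and the same shape for error_report in qemu-nbd.c.

Review bot: in the nbd/client.c nbd_opt_info_or_go hunk, the new comment under `default:` says it is not worth checking whether NBD_INFO_NAME or NBD_INFO_DESCRIPTION exceed NBD_MAX_STRING_SIZE, but a reader has to infer that those two types land in `default:` only because they have no case label and are discarded unread by the nbd_drop() call that follows. Saying so explicitly ("NBD_INFO_NAME and NBD_INFO_DESCRIPTION have no case of their own and are dropped unread, so their length is irrelevant") would make the comment match the control flow.

Review bot: in the nbd/server.c nbd_negotiate_meta_query hunk, the new length check is placed right after the context line `len = cpu_to_be32(len);`, which converts a value just read from the wire. The conversion is byte-for-byte the same as be32_to_cpu, so it is not a bug, but be32_to_cpu states the intent and is the form readers expect when auditing length checks like the one being added. Pre-existing, so a follow-up cleanup rather than a blocker for this patch.

Review bot: in the nbd/server.c nbd_export_new bitmap hunk, `assert(strlen(exp->export_bitmap_context) <= NBD_MAX_STRING_SIZE)` is justified only by the comment pointing at BME_MAX_NAME_SIZE in block/qcow2-bitmap.c; nothing ties the two constants together, so if that limit ever grows past 4096 minus the "qemu:dirty-bitmap:" prefix, the failure shows up as a runtime abort in the NBD server. If BME_MAX_NAME_SIZE can be exposed through a header, a QEMU_BUILD_BUG_ON on `strlen("qemu:dirty-bitmap:") + BME_MAX_NAME_SIZE <= NBD_MAX_STRING_SIZE` would catch that at compile time; otherwise the comment should at least spell out that arithmetic.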
From patchwork Thu Oct 10 21:00:18 2019
X-Patchwork-Submitter: Eric Blake
X-Patchwork-Id: 11184483
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, vsementsov@virtuozzo.com, qemu-block@nongnu.org, Markus Armbruster, "Dr. David Alan Gilbert", Max Reitz, mlevitsk@redhat.com
Subject: [PATCH v2 2/2] nbd: Allow description when creating NBD blockdev
Date: Thu, 10 Oct 2019 16:00:18 -0500
Message-Id: <20191010210018.22000-3-eblake@redhat.com>
In-Reply-To: <20191010210018.22000-1-eblake@redhat.com>
References: <20191010210018.22000-1-eblake@redhat.com>

Allow blockdevs to match the feature already present in qemu-nbd -D. Enhance iotest 223 to cover it.
Signed-off-by: Eric Blake Reviewed-by: Vladimir Sementsov-Ogievskiy Reviewed-by: Maxim Levitsky --- qapi/block.json | 8 +++++--- blockdev-nbd.c | 9 ++++++++- monitor/hmp-cmds.c | 4 ++-- tests/qemu-iotests/223 | 2 +- tests/qemu-iotests/223.out | 1 + 5 files changed, 17 insertions(+), 7 deletions(-) diff --git a/qapi/block.json b/qapi/block.json index 145c268bb646..a6617b5bd03a 100644 --- a/qapi/block.json +++ b/qapi/block.json @@ -250,9 +250,11 @@ # @name: Export name. If unspecified, the @device parameter is used as the # export name. (Since 2.12) # +# @description: Free-form description of the export. (Since 4.2) +# # @writable: Whether clients should be able to write to the device via the # NBD connection (default false). - +# # @bitmap: Also export the dirty bitmap reachable from @device, so the # NBD client can use NBD_OPT_SET_META_CONTEXT with # "qemu:dirty-bitmap:NAME" to inspect the bitmap. (since 4.0) @@ -263,8 +265,8 @@ # Since: 1.3.0 ## { 'command': 'nbd-server-add', - 'data': {'device': 'str', '*name': 'str', '*writable': 'bool', - '*bitmap': 'str' } } + 'data': {'device': 'str', '*name': 'str', '*description': 'str', + '*writable': 'bool', '*bitmap': 'str' } } ## # @NbdServerRemoveMode: diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 8c20baa4a4b9..de2f2ff71320 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -144,6 +144,7 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr, } void qmp_nbd_server_add(const char *device, bool has_name, const char *name, + bool has_description, const char *description, bool has_writable, bool writable, bool has_bitmap, const char *bitmap, Error **errp) { @@ -167,6 +168,11 @@ void qmp_nbd_server_add(const char *device, bool has_name, const char *name, return; } + if (has_description && strlen(description) > NBD_MAX_STRING_SIZE) { + error_setg(errp, "description '%s' too long", description); + return; + } + if (nbd_export_find(name)) { error_setg(errp, "NBD server already has export named '%s'", name); return; 
@@ -195,7 +201,8 @@ void qmp_nbd_server_add(const char *device, bool has_name, const char *name, writable = false; } - exp = nbd_export_new(bs, 0, len, name, NULL, bitmap, !writable, !writable, + exp = nbd_export_new(bs, 0, len, name, description, bitmap, + !writable, !writable, NULL, false, on_eject_blk, errp); if (!exp) { goto out; diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c index b2551c16d129..574c6321c9d0 100644 --- a/monitor/hmp-cmds.c +++ b/monitor/hmp-cmds.c @@ -2352,7 +2352,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict) continue; } - qmp_nbd_server_add(info->value->device, false, NULL, + qmp_nbd_server_add(info->value->device, false, NULL, false, NULL, true, writable, false, NULL, &local_err); if (local_err != NULL) { @@ -2374,7 +2374,7 @@ void hmp_nbd_server_add(Monitor *mon, const QDict *qdict) bool writable = qdict_get_try_bool(qdict, "writable", false); Error *local_err = NULL; - qmp_nbd_server_add(device, !!name, name, true, writable, + qmp_nbd_server_add(device, !!name, name, false, NULL, true, writable, false, NULL, &local_err); hmp_handle_error(mon, &local_err); } diff --git a/tests/qemu-iotests/223 b/tests/qemu-iotests/223 index 2ba3d8124b4f..06bdc96be48f 100755 --- a/tests/qemu-iotests/223 +++ b/tests/qemu-iotests/223 @@ -144,7 +144,7 @@ _send_qemu_cmd $QEMU_HANDLE '{"execute":"nbd-server-add", "bitmap":"b3"}}' "error" # Missing bitmap _send_qemu_cmd $QEMU_HANDLE '{"execute":"nbd-server-add", "arguments":{"device":"n", "name":"n2", "writable":true, - "bitmap":"b2"}}' "return" + "description":"some text", "bitmap":"b2"}}' "return" $QEMU_NBD_PROG -L -k "$TEST_DIR/nbd" echo diff --git a/tests/qemu-iotests/223.out b/tests/qemu-iotests/223.out index 23b34fcd202e..16d597585b4f 100644 --- a/tests/qemu-iotests/223.out +++ b/tests/qemu-iotests/223.out 
@@ -49,6 +49,7 @@ exports available: 2 base:allocation qemu:dirty-bitmap:b export: 'n2' + description: some text size: 4194304 flags: 0xced ( flush fua trim zeroes df cache fast-zero ) min block: 1
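Review bot: the qapi/block.json hunk documents @description as "Free-form description of the export. (Since 4.2)" but does not mention the limit that the blockdev-nbd.c hunk enforces, so a QMP user has no way to know that a description longer than NBD_MAX_STRING_SIZE (4096 bytes) is rejected. Add the bound to the doc comment, e.g. "Free-form description of the export, at most 4096 bytes. (Since 4.2)".

Review bot: in the blockdev-nbd.c qmp_nbd_server_add hunk, `error_setg(errp, "description '%s' too long", description)` echoes a string that is by construction longer than 4096 bytes into the QMP error reply. Report `strlen(description)` and NBD_MAX_STRING_SIZE instead of the text, matching whatever form the export-name check just above it settles on.

Review bot: both monitor/hmp-cmds.c hunks pass `false, NULL` for the new has_description/description pair, so the description is reachable from QMP only and the HMP nbd_server_add command does not "match the feature already present in qemu-nbd -D" as the commit message puts it. Either say in the commit message that HMP is intentionally left without it, or add a description parameter to hmp_nbd_server_add alongside the existing "writable" handling.

Review bot: the tests/qemu-iotests/223 hunk only exercises the accepted path (a short "some text" description that then shows up in 223.out). The rejection added in blockdev-nbd.c has no coverage; the test already has the pattern for it two lines up (`"bitmap":"b3"}}' "error" # Missing bitmap`), so one more _send_qemu_cmd with a description longer than 4096 bytes expecting "error" would cover the new check without a new output line.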