[Libguestfs] [nbdkit PATCH] connections: Don't use uninit memory on early client EOF

Richard W.M. Jones rjones at redhat.com
Fri Dec 21 07:56:13 UTC 2018 

On Thu, Dec 20, 2018 at 08:57:02PM -0600, Eric Blake wrote:
> Fuzzing with afl found a bug where a 27 byte client sequence
> can cause nbdkit to report a strange error message:
> 
> $ printf %s $'000\1IHAVEOPT000\6'$'000\7'$'000\1x00' | tr 0 '\0' |
>   ./nbdkit -s memory size=1m >/dev/null
> nbdkit: memory: error: client exceeded maximum number of options (32)
> 
> The culprit? The client is hanging up on a message boundary,
> so conn->recv() returns 0 for EOF instead of -1 for read error,
> and our code blindly continues on in a for loop (re-)parsing
> the leftover data from the previous option.
> 
> Let's fix things to uniformly quit trying to negotiate with a client
> that has early EOF at a message boundary, just as we do for one that
> quits mid-field, with the one difference that we treat a message
> boundary as a warning instead of an error because a client hanging up
> after an option response that it didn't like (rather than sending
> NBD_OPT_ABORT to inform the server that it won't be negotiating
> further) is a surprisingly common behavior among some existing clients.
> 
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>  src/connections.c | 60 ++++++++++++++++++++++++++++++-----------------
>  1 file changed, 39 insertions(+), 21 deletions(-)
> 
> diff --git a/src/connections.c b/src/connections.c
> index 58ed6b0..577f466 100644
> --- a/src/connections.c
> +++ b/src/connections.c
> @@ -600,6 +600,31 @@ send_newstyle_option_reply_info_export (struct connection *conn,
>    return 0;
>  }
> 
> +/* Sub-function during _negotiate_handshake_newstyle, to uniformly handle
> + * a client hanging up on a message boundary.
> + */
> +static int __attribute__ ((format (printf, 4, 5)))
> +conn_recv_full (struct connection *conn, void *buf, size_t len,
> +                const char *fmt, ...)
> +{
> +  int r = conn->recv (conn, buf, len);
> +  va_list args;
> +
> +  if (r == -1) {
> +    va_start (args, fmt);
> +    nbdkit_verror (fmt, args);
> +    va_end (args);
> +    return -1;
> +  }
> +  if (r == 0) {
> +    /* During negotiation, client EOF on message boundary is less
> +     * severe than failure in the middle of the buffer. */
> +    debug ("client closed input socket, closing connection");
> +    return -1;
> +  }
> +  return r;
> +}
> +
>  /* Sub-function of _negotiate_handshake_newstyle_options below.  It
>   * must be called on all non-error paths out of the options for-loop
>   * in that function.
> @@ -639,10 +664,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
>    const char *optname;
> 
>    for (nr_options = 0; nr_options < MAX_NR_OPTIONS; ++nr_options) {
> -    if (conn->recv (conn, &new_option, sizeof new_option) == -1) {
> -      nbdkit_error ("read: %m");
> +    if (conn_recv_full (conn, &new_option, sizeof new_option,
> +                        "read: %m") == -1)
>        return -1;
> -    }
> 
>      version = be64toh (new_option.version);
>      if (version != NEW_VERSION) {
> @@ -675,10 +699,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
> 
>      switch (option) {
>      case NBD_OPT_EXPORT_NAME:
> -      if (conn->recv (conn, data, optlen) == -1) {
> -        nbdkit_error ("read: %s: %m", name_of_nbd_opt (option));
> +      if (conn_recv_full (conn, data, optlen,
> +                          "read: %s: %m", name_of_nbd_opt (option)) == -1)
>          return -1;
> -      }
>        /* Apart from printing it, ignore the export name. */
>        data[optlen] = '\0';
>        debug ("newstyle negotiation: %s: "
> @@ -715,10 +738,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
>          if (send_newstyle_option_reply (conn, option, NBD_REP_ERR_INVALID)
>              == -1)
>            return -1;
> -        if (conn->recv (conn, data, optlen) == -1) {
> -          nbdkit_error ("read: %s: %m", name_of_nbd_opt (option));
> +        if (conn_recv_full (conn, data, optlen,
> +                            "read: %s: %m", name_of_nbd_opt (option)) == -1)
>            return -1;
> -        }
>          continue;
>        }
> 
> @@ -738,10 +760,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
>          if (send_newstyle_option_reply (conn, option, NBD_REP_ERR_INVALID)
>              == -1)
>            return -1;
> -        if (conn->recv (conn, data, optlen) == -1) {
> -          nbdkit_error ("read: %s: %m", name_of_nbd_opt (option));
> +        if (conn_recv_full (conn, data, optlen,
> +                            "read: %s: %m", name_of_nbd_opt (option)) == -1)
>            return -1;
> -        }
>          continue;
>        }
> 
> @@ -780,10 +801,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
>      case NBD_OPT_INFO:
>      case NBD_OPT_GO:
>        optname = name_of_nbd_opt (option);
> -      if (conn->recv (conn, data, optlen) == -1) {
> -        nbdkit_error ("read: %s: %m", optname);
> +      if (conn_recv_full (conn, data, optlen,
> +                          "read: %s: %m", optname) == -1)
>          return -1;
> -      }
> 
>        if (optlen < 6) { /* 32 bit export length + 16 bit nr info */
>          debug ("newstyle negotiation: %s option length < 6", optname);
> @@ -880,10 +900,9 @@ _negotiate_handshake_newstyle_options (struct connection *conn)
>        /* Unknown option. */
>        if (send_newstyle_option_reply (conn, option, NBD_REP_ERR_UNSUP) == -1)
>          return -1;
> -      if (conn->recv (conn, data, optlen) == -1) {
> -        nbdkit_error ("read: %m");
> +      if (conn_recv_full (conn, data, optlen,
> +                          "read: %m") == -1)
>          return -1;
> -      }
>      }
> 
>      /* Note, since it's not very clear from the protocol doc, that the
> @@ -931,10 +950,9 @@ _negotiate_handshake_newstyle (struct connection *conn)
>    }
> 
>    /* Client now sends us its 32 bit flags word ... */
> -  if (conn->recv (conn, &conn->cflags, sizeof conn->cflags) == -1) {
> -    nbdkit_error ("read: %m");
> +  if (conn_recv_full (conn, &conn->cflags, sizeof conn->cflags,
> +                      "read: %m") == -1)
>      return -1;
> -  }
>    conn->cflags = be32toh (conn->cflags);
>    /* ... which we check for accuracy. */
>    debug ("newstyle negotiation: client flags: 0x%x", conn->cflags);
> -- 
> 2.17.2

Thanks for diagnosing this.

I have pushed the patch because I wanted to continue with fuzzing.
There are some small changes (only in the error message text) because
I rebased it on top of a patch I had queued up to improve error
reporting.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

More information about the Libguestfs mailing list