[Libguestfs] [PATCH nbdkit v2 2/2] server: Use a thread-local pread/pwrite buffer to avoid leaking heap data.
Richard W.M. Jones
rjones at redhat.com
Tue Apr 23 15:53:07 UTC 2019
On Tue, Apr 23, 2019 at 10:31:06AM -0500, Eric Blake wrote:
> On 4/23/19 10:09 AM, Richard W.M. Jones wrote:
> > If the plugin .pread method did not fill the buffer with data then the
> > contents of the heap could be leaked back to the client. To avoid
> > this create a thread-local data buffer which is initialized to zero
> > and expanded (with zeroes) as required.
> >
> > This buffer is shared between pread and pwrite which makes the code a
> > little bit simpler. Also this may improve locality by reusing the
> > same memory for all pread and pwrite calls in the same thread.
> >
> > I have checked plugins shipped with nbdkit and none of them are
> > vulnerable in this way. They all do one of these things:
> >
> > - They fully set the buffer with a single call to something like
> > memcpy, memset, etc.
> >
> > - They use a loop like ‘while (count > 0)’ and correctly update count
> > and the buffer pointer on each iteration.
> >
> > - For language plugins (except OCaml), they check that the string
> > length returned from the language plugin is at least as long as the
> > requested data, before memcpy-ing the data to the return buffer.
> >
> > - For OCaml, see the previous commit.
>
> Could merge these last two paragraphs into one and drop the special-case
> mention of OCaml (now that the previous commit makes OCaml like all the
> other plugins).
>
> >
> > Of course I cannot check plugins which may be supplied by others.
> >
> > Credit: Eric Blake for finding the bug.
> > ---
> > server/internal.h | 1 +
> > server/protocol.c | 16 +++++++++-------
> > server/threadlocal.c | 37 +++++++++++++++++++++++++++++++++++++
> > 3 files changed, 47 insertions(+), 7 deletions(-)
> >
>
> > if (cmd == NBD_CMD_READ || cmd == NBD_CMD_WRITE) {
> > - buf = malloc (count);
> > + buf = threadlocal_buffer ((size_t) count);
> > if (buf == NULL) {
> > - out_of_memory:
> > - perror ("malloc");
> > error = ENOMEM;
>
> Old code called perror() when nbdkit_extents_new() failed...
Yes, I believe that was a mistake. nbdkit_extents_new already calls
nbdkit_error so calling perror isn't necessary. Perhaps I should
split this into a separate patch.
> > if (cmd == NBD_CMD_WRITE &&
> > skip_over_write_buffer (conn->sockin, count) < 0)
> > @@ -673,8 +673,10 @@ protocol_recv_request_send_reply (struct connection *conn)
> > /* Allocate the extents list for block status only. */
> > if (cmd == NBD_CMD_BLOCK_STATUS) {
> > extents = nbdkit_extents_new (offset, conn->exportsize);
> > - if (extents == NULL)
> > - goto out_of_memory;
> > + if (extents == NULL) {
> > + error = ENOMEM;
> > + goto send_reply;
> > + }
>
> ...new code does not. nbdkit_error() might be nicer than perror()
> anyways. I'll let you decide what, if any, error reporting needs to be
> done beyond merely sending ENOMEM to the client.
>
>
> > +extern void *
> > +threadlocal_buffer (size_t size)
> > +{
> > + struct threadlocal *threadlocal = pthread_getspecific (threadlocal_key);
> > +
> > + if (!threadlocal)
> > + abort ();
> > +
> > + if (threadlocal->buffer_size < size) {
> > + void *ptr;
> > +
> > + ptr = realloc (threadlocal->buffer, size);
> > + if (ptr == NULL) {
> > + nbdkit_error ("threadlocal_buffer: realloc: %m");
> > + return NULL;
> > + }
> > + memset (ptr, 0, size);
>
> You could memset just the tail of the enlarged buffer compared to its
> previous size, but this is fine, too.
>
> > + threadlocal->buffer = ptr;
> > + threadlocal->buffer_size = size;
> > + }
> > +
> > + return threadlocal->buffer;
> > +}
> >
>
> Other than my question about extent allocation failure, LGTM.
OK, I'll split that other thing out into a separate patch, and
push it all.
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
More information about the Libguestfs
mailing list