[Libguestfs] [libnbd PATCH 2/3] api: Guarantee sanitized buffer on pread failure
Eric Blake
eblake at redhat.com
Thu Feb 10 14:19:40 UTC 2022
On Thu, Feb 10, 2022 at 02:51:56PM +0100, Laszlo Ersek wrote:
> On 02/09/22 23:07, Eric Blake wrote:
> > As mentioned in the previous patch, we left the state of the buffer
> > undefined if we fail pread prior to attempting NBD_CMD_READ. Better
> > is to tweak the generator to sanitize the buffer unconditionally, as a
> > way of hardening against potential bugs in client applications that
> > fail to check for errors, but which should not be leaking
> > uninitialized data. In the process, we can document that the contents
> > of buf are now merely unspecified, rather than undefined (valgrind
> > will no longer complain if you read buf, regardless of how nbd_pread
> > failed).
> >
> > As always calling memset() can be a performance hit if the client also
> > sanitizes the buffer or is willing to take the audit risk, the next
> > patch will add a knob that allows the client to control when this
> > happens.
> > ---
> >
> > + (* Sanitize read buffers before any error is possible. *)
> > + List.iter (
> > + function
> > + | BytesOut (n, count)
> > + | BytesPersistOut (n, count) ->
> > + pr " memset (%s, 0, %s);\n" n count
> > + | _ -> ()
> > + ) args;
> > +
> > (* Check current state is permitted for this call. *)
> > if permitted_states <> [] then (
> > let value = match errcode with
>
> It tends to assist reviewers if you include a diff in the cover letter
> (or better yet, in the Notes section of the patch, suitably
> quoted/escaped) that shows the effect of the patch on the generated C
> source code.
Good idea. I'm adding the following to the commit message:
This patch causes changes to just the four APIs
nbd_{aio_,}pread{,_structured}, with the generated lib/api.c changes
looking like:
| --- lib/api.c.bak 2022-02-10 08:15:05.418371357 -0600
| +++ lib/api.c 2022-02-10 08:15:13.224372023 -0600
| @@ -2871,6 +2871,7 @@ nbd_pread (struct nbd_handle *h, void *b
| debug (h, "enter: buf=<buf> count=%zu offset=%" PRIu64 " flags=0x%x", count, offset, flags);
| }
|
| + memset (buf, 0, count);
| if (unlikely (!pread_in_permitted_state (h))) {
| ret = -1;
| goto out;
and similar in patch 3/3, which does
- memset (buf, 0, count);
+ if (h->pread_initialize)
+ memset (buf, 0, count);
>
> That said:
>
> Acked-by: Laszlo Ersek <lersek at redhat.com>
>
> Thanks,
> Laszlo
Thanks for the careful reviews.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
More information about the Libguestfs
mailing list