[Libguestfs] [libnbd PATCH 3/3] api: Add new API nbd_set_pread_initialize()
Eric Blake
eblake at redhat.com
Thu Feb 10 14:50:07 UTC 2022
On Thu, Feb 10, 2022 at 09:38:30AM +0000, Richard W.M. Jones wrote:
> On Wed, Feb 09, 2022 at 04:07:26PM -0600, Eric Blake wrote:
> > + "set_pread_initialize", {
> > + default_call with
> > + args = [Bool "request"]; ret = RErr;
> > + shortdesc = "control whether libnbd pre-initializes read buffers";
> > + longdesc = "\
> > +By default, libnbd will pre-initialize the contents of a buffer
> > +passed to calls such as L<nbd_pread(3)> to all zeroes prior to checking
> > +for any other errors, so that even if a client application passed in an
> > +uninitialized buffer but fails to check for errors, it will not result
> > +in a potential security risk caused by an accidental leak of prior heap
> > +contents. However, for a client application that has audited that an
> > +uninitialized buffer is never dereferenced, or which performs its own
> > +pre-initialization, libnbd's sanitization efforts merely pessimize
> > +performance.
> > +
> > +Calling this function with C<request> set to false tells libnbd to
> > +skip the buffer initialization step in read commands.";
> > + see_also = [Link "get_pread_initialize";
> > + Link "set_strict_mode";
> > + Link "pread"; Link "pread_structured"; Link "aio_pread";
> > + Link "aio_pread_structured"];
> > + };
>
> Could it be worth mentioning CVE-2022-0485 by name in the text here?
> And/or linking to:
> https://listman.redhat.com/archives/libguestfs/2022-February/msg00104.html
Good idea, I went with:
diff --git i/generator/API.ml w/generator/API.ml
index 9b7eb545..aaba9951 100644
--- i/generator/API.ml
+++ w/generator/API.ml
@@ -784,14 +784,19 @@ "set_pread_initialize", {
shortdesc = "control whether libnbd pre-initializes read buffers";
longdesc = "\
By default, libnbd will pre-initialize the contents of a buffer
-passed to calls such as L<nbd_pread(3)> to all zeroes prior to checking
-for any other errors, so that even if a client application passed in an
-uninitialized buffer but fails to check for errors, it will not result
-in a potential security risk caused by an accidental leak of prior heap
-contents. However, for a client application that has audited that an
-uninitialized buffer is never dereferenced, or which performs its own
-pre-initialization, libnbd's sanitization efforts merely pessimize
-performance.
+passed to calls such as L<nbd_pread(3)> to all zeroes prior to
+checking for any other errors, so that even if a client application
+passed in an uninitialized buffer but fails to check for errors, it
+will not result in a potential security risk caused by an accidental
+leak of prior heap contents (see CVE-2022-0485 in
+L<libnbd-security(3)> for an example of a security hole in an
+application built against an earlier version of libnbd that lacked
+consistent pre-initialization). However, for a client application
+that has audited that an uninitialized buffer is never dereferenced,
+or which performs its own pre-initialization, libnbd's sanitization
+efforts merely pessimize performance (although the time spent in
+pre-initialization may pale in comparison to time spent waiting on
+network packets).
Calling this function with C<request> set to false tells libnbd to
skip the buffer initialization step in read commands.";
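Review bot: the new cross-reference L<libnbd-security(3)> in the parenthetical tells readers to look up CVE-2022-0485 by name in that man page, so confirm that page already carries an entry for that CVE and that the generated POD link resolves before this lands; otherwise the pointer sends users to a section that does not exist. One more thing worth a glance: the hunk header counts (14 old, 19 new) imply a blank line between "network packets)." and "Calling this function", which the archive rendering dropped, so check the paragraph break survives in the generated nbd_set_pread_initialize(3).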
>
> Anyway the whole patch series looks good, so:
>
> Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
Series is now checked in with amendments, as ab52914b..e0953cb7
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
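An added illustration of the behaviour the patch documents (this is not libnbd's code; `model_pread`, `stale_bytes_seen` and the export contents are constructed stand-ins): a read path that zeroes the caller's buffer before validating arguments leaves nothing from prior heap contents behind on an error return, even when the client ignores that return.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an NBD export: 64 bytes of sample data. */
#define EXPORT_SIZE 64
static uint8_t export_data[EXPORT_SIZE];

/* Hypothetical model of libnbd's pread path.  `initialize` plays the role
 * of nbd_set_pread_initialize(): when true, the caller's buffer is zeroed
 * before argument validation, so an early error return can never leave
 * prior heap contents in it.  Returns 0 on success, -1 (errno set) on error. */
static int model_pread(uint8_t *buf, size_t count, uint64_t offset, bool initialize)
{
    if (initialize)
        memset(buf, 0, count);      /* sanitize before any error check */

    if (count > EXPORT_SIZE || offset > EXPORT_SIZE - count) {
        errno = EINVAL;             /* out of range: buffer untouched unless initialized */
        return -1;
    }
    memcpy(buf, export_data + offset, count);
    return 0;
}

/* Simulates a careless client: the buffer starts out holding stale data
 * (0xAA standing in for prior heap contents), the read fails because the
 * offset is beyond the export, and the return value is ignored.  Returns
 * how many stale bytes the client would then go on to use. */
static size_t stale_bytes_seen(bool initialize)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);  /* constructed "prior heap contents" */
    (void) model_pread(buf, sizeof buf, EXPORT_SIZE + 1, initialize); /* error ignored */
    size_t stale = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == 0xAA)
            stale++;
    return stale;                   /* 0 with initialization, 16 without */
}

/* Successful in-range read; returns the byte read from export offset 5. */
static int read_ok(void)
{
    for (int i = 0; i < EXPORT_SIZE; i++)
        export_data[i] = (uint8_t) i;   /* constructed sample contents */
    uint8_t buf[8];
    if (model_pread(buf, sizeof buf, 4, true) != 0)
        return -1;
    return buf[1];                  /* export_data[5] == 5 */
}
```

The same ordering is what makes the documented default safe for an application that only later audits its error handling; flipping `initialize` to false is only appropriate once that audit has been done.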