From nobody Wed Mar 15 22:40:53 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PcQN54D3Lz3xtvW; Wed, 15 Mar 2023 22:40:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PcQN53hnzz47Yj; Wed, 15 Mar 2023 22:40:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678920053; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VBhUw2KEeclBdML5leEWssv7rvrwb6RDlzkQ7Fkb3wo=; b=C3DvDEH0IHb3wd7bDTOAUnnN7LCa2Me885GbezZ8nmPb/13QGZnwUeEGL8VcfUwHlQ/+4H pNi9ZWeWbi/KnSbfkfeNiKe5d74JpB3AHXj9fb3PfImk1BIQ2rzg8hX5OyUHvWzVU2xl+V /D8JekWg0cf+cMhz/sQgL0QDbtDGq5SoX+IH1sDHddL62+9nRJzO5c9wNqxOvXIvld3IX5 SRv0DOI6rJA0wU+z0lTgw8IvpVvkUHfYFtJLY/xKefj00ZYWX551IYqOOeZdbSwAIePFqB cMMNxG6sNuse0PRrh2zCZtzsScW6gQOPEdka8V2S7zjsq9CorS+k61thwrVZhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678920053; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VBhUw2KEeclBdML5leEWssv7rvrwb6RDlzkQ7Fkb3wo=; b=ve1AlBoDcNTOxPPH7sW6rhS9K6KzBXhg2ENGXhGPHkG0ZzK0Vpj3D9oAR0y0wsZOmARYBp miUXsBhVF1E6hx807rhOgDvsx7gWea3VRk8ProB3EdeN4U+HgFBR7U8bPgoFR7fdwy1rQN WIqy4Ze8AIFcgFKodAxe7PaRvATiPi0DpFUmrpJTjlbe3O5G4wHKFMflBjSprcf7h/VTTI C0lgYQaiK2ZMKaGiSF/rLWFwtWHXCbR/FHOxrVfvyuHQkt5Vzqub5m1ZqOKqFCIYXYxA7Z +uuXKkFXRjrrppQFjbVaYU4SpKwD1U/J+lV/3CVjJ4gFRnvitlpFfWBjtpH1tg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678920053; a=rsa-sha256; cv=none; b=i3JVW56FmFpjnhU4AfKLR5zMNMw7O+1+DfckX4+hBm/cCOc6NvzFyAOOkp7AsDozhheXaa WwFbGWrgTr4EuDksZpmI6/T+JnZxSDEF7PpiG64Id6gnjKs4noswjTUNMW2mOMY+eyquuL XvudzRr0e1JpwIpjTsD+oGysqXsy/WGCddCADt+lPj9YV2jGc2T3QNE5fh1tKK4vfR/Qw1 d5H4eya9PEBNWnfgOCTJbuyUw4xshb53M3KB5ueKuvgaTFQ9ceEz+hRdsG+Iq257zJhzb8 quuJmAmdt7xL1QHaUrb36rrIfHLlq6lot/JVa249PtHgo5awPy9+yZKjDrrtbA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PcQN52mTGzK2h; Wed, 15 Mar 2023 22:40:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32FMer74042483; Wed, 15 Mar 2023 22:40:53 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32FMerRI042482; Wed, 15 Mar 2023 22:40:53 GMT (envelope-from git) Date: Wed, 15 Mar 2023 22:40:53 GMT Message-Id: <202303152240.32FMerRI042482@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Alan Somers Subject: git: 3205b36fba10 - stable/13 - fusefs: fix a buffer overflow in the tests List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: asomers X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 3205b36fba10f31ac715957aa41fd0d1ccd41ec9 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by asomers: URL: https://cgit.FreeBSD.org/src/commit/?id=3205b36fba10f31ac715957aa41fd0d1ccd41ec9 commit 3205b36fba10f31ac715957aa41fd0d1ccd41ec9 Author: Alan Somers AuthorDate: 2023-02-22 00:13:56 +0000 Commit: Alan Somers CommitDate: 2023-03-15 22:39:40 +0000 fusefs: fix a buffer overflow in the tests The actual overflow occured in the ReadAhead.readahead test. Surprisingly it has never segfaulted or resulted in any bad behavior. Sponsored by: Axcient Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D38718 (cherry picked from commit 0c9df4afc239ee52961443e95bca8be81f0dea9e) --- tests/sys/fs/fusefs/bmap.cc | 2 ++ tests/sys/fs/fusefs/io.cc | 3 +++ tests/sys/fs/fusefs/mockfs.hh | 2 +- tests/sys/fs/fusefs/setattr.cc | 1 + tests/sys/fs/fusefs/utils.cc | 6 ++++++ tests/sys/fs/fusefs/write.cc | 2 ++ 6 files changed, 15 insertions(+), 1 deletion(-) diff --git a/tests/sys/fs/fusefs/bmap.cc b/tests/sys/fs/fusefs/bmap.cc index 56821f367a82..91d8ab563690 100644 --- a/tests/sys/fs/fusefs/bmap.cc +++ b/tests/sys/fs/fusefs/bmap.cc @@ -210,6 +210,8 @@ TEST_P(BmapEof, eof) _) ).WillOnce(Invoke(ReturnImmediate([=](auto in, auto& out) { size_t osize = in.body.read.size; + + assert(osize < sizeof(out.body.bytes)); out.header.len = sizeof(struct fuse_out_header) + osize; bzero(out.body.bytes, osize); }))); diff --git a/tests/sys/fs/fusefs/io.cc b/tests/sys/fs/fusefs/io.cc index 1502bd263f51..a8815434c6d8 100644 --- a/tests/sys/fs/fusefs/io.cc +++ b/tests/sys/fs/fusefs/io.cc @@ -141,6 +141,8 @@ void SetUp() ssize_t isize = in.body.write.size; off_t iofs = in.body.write.offset; + assert((size_t)isize <= sizeof(in.body.bytes) - + sizeof(struct fuse_write_in)); ASSERT_EQ(isize, pwrite(m_backing_fd, buf, isize, iofs)) << strerror(errno); SET_OUT_HEADER_LEN(out, write); @@ -158,6 +160,7 @@ void SetUp() void *buf = out.body.bytes; ssize_t osize; + assert((size_t)isize <= sizeof(out.body.bytes)); osize = pread(m_backing_fd, buf, isize, iofs); ASSERT_LE(0, osize) << strerror(errno); out.header.len = sizeof(struct fuse_out_header) + osize; diff --git a/tests/sys/fs/fusefs/mockfs.hh b/tests/sys/fs/fusefs/mockfs.hh index 121d985e56fe..edbaf7ef770f 100644 --- a/tests/sys/fs/fusefs/mockfs.hh +++ b/tests/sys/fs/fusefs/mockfs.hh @@ -206,7 +206,7 @@ union fuse_payloads_out { * The protocol places no limits on the size of bytes. Choose * a size big enough for anything we'll test. */ - uint8_t bytes[0x20000]; + uint8_t bytes[0x40000]; fuse_entry_out entry; fuse_entry_out_7_8 entry_7_8; fuse_lk_out getlk; diff --git a/tests/sys/fs/fusefs/setattr.cc b/tests/sys/fs/fusefs/setattr.cc index e245c274ba07..e08f2124e06f 100644 --- a/tests/sys/fs/fusefs/setattr.cc +++ b/tests/sys/fs/fusefs/setattr.cc @@ -530,6 +530,7 @@ TEST_F(Setattr, truncate_discards_cached_data) { auto osize = std::min( static_cast(cur_size) - in.body.read.offset, static_cast(in.body.read.size)); + assert(osize <= sizeof(out.body.bytes)); out.header.len = sizeof(struct fuse_out_header) + osize; if (should_have_data) memset(out.body.bytes, 'X', osize); diff --git a/tests/sys/fs/fusefs/utils.cc b/tests/sys/fs/fusefs/utils.cc index d4edca5ca945..b13ecfd9cb88 100644 --- a/tests/sys/fs/fusefs/utils.cc +++ b/tests/sys/fs/fusefs/utils.cc @@ -400,6 +400,7 @@ void FuseTest::expect_read(uint64_t ino, uint64_t offset, uint64_t isize, }, Eq(true)), _) ).WillOnce(Invoke(ReturnImmediate([=](auto in __unused, auto& out) { + assert(osize <= sizeof(out.body.bytes)); out.header.len = sizeof(struct fuse_out_header) + osize; memmove(out.body.bytes, contents, osize); }))).RetiresOnSaturation(); @@ -502,6 +503,8 @@ void FuseTest::expect_write(uint64_t ino, uint64_t offset, uint64_t isize, bool pid_ok; uint32_t wf = in.body.write.write_flags; + assert(isize <= sizeof(in.body.bytes) - + sizeof(struct fuse_write_in)); if (wf & FUSE_WRITE_CACHE) pid_ok = true; else @@ -534,6 +537,9 @@ void FuseTest::expect_write_7_8(uint64_t ino, uint64_t offset, uint64_t isize, const char *buf = (const char*)in.body.bytes + FUSE_COMPAT_WRITE_IN_SIZE; bool pid_ok = (pid_t)in.header.pid == getpid(); + + assert(isize <= sizeof(in.body.bytes) - + FUSE_COMPAT_WRITE_IN_SIZE); return (in.header.opcode == FUSE_WRITE && in.header.nodeid == ino && in.body.write.fh == FH && diff --git a/tests/sys/fs/fusefs/write.cc b/tests/sys/fs/fusefs/write.cc index 4e76414a601a..800376395e97 100644 --- a/tests/sys/fs/fusefs/write.cc +++ b/tests/sys/fs/fusefs/write.cc @@ -97,6 +97,8 @@ void maybe_expect_write(uint64_t ino, uint64_t offset, uint64_t size, const char *buf = (const char*)in.body.bytes + sizeof(struct fuse_write_in); + assert(size <= sizeof(in.body.bytes) - + sizeof(struct fuse_write_in)); return (in.header.opcode == FUSE_WRITE && in.header.nodeid == ino && in.body.write.offset == offset &&