hurd: Protect against servers returning bogus read/write lengths

There already was a branch checking for this case in _hurd_fd_read () when the data is returned out-of-line. Do the same for inline data, as well as for _hurd_fd_write (). It's also not possible for the length to be negative, since it's stored in an unsigned integer. Not verifying the returned length can confuse the callers who assume the returned length is always reasonable. This manifested as libzstd test suite failing on writes to /dev/zero, even though the write () call appeared to succeed. In fact, the zero store backing /dev/zero was returning a larger written length than the size actually submitted to it, which is a separate bug to be fixed on the Hurd side. With this patch, EGRATUITOUS is now propagated to the caller. Reported-by: Diego Nieto Cid <dnietoc@gmail.com> Signed-off-by: Sergey Bugaev <bugaevc@gmail.com> Message-ID: <20241204112915.540032-1-bugaevc@gmail.com>
2024-12-04 14:29:15 +03:00 · 2024-12-04 14:29:15 +03:00 · 8cbab3b729
parent 00de38e531
commit 8cbab3b729
2 changed files with 14 additions and 8 deletions
--- a/hurd/fd-read.c
+++ b/hurd/fd-read.c
@ -38,13 +38,15 @@ _hurd_fd_read (struct hurd_fd *fd, void *buf, size_t *nbytes, loff_t offset)
  if (err = HURD_FD_PORT_USE_CANCEL (fd, _hurd_ctty_input (port, ctty, readfd)))
    return err;

+  if (__glibc_unlikely (nread > *nbytes))	/* Sanity check for bogus server.  */
+    {
+      if (data != buf)
+	__vm_deallocate (__mach_task_self (), (vm_address_t) data, nread);
+      return EGRATUITOUS;
+    }
+
  if (data != buf)
    {
-      if (nread > *nbytes)	/* Sanity check for bogus server.  */
-	{
-	  __vm_deallocate (__mach_task_self (), (vm_address_t) data, nread);
-	  return EGRATUITOUS;
-	}
      memcpy (buf, data, nread);
      __vm_deallocate (__mach_task_self (), (vm_address_t) data, nread);
    }
--- a/hurd/fd-write.c
+++ b/hurd/fd-write.c
@ -34,9 +34,13 @@ _hurd_fd_write (struct hurd_fd *fd,
    }

  err = HURD_FD_PORT_USE_CANCEL (fd, _hurd_ctty_output (port, ctty, writefd));
+  if (err)
+    return err;

-  if (! err)
-    *nbytes = wrote;
+  if (__glibc_unlikely (wrote > *nbytes))	/* Sanity check for bogus server.  */
+    return EGRATUITOUS;

-  return err;
+  *nbytes = wrote;
+
+  return 0;
 }