git: 0c9df4afc239 - main - fusefs: fix a buffer overflow in the tests
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 22 Feb 2023 17:03:25 UTC
The branch main has been updated by asomers:
URL: https://cgit.FreeBSD.org/src/commit/?id=0c9df4afc239ee52961443e95bca8be81f0dea9e
commit 0c9df4afc239ee52961443e95bca8be81f0dea9e
Author: Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-02-22 00:13:56 +0000
Commit: Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-02-22 17:03:01 +0000
fusefs: fix a buffer overflow in the tests
The actual overflow occured in the ReadAhead.readahead test.
Surprisingly it has never segfaulted or resulted in any bad behavior.
MFC after: 1 week
Sponsored by: Axcient
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D38718
---
tests/sys/fs/fusefs/bmap.cc | 2 ++
tests/sys/fs/fusefs/fallocate.cc | 3 +++
tests/sys/fs/fusefs/io.cc | 3 +++
tests/sys/fs/fusefs/mockfs.hh | 2 +-
tests/sys/fs/fusefs/setattr.cc | 1 +
tests/sys/fs/fusefs/utils.cc | 6 ++++++
tests/sys/fs/fusefs/write.cc | 2 ++
7 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/tests/sys/fs/fusefs/bmap.cc b/tests/sys/fs/fusefs/bmap.cc
index 56821f367a82..91d8ab563690 100644
--- a/tests/sys/fs/fusefs/bmap.cc
+++ b/tests/sys/fs/fusefs/bmap.cc
@@ -210,6 +210,8 @@ TEST_P(BmapEof, eof)
_)
).WillOnce(Invoke(ReturnImmediate([=](auto in, auto& out) {
size_t osize = in.body.read.size;
+
+ assert(osize < sizeof(out.body.bytes));
out.header.len = sizeof(struct fuse_out_header) + osize;
bzero(out.body.bytes, osize);
})));
diff --git a/tests/sys/fs/fusefs/fallocate.cc b/tests/sys/fs/fusefs/fallocate.cc
index 7ad2644980cf..e9d0ea997aa1 100644
--- a/tests/sys/fs/fusefs/fallocate.cc
+++ b/tests/sys/fs/fusefs/fallocate.cc
@@ -70,6 +70,7 @@ void expect_vop_stddeallocate(uint64_t ino, uint64_t off, uint64_t length)
}, Eq(true)),
_)
).WillOnce(Invoke(ReturnImmediate([=](auto in, auto& out) {
+ assert(in.body.read.size <= sizeof(out.body.bytes));
out.header.len = sizeof(struct fuse_out_header) +
in.body.read.size;
memset(out.body.bytes, 'X', in.body.read.size);
@@ -79,6 +80,8 @@ void expect_vop_stddeallocate(uint64_t ino, uint64_t off, uint64_t length)
const char *buf = (const char*)in.body.bytes +
sizeof(struct fuse_write_in);
+ assert(length <= sizeof(in.body.bytes) -
+ sizeof(struct fuse_write_in));
return (in.header.opcode == FUSE_WRITE &&
in.header.nodeid == ino &&
in.body.write.offset == off &&
diff --git a/tests/sys/fs/fusefs/io.cc b/tests/sys/fs/fusefs/io.cc
index 1502bd263f51..a8815434c6d8 100644
--- a/tests/sys/fs/fusefs/io.cc
+++ b/tests/sys/fs/fusefs/io.cc
@@ -141,6 +141,8 @@ void SetUp()
ssize_t isize = in.body.write.size;
off_t iofs = in.body.write.offset;
+ assert((size_t)isize <= sizeof(in.body.bytes) -
+ sizeof(struct fuse_write_in));
ASSERT_EQ(isize, pwrite(m_backing_fd, buf, isize, iofs))
<< strerror(errno);
SET_OUT_HEADER_LEN(out, write);
@@ -158,6 +160,7 @@ void SetUp()
void *buf = out.body.bytes;
ssize_t osize;
+ assert((size_t)isize <= sizeof(out.body.bytes));
osize = pread(m_backing_fd, buf, isize, iofs);
ASSERT_LE(0, osize) << strerror(errno);
out.header.len = sizeof(struct fuse_out_header) + osize;
diff --git a/tests/sys/fs/fusefs/mockfs.hh b/tests/sys/fs/fusefs/mockfs.hh
index 121d985e56fe..edbaf7ef770f 100644
--- a/tests/sys/fs/fusefs/mockfs.hh
+++ b/tests/sys/fs/fusefs/mockfs.hh
@@ -206,7 +206,7 @@ union fuse_payloads_out {
* The protocol places no limits on the size of bytes. Choose
* a size big enough for anything we'll test.
*/
- uint8_t bytes[0x20000];
+ uint8_t bytes[0x40000];
fuse_entry_out entry;
fuse_entry_out_7_8 entry_7_8;
fuse_lk_out getlk;
diff --git a/tests/sys/fs/fusefs/setattr.cc b/tests/sys/fs/fusefs/setattr.cc
index e245c274ba07..e08f2124e06f 100644
--- a/tests/sys/fs/fusefs/setattr.cc
+++ b/tests/sys/fs/fusefs/setattr.cc
@@ -530,6 +530,7 @@ TEST_F(Setattr, truncate_discards_cached_data) {
auto osize = std::min(
static_cast<uint64_t>(cur_size) - in.body.read.offset,
static_cast<uint64_t>(in.body.read.size));
+ assert(osize <= sizeof(out.body.bytes));
out.header.len = sizeof(struct fuse_out_header) + osize;
if (should_have_data)
memset(out.body.bytes, 'X', osize);
diff --git a/tests/sys/fs/fusefs/utils.cc b/tests/sys/fs/fusefs/utils.cc
index d4edca5ca945..b13ecfd9cb88 100644
--- a/tests/sys/fs/fusefs/utils.cc
+++ b/tests/sys/fs/fusefs/utils.cc
@@ -400,6 +400,7 @@ void FuseTest::expect_read(uint64_t ino, uint64_t offset, uint64_t isize,
}, Eq(true)),
_)
).WillOnce(Invoke(ReturnImmediate([=](auto in __unused, auto& out) {
+ assert(osize <= sizeof(out.body.bytes));
out.header.len = sizeof(struct fuse_out_header) + osize;
memmove(out.body.bytes, contents, osize);
}))).RetiresOnSaturation();
@@ -502,6 +503,8 @@ void FuseTest::expect_write(uint64_t ino, uint64_t offset, uint64_t isize,
bool pid_ok;
uint32_t wf = in.body.write.write_flags;
+ assert(isize <= sizeof(in.body.bytes) -
+ sizeof(struct fuse_write_in));
if (wf & FUSE_WRITE_CACHE)
pid_ok = true;
else
@@ -534,6 +537,9 @@ void FuseTest::expect_write_7_8(uint64_t ino, uint64_t offset, uint64_t isize,
const char *buf = (const char*)in.body.bytes +
FUSE_COMPAT_WRITE_IN_SIZE;
bool pid_ok = (pid_t)in.header.pid == getpid();
+
+ assert(isize <= sizeof(in.body.bytes) -
+ FUSE_COMPAT_WRITE_IN_SIZE);
return (in.header.opcode == FUSE_WRITE &&
in.header.nodeid == ino &&
in.body.write.fh == FH &&
diff --git a/tests/sys/fs/fusefs/write.cc b/tests/sys/fs/fusefs/write.cc
index 4e76414a601a..800376395e97 100644
--- a/tests/sys/fs/fusefs/write.cc
+++ b/tests/sys/fs/fusefs/write.cc
@@ -97,6 +97,8 @@ void maybe_expect_write(uint64_t ino, uint64_t offset, uint64_t size,
const char *buf = (const char*)in.body.bytes +
sizeof(struct fuse_write_in);
+ assert(size <= sizeof(in.body.bytes) -
+ sizeof(struct fuse_write_in));
return (in.header.opcode == FUSE_WRITE &&
in.header.nodeid == ino &&
in.body.write.offset == offset &&