From: Alyssa Ross
To: devel@spectrum-os.org
Subject: [PATCH ucspi-vsock 2/7] vsock: check socket family before reading sockaddr
Date: Fri, 19 Mar 2021 02:56:45 +0000
Message-Id: <20210319025648.17925-2-hi@alyssa.is>
In-Reply-To: <20210319025349.8839-2-hi@alyssa.is>
References: <20210319025349.8839-2-hi@alyssa.is>

Extracting a helper function for this has the nice side effect of making the `cid' and `port' parameters to vsock_accept nullable, which is nice for consistency with vsock_get_cid_and_port.
---
This didn't matter so much in the world where the same program was responsible for both creating the socket and accepting connections on it, but now that we're splitting those up it's important that vsockserverd validates its input.

 vsock.c | 31 +++++++++++++++++++++++-------- vsock.h | 11 ++++++++++- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/vsock.c b/vsock.c index 99945c3..6f1f466 100644 --- a/vsock.c +++ b/vsock.c @@ -5,6 +5,7 @@ #include "vsock.h" +#include #include #include 
@@ -17,6 +18,25 @@ static void fill_sockaddr(struct sockaddr_vm *addr, uint32_t cid, uint32_t port) addr->svm_port = port; } +static int fill_cid_and_port(const struct sockaddr_vm *addr, + uint32_t *cid, uint32_t *port) +{ + // Check that this sockaddr info is actually for the socket + // type we think it is, or we could get some very confusing + // data out of it. + if (addr->svm_family != AF_VSOCK) { + errno = EPROTOTYPE; + return -1; + } + + if (cid) + *cid = addr->svm_cid; + if (port) + *port = addr->svm_port; + + return 0; +} + int vsock_bind(int fd, uint32_t cid, uint32_t port) { struct sockaddr_vm addr = { 0 }; @@ -37,8 +57,8 @@ int vsock_accept(int sockfd, uint32_t *cid, uint32_t *port) if ((fd = accept(sockfd, (struct sockaddr *)&addr, &addr_size)) == -1) return -1; - *cid = addr.svm_cid; - *port = addr.svm_port; + if (fill_cid_and_port(&addr, cid, port) == -1) + return -1; return fd; } @@ -70,10 +90,5 @@ int vsock_get_cid_and_port(int fd, uint32_t *cid, uint32_t *port) if (getsockname(fd, (struct sockaddr *)&addr, &addrlen) == -1) return -1; - if (cid) - *cid = addr.svm_cid; - if (port) - *port = addr.svm_port; - - return 0; + return fill_cid_and_port(&addr, cid, port); } diff --git a/vsock.h b/vsock.h index e7ffd62..0b7d157 100644 --- a/vsock.h +++ b/vsock.h 
@@ -3,11 +3,20 @@ #include +// All functions taking `cid'/`port' output parameters will fail with +// EPROTOTYPE if the given file descriptor is not an AF_VSOCK socket. +// The socket is left in an undefined state after this. +// +// `cid'/`port' output parameters can be NULL if the information is +// not required. +// +// A return value of -1 indicates failure. `errno' can be consulted for +// further information. + int vsock_bind(int fd, uint32_t cid, uint32_t port); int vsock_accept(int sockfd, uint32_t *cid, uint32_t *port); int vsock_connect(int fd, uint32_t cid, uint32_t port); int vsock_open(uint32_t cid, uint32_t port); -// `cid' and `port' can be null. int vsock_get_cid_and_port(int fd, uint32_t *cid, uint32_t *port); -- 2.30.0
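
Review bot: fill_cid_and_port() in the first vsock.c hunk checks `addr->svm_family` but is never told how many bytes accept() or getsockname() actually wrote into the buffer. The declarations of `addr` in vsock_accept and vsock_get_cid_and_port are outside the visible context; if either is not zero-initialized the way the one in vsock_bind is (`struct sockaddr_vm addr = { 0 };`), a zero-length address result leaves svm_family indeterminate and the check proves nothing. Consider passing the returned `addr_size`/`addrlen` into the helper and failing when it is smaller than sizeof(struct sockaddr_vm) before looking at the family field.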
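
Review bot: In the vsock_accept hunk, the new failure path `if (fill_cid_and_port(&addr, cid, port) == -1) return -1;` runs after accept() has already succeeded, so the accepted descriptor in `fd` is neither closed nor returned, and the caller cannot reach it. Since the stated goal is for vsockserverd to validate a listening socket it did not create, a wrong-family socket would leak one descriptor per accepted connection. Close `fd` on this path, saving errno before close() and restoring it afterwards so the caller still sees EPROTOTYPE.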
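
Review bot: The new vsock.h comment says "The socket is left in an undefined state after this" without saying which socket is meant. Only vsock_accept and vsock_get_cid_and_port take `cid'/`port' output parameters; for vsock_accept there are two sockets involved (the listening `sockfd` and the newly accepted connection), and for vsock_get_cid_and_port the only call made is getsockname(), which does not change the socket. Suggest documenting the EPROTOTYPE behaviour per function: what happens to the accepted connection in vsock_accept, and that `fd` is untouched in vsock_get_cid_and_port.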