vmm: validate virtio-fs tag length

Signed-off-by: Wei Liu <liuwe@microsoft.com>
2024-12-22 05:35:20 +00:00 · 2024-04-04 16:27:23 +00:00 · 2024-04-04 16:27:23 +00:00 · f3b0f59646
commit f3b0f59646
parent f09f5af16a
2 changed files with 13 additions and 2 deletions
--- a/virtio-devices/src/vhost_user/fs.rs
+++ b/virtio-devices/src/vhost_user/fs.rs
@ -271,17 +271,18 @@ impl VhostUserFrontendReqHandler for BackendReqHandler {
    }
 }

+pub const VIRTIO_FS_TAG_LEN: usize = 36;
 #[derive(Copy, Clone, Versionize)]
 #[repr(C, packed)]
 pub struct VirtioFsConfig {
-    pub tag: [u8; 36],
+    pub tag: [u8; VIRTIO_FS_TAG_LEN],
    pub num_request_queues: u32,
 }

 impl Default for VirtioFsConfig {
    fn default() -> Self {
        VirtioFsConfig {
-            tag: [0; 36],
+            tag: [0; VIRTIO_FS_TAG_LEN],
            num_request_queues: 0,
        }
    }
--- a/vmm/src/config.rs
+++ b/vmm/src/config.rs
@ -24,6 +24,8 @@ const MAX_NUM_PCI_SEGMENTS: u16 = 96;
 pub enum Error {
    /// Filesystem tag is missing
    ParseFsTagMissing,
+    /// Filesystem tag is too long
+    ParseFsTagTooLong,
    /// Filesystem socket is missing
    ParseFsSockMissing,
    /// Missing persistent memory file parameter.
@ -355,6 +357,11 @@ impl fmt::Display for Error {
            ParseFileSystem(o) => write!(f, "Error parsing --fs: {o}"),
            ParseFsSockMissing => write!(f, "Error parsing --fs: socket missing"),
            ParseFsTagMissing => write!(f, "Error parsing --fs: tag missing"),
+            ParseFsTagTooLong => write!(
+                f,
+                "Error parsing --fs: max tag length is {}",
+                virtio_devices::vhost_user::VIRTIO_FS_TAG_LEN
+            ),
            ParsePersistentMemory(o) => write!(f, "Error parsing --pmem: {o}"),
            ParsePmemFileMissing => write!(f, "Error parsing --pmem: file missing"),
            ParseVsock(o) => write!(f, "Error parsing --vsock: {o}"),
@ -1519,6 +1526,9 @@ impl FsConfig {
        parser.parse(fs).map_err(Error::ParseFileSystem)?;

        let tag = parser.get("tag").ok_or(Error::ParseFsTagMissing)?;
+        if tag.len() > virtio_devices::vhost_user::VIRTIO_FS_TAG_LEN {
+            return Err(Error::ParseFsTagTooLong);
+        }
        let socket = PathBuf::from(parser.get("socket").ok_or(Error::ParseFsSockMissing)?);

        let queue_size = parser