Re: [PATCH v2 2/3] tun: Pad virtio header with zero

From: Michael S. Tsirkin
Date: Thu Jan 09 2025 - 02:42:33 EST


On Thu, Jan 09, 2025 at 02:31:37AM -0500, Michael S. Tsirkin wrote:
> On Thu, Jan 09, 2025 at 03:58:44PM +0900, Akihiko Odaki wrote:
> > tun used to simply advance iov_iter when it needs to pad virtio header,
> > which leaves the garbage in the buffer as is. This is especially
> > problematic when tun starts to allow enabling the hash reporting
> > feature; even if the feature is enabled, the packet may lack a hash
> > value and may contain a hole in the virtio header because the packet
> > arrived before the feature gets enabled or does not contain the
> > header fields to be hashed. If the hole is not filled with zero, it is
> > impossible to tell if the packet lacks a hash value.
> >
> > In theory, a user of tun can fill the buffer with zero before calling
> > read() to avoid such a problem, but leaving the garbage in the buffer is
> > awkward anyway so fill the buffer in tun.
> >
> > Signed-off-by: Akihiko Odaki <akihiko.odaki@xxxxxxxxxx>
>
> But if the user did it, you have just overwritten his value,
> did you not?


To clearify, I mean if user pre-filled buffer with 1, you have now
regressed it. Patch 3 fixes it back, but - not pretty.

> > ---
> > drivers/net/tun_vnet.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/tun_vnet.c b/drivers/net/tun_vnet.c
> > index fe842df9e9ef..ffb2186facd3 100644
> > --- a/drivers/net/tun_vnet.c
> > +++ b/drivers/net/tun_vnet.c
> > @@ -138,7 +138,8 @@ int tun_vnet_hdr_put(int sz, struct iov_iter *iter,
> > if (copy_to_iter(hdr, sizeof(*hdr), iter) != sizeof(*hdr))
> > return -EFAULT;
> >
> > - iov_iter_advance(iter, sz - sizeof(*hdr));
> > + if (iov_iter_zero(sz - sizeof(*hdr), iter) != sz - sizeof(*hdr))
> > + return -EFAULT;
> >
> > return 0;
> > }
> >
> > --
> > 2.47.1