search for: d854f48

Displaying 4 results from an estimated 4 matches for "d854f48".

2019 Apr 23
4
[PATCH nbdkit 0/2] Be careful not to leak heap memory to the client.
This bug was found by Eric Blake. In the .pread method we allocate a buffer in the server and pass it to the plugin. The plugin is supposed to fill it with data. The buffer was uninitialized so initially contained random heap data, but that's OK provided the plugin fully overwrote it with data. All correctly written plugins ought to do this, however there is the possibility of an
2019 Apr 23
0
[PATCH nbdkit 1/2] ocaml: Initialize pread buffer with zeroes to avoid leaking heap memory.
...ed to the client, possibly resulting in a leak of sensitive data. We can avoid this by initializing the array with zeroes. Credit: Eric Blake for finding the bug. --- plugins/ocaml/ocaml.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/plugins/ocaml/ocaml.c b/plugins/ocaml/ocaml.c index d854f48..7193842 100644 --- a/plugins/ocaml/ocaml.c +++ b/plugins/ocaml/ocaml.c @@ -444,6 +444,10 @@ pread_wrapper (void *h, void *buf, uint32_t count, uint64_t offset, caml_leave_blocking_section (); strv = caml_alloc_string (count); + /* Initialize the buffer with zeroes in case the plugin does...
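Review bot: in the pread_wrapper hunk, zero-filling strv right after `caml_alloc_string (count)` stops the heap leak but hides the underlying plugin bug. With this API the wrapper cannot tell how much of the buffer the plugin wrote, so a short fill is served to the client as zeroes that look like real disk data instead of being reported as an error. Consider having the plugin return its own buffer and failing the read when that buffer is shorter than count, so the defect surfaces rather than being masked.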
2019 Apr 23
0
[PATCH nbdkit v2 1/2] ocaml: Change pread method to avoid leaking heap memory.
...ng the bug. --- plugins/ocaml/ocaml.c | 16 ++++++++++++---- plugins/ocaml/NBDKit.ml | 4 ++-- plugins/ocaml/NBDKit.mli | 2 +- tests/test_ocaml_plugin.ml | 8 +++++--- 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/plugins/ocaml/ocaml.c b/plugins/ocaml/ocaml.c index d854f48..39704e2 100644 --- a/plugins/ocaml/ocaml.c +++ b/plugins/ocaml/ocaml.c @@ -439,15 +439,16 @@ pread_wrapper (void *h, void *buf, uint32_t count, uint64_t offset, uint32_t flags) { CAMLparam0 (); - CAMLlocal4 (rv, strv, offsetv, flagsv); + CAMLlocal4 (rv, countv, offsetv, flags...
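Review bot: the diffstat changes the pread signature in plugins/ocaml/NBDKit.mli and plugins/ocaml/NBDKit.ml, which will stop existing OCaml plugins from compiling, but no documentation file appears among the four files changed. Add a documentation update that describes the new pread contract (the count argument replacing the string in `CAMLlocal4 (rv, countv, offsetv, ...`, and what happens when the plugin returns too little data) so plugin authors know how to port their code.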
2019 Apr 23
4
[PATCH nbdkit v2 0/2] Be careful not to leak server heap memory to the client.
Version 1 was here: https://www.redhat.com/archives/libguestfs/2019-April/msg00144.html Version 2 makes a couple of much larger changes: The OCaml patch changes the API of the pread method so it matches what other language bindings are already doing, i.e. get the language plugin to return a newly allocated buffer, check it is long enough, copy out the data. The server patch implements a