similar to: [PATCH nbdkit 0/2] Be careful not to leak heap memory to the client.

Version 1 was here: https://www.redhat.com/archives/libguestfs/2019-April/msg00144.html Version 2 makes a couple of much larger changes: The OCaml patch changes the API of the pread method so it matches what other language bindings are already doing, ie. get the language plugin to return a newly allocated buffer, check it is long enough, copy out the data. The server patch implements a

In the C part of the OCaml plugin we create a ‘bytes’ [byte array] and pass it to the OCaml pread method. The plugin should overwrite the array with the returned data. However if (eg. because of a bug) the plugin does not fill the array then whatever was in the OCaml or possibly even the C heap before the allocation is returned to the client, possibly resulting in a leak of sensitive data. We

On 4/23/19 10:09 AM, Richard W.M. Jones wrote: > If the plugin .pread method did not fill the buffer with data then the > contents of the heap could be leaked back to the client. To avoid > this create a thread-local data buffer which is initialized to zero > and expanded (with zeroes) as required. > > This buffer is shared between pread and pwrite which makes the code a >

In the C part of the OCaml plugin we created a ‘bytes’ [byte array] and passed it to the OCaml pread method. The plugin is supposed to overwrite the array with the returned data. However if (eg. because of a bug) the plugin does not fill the array then whatever was in the OCaml or possibly even the C heap before the allocation is returned to the client, possibly resulting in a leak of sensitive

On Thu, Jan 26, 2017 at 08:58:34PM -0600, Eric Blake wrote: > diff --git a/plugins/ocaml/ocaml.c b/plugins/ocaml/ocaml.c > index e2b433e..5d7aeeb 100644 > --- a/plugins/ocaml/ocaml.c > +++ b/plugins/ocaml/ocaml.c > @@ -499,6 +499,17 @@ SET(pwrite) > SET(flush) > SET(trim) > > +/* We can't guarantee that errno is stable across language binding > + * glue code,

This cleans up the existing code base with regards to implicit use of errno from language bindings, then rebases the previous work in python on top of that. I'm still playing with the perl bindings, but got further after reading 'perldoc perlembed'. Eric Blake (4): plugins: Don't use bogus errno from non-C plugins plugins: Add new nbdkit_set_error() utility function python:

On 4/23/19 10:09 AM, Richard W.M. Jones wrote: > In the C part of the OCaml plugin we created a ‘bytes’ [byte array] > and passed it to the OCaml pread method. The plugin is supposed to > overwrite the array with the returned data. > > However if (eg. because of a bug) the plugin does not fill the array > then whatever was in the OCaml or possibly even the C heap before the

If the plugin .pread method did not fill the buffer with data then the contents of the heap could be leaked back to the client. The simplest way to avoid any possibility of this happening is to zero the buffer before passing it to the .pread method. I have checked plugins shipped with nbdkit and none of them are vulnerable in this way. They all do one of these things: - They fully set the

Since v1: - rework .can_cache to be tri-state, with default of no advertisement (ripple effect through other patches) - add a lot more patches in order to round out filter support And in the meantime, Rich pushed NBD_CMD_CACHE support into libnbd, so in theory we now have a way to test cache commands through the entire stack. Eric Blake (24): server: Internal hooks for implementing

libvirt-ocaml is used only by virt-v2v, so move it to this repository, instead of having it around in the common submodule. The removal from common will happen later. Pino Toscano (2): common: Bundle the libvirt-ocaml library for use by virt-v2v build: switch embedded copy of libvirt-ocaml .gitignore | 2 + 3rdparty/libvirt-ocaml/Makefile.am |

On 4/23/19 4:01 AM, Richard W.M. Jones wrote: > If the plugin .pread method did not fill the buffer with data then the > contents of the heap could be leaked back to the client. The simplest > way to avoid any possibility of this happening is to zero the buffer > before passing it to the .pread method. > > I have checked plugins shipped with nbdkit and none of them are >

If the plugin .pread method did not fill the buffer with data then the contents of the heap could be leaked back to the client. To avoid this create a thread-local data buffer which is initialized to zero and expanded (with zeroes) as required. This buffer is shared between pread and pwrite which makes the code a little bit simpler. Also this may improve locality by reusing the same memory for

Sorry Dan, but I really do dislike golang with a passion :-) Here is a patch that allows you to write nbdkit plugins in golang. As with C, OCaml and Rust, you can write a plugin in Go which compiles directly to a .so file that can be loaded into golang, so in that sense it works completely differently from scripting language plugins like Perl and Python where there's an

Fix for: https://bugzilla.redhat.com/show_bug.cgi?id=1354507 Main explanation is in patch #3. Rich.

This doesn't yet work. However it does make me more convinced than ever that we really need to sort out persistent buffer lifetimes in the library (similar to what we did for closures). Rich.

Hi, this is a mostly done attempt to switch to ocaml-libvirt, embedding the latest version of it from git. This way, it is possible to improve the way v2v connects to libvirt for both input, and output modules, and interacts with libvirt (e.g. no more virsh calls needed in virt-v2v). As side effect, virt-v2v now requires libvirt, as keeping it optional would create too much burden. I could not

Hi, this series switches virt-2v to ocaml-libvirt, embedding the latest version of it from git. This way, it is possible to improve the way v2v connects to libvirt for both input, and output modules, and interacts with libvirt (e.g. no more virsh calls needed in virt-v2v). As side effect, virt-v2v now requires libvirt, as keeping it optional would create too much burden. I could not test all

Hi, this is a mostly done attempt to switch to ocaml-libvirt, embedding the latest version of it from git. This way, it is possible to improve the way v2v connects to libvirt for both input, and output modules, and interacts with libvirt (e.g. no more virsh calls needed in virt-v2v). As side effect, virt-v2v now requires libvirt, as keeping it optional would create too much burden. I could not

Hi, this is a mostly done attempt to switch to ocaml-libvirt, embedding the latest version of it from git. This way, it is possible to improve the way v2v connects to libvirt for both input, and output modules, and interacts with libvirt (e.g. no more virsh calls needed in virt-v2v). As side effect, virt-v2v now requires libvirt, as keeping it optional would create too much burden. I could not

For existing commits, this is almost identical to v1, except that I updated some commit messages and reordered the commits in a somewhat more logical sequence. The main changes are the extra commits: [06/11] plugins: Return NBD_FLAG_CAN_MULTI_CONN from some readonly plugins. - Readonly plugins that can set the flag unconditionally. [09/11] partitioning: Return NBD_FLAG_CAN_MULTI_CONN. [10/11]