9p/xen: do not memcpy header into req->rc

martinetd · martinetd · commit f15e006b8313 · 2022-12-03T00:04:37.000+09:00
while 'h' is packed and can be assumed to match the request payload, req->rc is a struct p9_fcall which is not packed and that memcpy could be wrong. Fix this by copying each fields individually instead. Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com> Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com> Suggested-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2211211454540.1049131@ubuntu-linux-20-04-desktop Link: https://lkml.kernel.org/r/20221122001025.119121-1-asmadeus@codewreck.org Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
@@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)
 			goto recv_error;
 		}
 
-		memcpy(&req->rc, &h, sizeof(h));
+		req->rc.size = h.size;
+		req->rc.id = h.id;
+		req->rc.tag = h.tag;
 		req->rc.offset = 0;
 
 		masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));

Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,9 @@ static void p9_xen_response(struct work_struct *work)`
`216`	`216`	`goto recv_error;`
`217`	`217`	`}`
`218`	`218`
`219`		`- memcpy(&req->rc, &h, sizeof(h));`
	`219`	`+ req->rc.size = h.size;`
	`220`	`+ req->rc.id = h.id;`
	`221`	`+ req->rc.tag = h.tag;`
`220`	`222`	`req->rc.offset = 0;`
`221`	`223`
`222`	`224`	`masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));`