Plan 9 from Bell Labs’s /usr/web/sources/contrib/mospak/webfs-readline-overflow/README

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.


webfs-readline-overflow: fix Ibuf overflow in webfs readline()

A memory-safety bug in 9legacy's sys/src/cmd/webfs/buf.c:
readline() never resets its Ibuf rp/wp pointers when the
4096-byte buffer drains, so under sustained traffic across
parallel connections the pointers walk past the end of buf[]
and the next ioread overflows into the adjacent pointer
fields of the same struct.  The next read dereferences a
corrupted pointer and webfs faults inside readline.

Independent of TLS and independent of abaco: affects any
webfs consumer that drives enough parallel reads to exhaust
the buffer.  Surfaces in practice because abaco loading
modern HTTPS pages via the tls-modern-client series
exercises exactly that pattern.
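
Added illustration, not the 9legacy buf.c source and not the patch itself: a
constructed C model of the Ibuf read/write pointers that shows the drift the
bug causes and the rewind-on-drain fix side by side.  The struct layout, the
fill() and cycles() helpers, and the chunk sizes are assumptions.

```c
/* Added illustration, not the 9legacy buf.c source: a constructed model of
 * a line buffer with read (rp) and write (wp) pointers into a fixed array,
 * showing why both must be rewound to buf[0] once the buffer drains. */
#include <string.h>

enum { Bufsize = 4096 };

typedef struct {
	char	buf[Bufsize];
	char	*rp;	/* next unread byte */
	char	*wp;	/* one past the last byte filled */
} Ibuf;

/* Model one ioread of n bytes appended at wp.  With rewind set, a drained
 * buffer (rp >= wp) is first reset to buf[0]: that is the fix.  Returns how
 * many bytes the read would land past the end of buf[] (0 = in bounds);
 * the write itself is clamped so the model never corrupts memory. */
long
fill(Ibuf *b, long n, int rewind)
{
	long room, over;
	if(rewind && b->rp >= b->wp)
		b->rp = b->wp = b->buf;
	room = &b->buf[Bufsize] - b->wp;
	over = n > room ? n - room : 0;
	n -= over;
	memset(b->wp, 'x', n);
	b->wp += n;
	return over;
}

/* Run k fill/consume cycles of chunk bytes; return the worst overrun seen.
 * Without the rewind, wp creeps forward by chunk every cycle even though
 * the buffer is empty between cycles, until a read runs off the array. */
long
cycles(int k, long chunk, int rewind)
{
	Ibuf b;
	long worst, over;
	int i;
	b.rp = b.wp = b.buf;
	worst = 0;
	for(i = 0; i < k; i++){
		over = fill(&b, chunk, rewind);
		if(over > worst)
			worst = over;
		b.rp = b.wp;	/* consumer took everything: buffer drains */
	}
	return worst;
}
```

The model reports the overrun instead of performing it; in the real
server those bytes land in the pointer fields that follow buf[].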

CHANGES
    v1 — 2026-04-25 (initial)
        webfs-readline-overflow   readline() resets rp/wp to
                                  &b->buf[0] on drain.

Scope
    One-line change to sys/src/cmd/webfs/buf.c.  No kernel,
    libsec, or /mnt/web ABI change.  No reboot.

Files
    webfs-readline-overflow.patch   the fix

Apply
    cd /
    ape/patch -p0 < /path/to/webfs-readline-overflow/webfs-readline-overflow.patch

Rebuild
    cd /sys/src/cmd/webfs && mk clean && mk install

    Then restart webfs (echo halt > /mnt/web/ctl, then
    re-mount) or log out and back in so consumers pick up the
    new binary.

Prerequisites
    A 9legacy tree with sys/src/cmd/webfs present.  No other
    patches required; this fix stands alone.

    Sanity-check:
        grep -c 'b->rp >= b->wp' /sys/src/cmd/webfs/buf.c   # non-zero

Verification
    Before: load a large HTTPS page (e.g. Wikipedia Main
    Page) in abaco with tls-modern-client installed.  After
    sustained traffic one or more webfs fsthread procs enter
    Broken state; abaco hangs in Open/Pread on
    /mnt/web/<conn>/body.  ps shows identical faulting PC
    inside readline, with stack return addresses above etext.

    After: same URL loads cleanly.  hget alone does not
    reproduce — single-connection reads don't cycle the Ibuf
    enough to walk the pointers off the end; a reliable
    reproducer needs a multi-connection consumer.

Rollback
    cd /
    ape/patch -R -p0 < /path/to/webfs-readline-overflow/webfs-readline-overflow.patch

    Then rebuild and restart webfs as above.

See also
    contrib/tls-modern-client/ — modern HTTPS client stack.
    Recommended alongside this fix for parallel-fetch
    consumers (abaco), though neither depends on the other.
