Skip to content

Addresses an issue of multiple invalid loops in the rpmsgfs_mkpath function#17270

Open
sszllxos wants to merge 1 commit intoapache:masterfrom
sszllxos:25110101
Open

Addresses an issue of multiple invalid loops in the rpmsgfs_mkpath function#17270
sszllxos wants to merge 1 commit intoapache:masterfrom
sszllxos:25110101

Conversation

@sszllxos
Copy link

@sszllxos sszllxos commented Nov 1, 2025
edited by linguini1
Loading

Summary

This commit addresses an issue of multiple invalid loops in the rpmsgfs_mkpath function under specific cross-system mount scenarios.

Problem Description:
The mount command in the NuttX shell is as follows:

mount -t rpmsgfs -o cpu=server,fs=/root/demo/fold /nuttx_fold

Running “ls nuttx_fold“ correctly lists the contents of the /root/demo/fold directory on the Linux side. However, if NuttX is compromised by a hacker, the hacker could modify the input parameters of the ls command. Without directory access restrictions implemented on the Linux side, this would allow the hacker to arbitrarily access any directory on the Linux system.

When directory access restrictions are implemented on the Linux side—such as modifying the rpmsgfs driver on the Linux side to return "permission deny" upon detecting unauthorized access—the rpmsgfs_client_stat function in rpmsgfs_mkpath (on the NuttX side) fails to handle this error and continues waiting in the while loop.

Impact

Only modifies the error handling branch in rpmsgfs_mkpath, with no impact on other functions of the rpmsgfs module.

Testing

In the Linux shell, create the directory /root/demo/fold, and restrict NuttX from accessing the fold directory itself by configuring the rpmsg_fs driver.

In Nuttx shell:

mount -t rpmsgfs -o cpu=server,fs=/root/demo/fold /nuttx_fold
ls /nuttx_fold

Nuttx shell output:

proxy> mount -t rpmsgfs -o cpu=server,fs=/root/demo/fold nuttx_fold
proxy> ls
proxy> ls nuttx_fold
nsh: ls: stat failed: 13

Signed-off-by: Lijing lijing.ly@bytedance.com

fs/rpmsgfs: Add handling for errors returned by rpmsgfs_client_stat
20504d8 
    This commit addresses an issue of multiple invalid loops in the rpmsgfs_mkpath function under specific cross-system mount scenarios.

    Problem Description:
    When performing directory access restriction on the Linux side, users execute the mount command in the NuttX shell:mount -t rpmsgfs -o cpu=server,fs=/root/demo/fold /nuttx_foldThe Linux side restricts NuttX from accessing directories outside /root/demo/fold and returns a permission deny error (or other negative return codes). However, the existing code in rpmsgfs_mkpath only handles the case where rpmsgfs_client_stat returns ret = 0, and lacks processing logic for negative return values. This omission causes the while loop in rpmsgfs_mkpath to run indefinitely.

    Solution Implemented:
    Added error handling for negative return values of rpmsgfs_client_stat in rpmsgfs_mkpath.
    When rpmsgfs_client_stat returns a value < 0, the function will break out of the while loop.

Signed-off-by: Lijing lijing.ly@bytedance.com
@github-actions github-actions bot added Area: File System File System issues Size: XS The size of the change in this PR is very small labels Nov 1, 2025
xiaoxiang781216
xiaoxiang781216 requested changes Nov 1, 2025
View reviewed changes
fs/rpmsgfs/rpmsgfs.c

ret = rpmsgfs_client_stat(fs->handle, fs->fs_root, &buf);
if (ret == 0)
if (ret <= 0)
Copy link
Contributor

@xiaoxiang781216 xiaoxiang781216 Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but we need consider the case that the server mayn't be ready yet.

@linguini1
Copy link
Contributor

linguini1 commented Nov 1, 2025

Note: I re-formatted your PR description so that it displays with wrapped lines on GitHub. Otherwise it was very difficult to read because text required scrolling to the right quite far.

@acassis
Copy link
Contributor

acassis commented Nov 1, 2025

@sszllxos nice finding. Could you please tell me which link interface are you using to connect Linux and NuttX?

@xiaoxiang781216 did you submit the RPMsg SPI driver to Linux mainline?

@xiaoxiang781216
Copy link
Contributor

xiaoxiang781216 commented Nov 2, 2025

@xiaoxiang781216 did you submit the RPMsg SPI driver to Linux mainline?

not yet.

@sszllxos
Copy link
Author

sszllxos commented Nov 2, 2025

@acassis RPMsg SPI driver

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 requested changes

@GUIDINGLI GUIDINGLI Awaiting requested review from GUIDINGLI GUIDINGLI is a code owner

@Donny9 Donny9 Awaiting requested review from Donny9 Donny9 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Area: File System File System issues Size: XS The size of the change in this PR is very small

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sszllxos @linguini1 @acassis @xiaoxiang781216