From patchwork Wed Oct 19 08:23:03 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 4552
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Ronallo, Chuck Lever, Jeff Layton
Subject: [PATCH 6.0 096/862] NFSD: Protect against send buffer overflow in NFSv3 READDIR
Date: Wed, 19 Oct 2022 10:23:03 +0200
Message-Id: <20221019083254.182334043@linuxfoundation.org>
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Chuck Lever

commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 upstream.

Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply message at the same time.

Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large.

A client can force this shrinkage on TCP by sending a correctly-formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case.

Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this issue.

Reported-by: Ben Ronallo
Cc:
Signed-off-by: Chuck Lever
Reviewed-by: Jeff Layton
Signed-off-by: Chuck Lever
Signed-off-by: Greg Kroah-Hartman
---
 fs/nfsd/nfs3proc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -563,13 +563,14 @@ static void nfsd3_init_dirlist_pages(str
 {
 	struct xdr_buf *buf = &resp->dirlist;
 	struct xdr_stream *xdr = &resp->xdr;
-
-	count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+	unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen,
+				     svc_max_payload(rqstp));
 
 	memset(buf, 0, sizeof(*buf));
 
 	/* Reserve room for the NULL ptr & eof flag (-2 words) */
-	buf->buflen = count - XDR_UNIT * 2;
+	buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf);
+	buf->buflen -= XDR_UNIT * 2;
 	buf->pages = rqstp->rq_next_page;
 	rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
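Review bot: the new clamp() in nfsd3_init_dirlist_pages() has a lower bound of XDR_UNIT * 2 but an upper bound of sendbuf, which is now derived from rqstp->rq_res.buflen; if rq_res.buflen can ever be smaller than two XDR words after an oversized Call record, clamp() is called with lo > hi and the subsequent `buf->buflen -= XDR_UNIT * 2;` underflows an unsigned value. Either state in a comment why rq_res.buflen is guaranteed to be at least XDR_UNIT * 2 at this point, or bail out (return an error to the caller) when sendbuf is below that minimum before computing buflen. Minor: the old code wrote the clamped value back into `count`; the new code leaves `count` unclamped, which is fine here only because nothing after this point reads it, so a short note in the commit message would help future readers.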