From patchwork Sat Oct 22 07:19:25 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 7206
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ben Ronallo, Chuck Lever, Jeff Layton
Subject: [PATCH 5.19 086/717] NFSD: Protect against send buffer overflow in NFSv3 READDIR
Date: Sat, 22 Oct 2022 09:19:25 +0200
Message-Id: <20221022072430.597616922@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
User-Agent: quilt/0.67
X-Mailing-List: linux-kernel@vger.kernel.org
From: Chuck Lever

commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 upstream.

Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply message at the same time.

Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large.

A client can force this shrinkage on TCP by sending a correctly-formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case.

Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this issue.

Reported-by: Ben Ronallo
Cc:
Signed-off-by: Chuck Lever
Reviewed-by: Jeff Layton
Signed-off-by: Chuck Lever
Signed-off-by: Greg Kroah-Hartman
---
 fs/nfsd/nfs3proc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/nfsd/nfs3proc.c +++ b/fs/nfsd/nfs3proc.c @@ -550,13 +550,14 @@ static void nfsd3_init_dirlist_pages(str { struct xdr_buf *buf = &resp->dirlist; struct xdr_stream *xdr = &resp->xdr; - - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); + unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen, + svc_max_payload(rqstp)); memset(buf, 0, sizeof(*buf)); /* Reserve room for the NULL ptr & eof flag (-2 words) */ - buf->buflen = count - XDR_UNIT * 2; + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf); + buf->buflen -= XDR_UNIT * 2; buf->pages = rqstp->rq_next_page; rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
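Review bot: the pair `buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf); buf->buflen -= XDR_UNIT * 2;` wraps if `sendbuf` is ever smaller than `XDR_UNIT * 2`, because clamp() returns the upper bound whenever hi is below lo, so the subtraction underflows and the following `rq_next_page +=` advance becomes huge. If the transport guarantees that `rqstp->rq_res.buflen` always leaves at least a page after a maximal record, say so in the comment above the clamp (it still only mentions the two reserved words, not that rq_res.buflen is now the effective ceiling); otherwise bound it first, e.g. `sendbuf = max_t(unsigned int, sendbuf, XDR_UNIT * 2);`, or bail out with an empty dirlist when no send space remains.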
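A userland model of the sizing logic the commit message describes, written for this page as an added example: it is not kernel code and not part of the patch series. It reproduces the shared receive/send page array, the way rq_res shrinks after a large Call, the before and after buflen computation from the hunk, and the rq_next_page advance, then checks whether each reservation still lands inside the array. The constants (4 KiB pages, a 1 MiB svc_max_payload(), a 258-page array) and the helpers model_rq_res_buflen() and reservation_fits() are assumptions of this model, as is the guard against a send buffer smaller than two XDR words, which the hunk itself does not have; the real svc_process() bookkeeping (head page, auth slack, transport limits) is more involved.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for the model: 4 KiB pages, a 1 MiB maximum payload,
 * and a shared page array two pages larger than the payload.  The real
 * kernel values differ; only the shape of the arithmetic is being shown. */
#define PGSHIFT        12
#define PGSIZE         (1u << PGSHIFT)
#define XDR_UNIT       4u
#define MAX_PAYLOAD    (1u << 20)
#define RQ_TOTAL_PAGES ((MAX_PAYLOAD >> PGSHIFT) + 2)

/* Same shape as the kernel's clamp(): min(max(v, lo), hi). */
static uint32_t clamp_u32(uint32_t v, uint32_t lo, uint32_t hi)
{
	v = v > lo ? v : lo;
	return v < hi ? v : hi;
}

/* Pages a received RPC record of record_len bytes pins in rq_pages. */
static uint32_t recv_pages(uint32_t record_len)
{
	return (record_len + PGSIZE - 1) >> PGSHIFT;
}

/* Model of rq_res.buflen after the Call is received: whatever is left of
 * the shared array once the Call's pages and one reply head page are used.
 * A large Call record therefore shrinks the send buffer. */
static uint32_t model_rq_res_buflen(uint32_t record_len)
{
	uint32_t used = recv_pages(record_len) + 1;
	return used >= RQ_TOTAL_PAGES ? 0 : (RQ_TOTAL_PAGES - used) * PGSIZE;
}

/* Before the patch: only svc_max_payload() bounds the reservation. */
static uint32_t dirlist_buflen_old(uint32_t count)
{
	return clamp_u32(count, XDR_UNIT * 2, MAX_PAYLOAD) - XDR_UNIT * 2;
}

/* After the patch: rq_res.buflen is also a ceiling on the reservation. */
static uint32_t dirlist_buflen_new(uint32_t count, uint32_t res_buflen)
{
	uint32_t sendbuf = res_buflen < MAX_PAYLOAD ? res_buflen : MAX_PAYLOAD;

	/* Guard added in this model only: the hunk has no such check, and a
	 * send buffer below two words would make the subtraction wrap. */
	if (sendbuf < XDR_UNIT * 2)
		return 0;
	return clamp_u32(count, XDR_UNIT * 2, sendbuf) - XDR_UNIT * 2;
}

/* The rq_next_page advance from the hunk's last line. */
static uint32_t dirlist_pages(uint32_t buflen)
{
	return (buflen + PGSIZE - 1) >> PGSHIFT;
}

/* True when Call pages + head page + reply pages fit inside rq_pages. */
static int reservation_fits(uint32_t record_len, uint32_t buflen)
{
	return recv_pages(record_len) + 1 + dirlist_pages(buflen) <= RQ_TOTAL_PAGES;
}

int main(void)
{
	const uint32_t count = MAX_PAYLOAD;       /* client asks for the maximum */
	const uint32_t normal_call = 200;         /* constructed record length, bytes */
	const uint32_t padded_call = 900 * 1024;  /* constructed oversized record, bytes */
	uint32_t res;

	res = model_rq_res_buflen(normal_call);
	printf("normal call: old fits=%d new fits=%d (res_buflen=%u)\n",
	       reservation_fits(normal_call, dirlist_buflen_old(count)),
	       reservation_fits(normal_call, dirlist_buflen_new(count, res)),
	       (unsigned)res);

	res = model_rq_res_buflen(padded_call);
	printf("padded call: old fits=%d new fits=%d (res_buflen=%u)\n",
	       reservation_fits(padded_call, dirlist_buflen_old(count)),
	       reservation_fits(padded_call, dirlist_buflen_new(count, res)),
	       (unsigned)res);
	return 0;
}
```

With the 200-byte Call both formulas reserve 256 reply pages and fit. With the 900 KiB record the Call pins 225 pages, leaving 32 pages of send space after the head page; the old formula still reserves 256 pages and runs past the end of the array, while the patched formula caps buflen at rq_res.buflen and reserves 32.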