* [PATCH v2] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")
@ 2020-07-24 18:55 Chuck Lever
2020-07-24 20:28 ` J. Bruce Fields
0 siblings, 1 reply; 2+ messages in thread
From: Chuck Lever @ 2020-07-24 18:55 UTC (permalink / raw)
To: bfields; +Cc: linux-nfs
Braino when converting "buf->len -=" to "buf->len = len -".
The result is under-estimation of the ralign and rslack values. On
krb5p mounts, this has caused READDIR to fail with EIO, and KASAN
splats when decoding READLINK replies.
As a result of fixing this oversight, the gss_unwrap method now
returns a buf->len that can be shorter than priv_len for small
RPC messages. The additional adjustment done in unwrap_priv_data()
can underflow buf->len. This causes the nfsd_request_too_large
check to fail during some NFSv3 operations.
Reported-by: Marian Rainer-Harbach
Reported-by: Pierre Sauter <pierre.sauter@stwm.de>
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277
Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 +-
net/sunrpc/auth_gss/svcauth_gss.c | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
Hi Bruce-
I can take this in v5.9 if you agree it's a righteous fix.
Changes since RFC:
- series squashed into a single patch
- "pad" is still calculated in unwrap_priv_data for later use
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index cf0fd170ac18..90b8329fef82 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len,
buf->head[0].iov_len);
memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
- buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip;
+ buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip);
/* Trim off the trailing "extra count" and checksum blob */
xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip);
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 7d83f54aaaa6..258b04372f85 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -990,7 +990,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs
maj_stat = gss_unwrap(ctx, 0, priv_len, buf);
pad = priv_len - buf->len;
- buf->len -= pad;
/* The upper layers assume the buffer is aligned on 4-byte boundaries.
* In the krb5p case, at least, the data ends up offset, so we need to
* move it around. */
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")
2020-07-24 18:55 [PATCH v2] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") Chuck Lever
@ 2020-07-24 20:28 ` J. Bruce Fields
0 siblings, 0 replies; 2+ messages in thread
From: J. Bruce Fields @ 2020-07-24 20:28 UTC (permalink / raw)
To: Chuck Lever; +Cc: linux-nfs
On Fri, Jul 24, 2020 at 02:55:07PM -0400, Chuck Lever wrote:
> Braino when converting "buf->len -=" to "buf->len = len -".
>
> The result is under-estimation of the ralign and rslack values. On
> krb5p mounts, this has caused READDIR to fail with EIO, and KASAN
> splats when decoding READLINK replies.
>
> As a result of fixing this oversight, the gss_unwrap method now
> returns a buf->len that can be shorter than priv_len for small
> RPC messages. The additional adjustment done in unwrap_priv_data()
> can underflow buf->len. This causes the nfsd_request_too_large
> check to fail during some NFSv3 operations.
>
> Reported-by: Marian Rainer-Harbach
> Reported-by: Pierre Sauter <pierre.sauter@stwm.de>
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277
> Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 +-
> net/sunrpc/auth_gss/svcauth_gss.c | 1 -
> 2 files changed, 1 insertion(+), 2 deletions(-)
>
> Hi Bruce-
>
> I can take this in v5.9 if you agree it's a righteous fix.
Righteous!
Well, seems like a reasonable step, anyway.
I just wish I had a more complete understanding. Anyway,
Reviewed-by: J. Bruce Fields <bfields@redhat.com>
--b.
> Changes since RFC:
> - series squashed into a single patch
> - "pad" is still calculated in unwrap_priv_data for later use
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
> index cf0fd170ac18..90b8329fef82 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
> @@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len,
> buf->head[0].iov_len);
> memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
> buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
> - buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip;
> + buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip);
>
> /* Trim off the trailing "extra count" and checksum blob */
> xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip);
> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> index 7d83f54aaaa6..258b04372f85 100644
> --- a/net/sunrpc/auth_gss/svcauth_gss.c
> +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> @@ -990,7 +990,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs
>
> maj_stat = gss_unwrap(ctx, 0, priv_len, buf);
> pad = priv_len - buf->len;
> - buf->len -= pad;
> /* The upper layers assume the buffer is aligned on 4-byte boundaries.
> * In the krb5p case, at least, the data ends up offset, so we need to
> * move it around. */
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-24 20:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-24 18:55 [PATCH v2] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") Chuck Lever
2020-07-24 20:28 ` J. Bruce Fields
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).