From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>,
Sasha Levin <sashal@kernel.org>,
linux-nfs@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 21/31] NFSv4.2: Don't error when exiting early on a READ_PLUS buffer overflow
Date: Wed, 30 Dec 2020 08:03:03 -0500 [thread overview]
Message-ID: <20201230130314.3636961-21-sashal@kernel.org> (raw)
In-Reply-To: <20201230130314.3636961-1-sashal@kernel.org>
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 503b934a752f7e789a5f33217520e0a79f3096ac ]
Expanding the READ_PLUS extents can cause the read buffer to overflow.
If it does, then don't error, but just exit early.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs42xdr.c | 36 +++++++++++++++++-------------------
1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
index 8432bd6b95f08..c078f88552695 100644
--- a/fs/nfs/nfs42xdr.c
+++ b/fs/nfs/nfs42xdr.c
@@ -1019,29 +1019,24 @@ static int decode_deallocate(struct xdr_stream *xdr, struct nfs42_falloc_res *re
return decode_op_hdr(xdr, OP_DEALLOCATE);
}
-static int decode_read_plus_data(struct xdr_stream *xdr, struct nfs_pgio_res *res,
- uint32_t *eof)
+static int decode_read_plus_data(struct xdr_stream *xdr,
+ struct nfs_pgio_res *res)
{
uint32_t count, recvd;
uint64_t offset;
__be32 *p;
p = xdr_inline_decode(xdr, 8 + 4);
- if (unlikely(!p))
- return -EIO;
+ if (!p)
+ return 1;
p = xdr_decode_hyper(p, &offset);
count = be32_to_cpup(p);
recvd = xdr_align_data(xdr, res->count, count);
res->count += recvd;
- if (count > recvd) {
- dprintk("NFS: server cheating in read reply: "
- "count %u > recvd %u\n", count, recvd);
- *eof = 0;
+ if (count > recvd)
return 1;
- }
-
return 0;
}
@@ -1052,18 +1047,16 @@ static int decode_read_plus_hole(struct xdr_stream *xdr, struct nfs_pgio_res *re
__be32 *p;
p = xdr_inline_decode(xdr, 8 + 8);
- if (unlikely(!p))
- return -EIO;
+ if (!p)
+ return 1;
p = xdr_decode_hyper(p, &offset);
p = xdr_decode_hyper(p, &length);
recvd = xdr_expand_hole(xdr, res->count, length);
res->count += recvd;
- if (recvd < length) {
- *eof = 0;
+ if (recvd < length)
return 1;
- }
return 0;
}
@@ -1088,12 +1081,12 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
for (i = 0; i < segments; i++) {
p = xdr_inline_decode(xdr, 4);
- if (unlikely(!p))
- return -EIO;
+ if (!p)
+ goto early_out;
type = be32_to_cpup(p++);
if (type == NFS4_CONTENT_DATA)
- status = decode_read_plus_data(xdr, res, &eof);
+ status = decode_read_plus_data(xdr, res);
else if (type == NFS4_CONTENT_HOLE)
status = decode_read_plus_hole(xdr, res, &eof);
else
@@ -1102,12 +1095,17 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
if (status < 0)
return status;
if (status > 0)
- break;
+ goto early_out;
}
out:
res->eof = eof;
return 0;
+early_out:
+ if (unlikely(!i))
+ return -EIO;
+ res->eof = 0;
+ return 0;
}
static int decode_seek(struct xdr_stream *xdr, struct nfs42_seek_res *res)
--
2.27.0
next prev parent reply other threads:[~2020-12-30 13:11 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 13:02 [PATCH AUTOSEL 5.10 01/31] ARM: 9014/2: Replace string mem* functions for KASan Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 02/31] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 03/31] module: set MODULE_STATE_GOING state when a module fails to load Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 04/31] quota: Don't overflow quota file offsets Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 05/31] rtc: pl031: fix resource leak in pl031_probe Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 06/31] powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 07/31] i3c master: fix missing destroy_workqueue() on error in i3c_master_register Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 08/31] reiserfs: add check for an invalid ih_entry_count Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 09/31] NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 10/31] f2fs: Handle casefolding with Encryption Sasha Levin
2020-12-30 18:01 ` [f2fs-dev] " Eric Biggers
2021-01-04 14:20 ` Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 11/31] f2fs: avoid race condition for shrinker count Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 12/31] f2fs: fix race of pending_pages in decompression Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 13/31] module: delay kobject uevent until after module init call Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 14/31] powerpc/64: irq replay remove decrementer overflow check Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 15/31] f2fs: fix shift-out-of-bounds in sanity_check_raw_super() Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 16/31] fs/namespace.c: WARN if mnt_count has become negative Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 17/31] watchdog: rti-wdt: fix reference leak in rti_wdt_probe Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 18/31] um: random: Register random as hwrng-core device Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 19/31] um: ubd: Submit all data segments atomically Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 20/31] um: allocate a guard page to helper threads Sasha Levin
2020-12-30 14:48 ` Johannes Berg
2021-01-04 14:21 ` Sasha Levin
2020-12-30 13:03 ` Sasha Levin [this message]
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 22/31] ceph: fix inode refcount leak when ceph_fill_inode on non-I_NEW inode fails Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 23/31] drm/amd/display: updated wm table for Renoir Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 24/31] tick/sched: Remove bogus boot "safety" check Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 25/31] s390: always clear kernel stack backchain before calling functions Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 26/31] io_uring: remove racy overflow list fast checks Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 27/31] ext4: check for invalid block size early when mounting a file system Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 28/31] ALSA: pcm: Clear the full allocated memory at hw_params Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 29/31] dm verity: skip verity work if I/O error when system is shutting down Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 30/31] ext4: avoid s_mb_prefetch to be zero in individual scenarios Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 31/31] device-dax: Fix range release Sasha Levin
2020-12-30 14:18 ` [PATCH AUTOSEL 5.10 01/31] ARM: 9014/2: Replace string mem* functions for KASan Ahmad Fatoum
2021-01-04 14:29 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201230130314.3636961-21-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).