From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "J. Bruce Fields" <bfields@redhat.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Sasha Levin <sashal@kernel.org>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 054/150] sunrpc: safely reallow resvport min/max inversion
Date: Sat, 16 Nov 2019 10:45:52 -0500 [thread overview]
Message-ID: <20191116154729.9573-54-sashal@kernel.org> (raw)
In-Reply-To: <20191116154729.9573-1-sashal@kernel.org>
From: "J. Bruce Fields" <bfields@redhat.com>
[ Upstream commit 826799e66e8683e5698e140bb9ef69afc8c0014e ]
Commits ffb6ca33b04b and e08ea3a96fc7 prevent setting xprt_min_resvport
greater than xprt_max_resvport, but may also break simple code that sets
one parameter then the other, if the new range does not overlap the old.
Also it looks racy to me, unless there's some serialization I'm not
seeing. Granted it would probably require malicious privileged processes
(unless there's a chance these might eventually be settable in unprivileged
containers), but still it seems better not to let userspace panic the
kernel.
Simpler seems to be to allow setting the parameters to whatever you want
but interpret xprt_min_resvport > xprt_max_resvport as the empty range.
Fixes: ffb6ca33b04b "sunrpc: Prevent resvport min/max inversion..."
Fixes: e08ea3a96fc7 "sunrpc: Prevent rexvport min/max inversion..."
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtsock.c | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 05a58cc1b0cdb..5aec408d1cb3f 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -127,7 +127,7 @@ static struct ctl_table xs_tunables_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &xprt_min_resvport_limit,
- .extra2 = &xprt_max_resvport
+ .extra2 = &xprt_max_resvport_limit
},
{
.procname = "max_resvport",
@@ -135,7 +135,7 @@ static struct ctl_table xs_tunables_table[] = {
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
- .extra1 = &xprt_min_resvport,
+ .extra1 = &xprt_min_resvport_limit,
.extra2 = &xprt_max_resvport_limit
},
{
@@ -1751,11 +1751,17 @@ static void xs_udp_timer(struct rpc_xprt *xprt, struct rpc_task *task)
spin_unlock_bh(&xprt->transport_lock);
}
-static unsigned short xs_get_random_port(void)
+static int xs_get_random_port(void)
{
- unsigned short range = xprt_max_resvport - xprt_min_resvport + 1;
- unsigned short rand = (unsigned short) prandom_u32() % range;
- return rand + xprt_min_resvport;
+ unsigned short min = xprt_min_resvport, max = xprt_max_resvport;
+ unsigned short range;
+ unsigned short rand;
+
+ if (max < min)
+ return -EADDRINUSE;
+ range = max - min + 1;
+ rand = (unsigned short) prandom_u32() % range;
+ return rand + min;
}
/**
@@ -1812,9 +1818,9 @@ static void xs_set_srcport(struct sock_xprt *transport, struct socket *sock)
transport->srcport = xs_sock_getport(sock);
}
-static unsigned short xs_get_srcport(struct sock_xprt *transport)
+static int xs_get_srcport(struct sock_xprt *transport)
{
- unsigned short port = transport->srcport;
+ int port = transport->srcport;
if (port == 0 && transport->xprt.resvport)
port = xs_get_random_port();
@@ -1835,7 +1841,7 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
{
struct sockaddr_storage myaddr;
int err, nloop = 0;
- unsigned short port = xs_get_srcport(transport);
+ int port = xs_get_srcport(transport);
unsigned short last;
/*
@@ -1853,8 +1859,8 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
* transport->xprt.resvport == 1) xs_get_srcport above will
* ensure that port is non-zero and we will bind as needed.
*/
- if (port == 0)
- return 0;
+ if (port <= 0)
+ return port;
memcpy(&myaddr, &transport->srcaddr, transport->xprt.addrlen);
do {
@@ -3284,12 +3290,8 @@ static int param_set_uint_minmax(const char *val,
static int param_set_portnr(const char *val, const struct kernel_param *kp)
{
- if (kp->arg == &xprt_min_resvport)
- return param_set_uint_minmax(val, kp,
- RPC_MIN_RESVPORT,
- xprt_max_resvport);
return param_set_uint_minmax(val, kp,
- xprt_min_resvport,
+ RPC_MIN_RESVPORT,
RPC_MAX_RESVPORT);
}
--
2.20.1
next prev parent reply other threads:[~2019-11-16 16:11 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191116154729.9573-1-sashal@kernel.org>
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 010/150] brcmsmac: AP mode: update beacon when TIM changes Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 011/150] ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 026/150] qed: Align local and global PTT to propagate through the APIs Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 041/150] net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 042/150] net: fix warning in af_unix Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 043/150] net: ena: Fix Kconfig dependency on X86 Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 053/150] SUNRPC: Fix a compile warning for cmpxchg64() Sasha Levin
2019-11-16 15:45 ` Sasha Levin [this message]
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 055/150] atm: zatm: Fix empty body Clang warnings Sasha Levin
2019-11-16 15:45 ` [PATCH AUTOSEL 4.14 061/150] libceph: don't consume a ref on pagelist in ceph_msg_data_add_pagelist() Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 064/150] mISDN: Fix type of switch control variable in ctrl_teimanager Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 065/150] qlcnic: fix a return in qlcnic_dcb_get_capability() Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 066/150] net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 075/150] bpf: devmap: fix wrong interface selection in notifier_call Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 077/150] sparc64: Rework xchg() definition to avoid warnings Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 081/150] macsec: update operstate when lower device changes Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 082/150] macsec: let the administrator set UP state even if lowerdev is down Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 105/150] igb: shorten maximum PHC timecounter update interval Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 106/150] net: hns3: bugfix for buffer not free problem during resetting Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 107/150] ntb_netdev: fix sleep time mismatch Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 113/150] net: do not abort bulk send on BQL status Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 116/150] openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 120/150] wil6210: fix locking in wmi_call Sasha Levin
2019-11-16 15:46 ` [PATCH AUTOSEL 4.14 121/150] wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 122/150] rtl8xxxu: Fix missing break in switch Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 123/150] brcmsmac: never log "tid x is not agg'able" by default Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 124/150] wireless: airo: potential buffer overflow in sprintf() Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 125/150] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 126/150] net: dsa: bcm_sf2: Turn on PHY to allow successful registration Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 136/150] vrf: mark skb for multicast or link-local as enslaved to VRF Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 138/150] net: bcmgenet: return correct value 'ret' from bcmgenet_power_down Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 139/150] sock: Reset dst when changing sk_mark via setsockopt Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 141/150] cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 149/150] ipv6: Fix handling of LLA with VRF and sockets bound to VRF Sasha Levin
2019-11-16 15:47 ` [PATCH AUTOSEL 4.14 150/150] cfg80211: call disconnect_wk when AP stops Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191116154729.9573-54-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bfields@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).