Date: Mon, 4 Mar 2019 11:47:25 -0500
From: "J. Bruce Fields"
To: NeilBrown
Cc: Jeff Layton, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nfsd: fix memory corruption caused by readdir
Message-ID: <20190304164725.GE13690@fieldses.org>
References: <87lg1vs5eh.fsf@notabene.neil.brown.name>
In-Reply-To: <87lg1vs5eh.fsf@notabene.neil.brown.name>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 04, 2019 at 02:08:22PM +1100, NeilBrown wrote:
> (Note that the commit hash in the Fixes tag is from the 'history'
> tree - this bug predates git).
> Fixes: eb229d253e6c ("[PATCH] kNFSd: fix two xdr-encode bugs for readdirplus reply")

It'd be nice to provide a URL for that.  The one I originally cloned
seems to have disappeared.

> Cc: stable@vger.kernel.org (v2.6.12+)
> Signed-off-by: NeilBrown > --- > > Can I still get extra credit for fixing a bug that is 14.5 years old, if > I'm the one who introduced it? Good grief, yes! Great fix. Is that a record? And how did it go undetected so long, and what caused it to surface just now? I once thought about converting this over to the xdr_stream api that NFSv4 uses to hide the page-crossing logic now. But I think it's better to leave it alone. --b. > > fs/nfsd/nfs3proc.c | 16 ++++++++++++++-- > fs/nfsd/nfs3xdr.c | 1 + > 2 files changed, 15 insertions(+), 2 deletions(-) > > diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c > index 9eb8086ea841..c9cf46e0c040 100644 > --- a/fs/nfsd/nfs3proc.c > +++ b/fs/nfsd/nfs3proc.c > @@ -463,8 +463,19 @@ nfsd3_proc_readdir(struct svc_rqst *rqstp) > &resp->common, nfs3svc_encode_entry); > memcpy(resp->verf, argp->verf, 8); > resp->count = resp->buffer - argp->buffer; > - if (resp->offset) > - xdr_encode_hyper(resp->offset, argp->cookie); > + if (resp->offset) { > + loff_t offset = argp->cookie; > + > + if (unlikely(resp->offset1)) { > + /* we ended up with offset on a page boundary */ > + *resp->offset = htonl(offset >> 32); > + *resp->offset1 = htonl(offset & 0xffffffff); > + resp->offset1 = NULL; > + } else { > + xdr_encode_hyper(resp->offset, offset); > + } > + resp->offset = NULL; > + } > > RETURN_STATUS(nfserr); > } > @@ -533,6 +544,7 @@ nfsd3_proc_readdirplus(struct svc_rqst *rqstp) > } else { > xdr_encode_hyper(resp->offset, offset); > } > + resp->offset = NULL; > } > > RETURN_STATUS(nfserr); > diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c > index 9b973f4f7d01..83919116d5cb 100644 > --- a/fs/nfsd/nfs3xdr.c > +++ b/fs/nfsd/nfs3xdr.c > @@ -921,6 +921,7 @@ encode_entry(struct readdir_cd *ccd, const char *name, int namlen, > } else { > xdr_encode_hyper(cd->offset, offset64); > } > + cd->offset = NULL; > } > > /* > -- > 2.14.0.rc0.dirty >
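Review bot: In the nfsd3_proc_readdir hunk, the new `resp->offset = NULL;` and `resp->offset1 = NULL;` lines carry no comment saying why the pointers must be cleared once the final cookie has been written, even though the subject line calls the bug memory corruption; the only comment in the hunk ("we ended up with offset on a page boundary") explains the split encode, not the clear. Add a one-line comment at the clear, or a sentence in the changelog, naming what would otherwise write through the stale pointer, so the next person touching this code does not drop the line as redundant.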
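Review bot: In the nfsd3_proc_readdirplus hunk, the only change is the trailing `resp->offset = NULL;`, but the readdir hunk above it now copies the offset/offset1 page-boundary encode that readdirplus already had (the `} else { xdr_encode_hyper(resp->offset, offset); }` context shows the same shape), and encode_entry in nfs3xdr.c ends with the same encode-then-clear sequence. Consider factoring the final-cookie encode and the pointer clear into one small static helper shared by all three sites, so a future fix to the page-crossing logic lands in every copy at once.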
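Review bot: In the encode_entry hunk (fs/nfsd/nfs3xdr.c), only `cd->offset` is cleared, while the readdir hunk clears both `resp->offset` and `resp->offset1` in its page-boundary branch; the branch above the visible `} else {` here is not in the diff. Confirm that `cd->offset1` is reset on that path too, or that the code recording the next entry's cookie slot overwrites it unconditionally; otherwise a stale offset1 could outlive its entry the same way the stale offset did.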