From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Trond Myklebust
Subject: [PATCH 5.10 092/252] NFS: fix an incorrect limit in filelayout_decode_layout()
Date: Mon, 31 May 2021 15:12:37 +0200
Message-Id: <20210531130701.095374234@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130657.971257589@linuxfoundation.org>
References: <20210531130657.971257589@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.

The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
memory corruption. It should be NFS_MAXFHSIZE because that's the size of
the ->data[] buffer.

I reversed the sides of the arguments to put the variable on the left.

Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
Signed-off-by: Dan Carpenter
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman
---
 fs/nfs/filelayout/filelayout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/filelayout/filelayout.c +++ b/fs/nfs/filelayout/filelayout.c @@ -718,7 +718,7 @@ filelayout_decode_layout(struct pnfs_lay if (unlikely(!p)) goto out_err; fl->fh_array[i]->size = be32_to_cpup(p++); - if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) { + if (fl->fh_array[i]->size > NFS_MAXFHSIZE) { printk(KERN_ERR "NFS: Too big fh %d received %d\n", i, fl->fh_array[i]->size); goto out_err;
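Review bot: the bound on the `+` line is now NFS_MAXFHSIZE, which the commit message identifies as the capacity of ->data[], so a size equal to NFS_MAXFHSIZE is accepted and anything larger takes the out_err path; that is the right boundary for a fixed-size array, whereas the old `sizeof(struct nfs_fh)` on the `-` line also counted the struct's own size member (visible here as fl->fh_array[i]->size) and let two extra bytes through. Because the value being compared comes straight off the wire via be32_to_cpup(p++), this is a check on untrusted input, and it would be worth a one-line comment above the `if` stating that the limit is the size of fh_array[i]->data, so a later cleanup does not drift back to sizeof() of the containing struct.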
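As an added illustration of the bug the commit message describes (not code from the patch or from the kernel), the two bounds side by side on a constructed model of struct nfs_fh; it assumes NFS_MAXFHSIZE is 128 and that the struct is a 16-bit size followed by the data[] buffer, and decode_fh() is a hypothetical stand-in for the kernel's XDR decode path.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the kernel type (assumption: NFS_MAXFHSIZE = 128). */
#define NFS_MAXFHSIZE 128
struct nfs_fh {
	unsigned short size;
	unsigned char data[NFS_MAXFHSIZE];
};

/* Old check ('-' line): bound is the whole struct, sizeof(size) bytes too big. */
int old_bound_accepts(uint32_t size)
{
	return !(sizeof(struct nfs_fh) < size);
}

/* New check ('+' line): bound is the capacity of data[]. */
int new_bound_accepts(uint32_t size)
{
	return !(size > NFS_MAXFHSIZE);
}

/* Sizes the old bound let through although they overrun data[]. */
int overrun_sizes_allowed_by_old_bound(void)
{
	int n = 0;
	for (uint32_t s = 0; s <= sizeof(struct nfs_fh); s++)
		if (old_bound_accepts(s) && !new_bound_accepts(s))
			n++;
	return n;	/* 2: NFS_MAXFHSIZE + 1 and NFS_MAXFHSIZE + 2 */
}

/* Hypothetical stand-in for the decode path: one XDR opaque (big-endian
 * 4-byte length, then the bytes) is copied into fh only after the fixed
 * bound and the input length are both checked. 0 on success, -1 on error. */
int decode_fh(const unsigned char *xdr, size_t xdr_len, struct nfs_fh *fh)
{
	if (xdr_len < 4)
		return -1;
	uint32_t size = ((uint32_t)xdr[0] << 24) | ((uint32_t)xdr[1] << 16) |
			((uint32_t)xdr[2] << 8) | (uint32_t)xdr[3];
	if (size > NFS_MAXFHSIZE)	/* the bound from the '+' line */
		return -1;
	if (xdr_len - 4 < size)		/* don't read past the input buffer */
		return -1;
	fh->size = (unsigned short)size;
	memcpy(fh->data, xdr + 4, size);	/* cannot exceed data[] now */
	return 0;
}
```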