From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Trond Myklebust
Subject: [PATCH 5.4 067/177] NFS: fix an incorrect limit in filelayout_decode_layout()
Date: Mon, 31 May 2021 15:13:44 +0200
Message-Id: <20210531130650.217775067@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130647.887605866@linuxfoundation.org>
References: <20210531130647.887605866@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.

The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
memory corruption. It should be NFS_MAXFHSIZE because that's the size
of the ->data[] buffer.

I reversed the sides of the arguments to put the variable on the left.

Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
Signed-off-by: Dan Carpenter
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman
---
 fs/nfs/filelayout/filelayout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/filelayout/filelayout.c
+++ b/fs/nfs/filelayout/filelayout.c
@@ -717,7 +717,7 @@ filelayout_decode_layout(struct pnfs_lay if (unlikely(!p)) goto out_err; fl->fh_array[i]->size = be32_to_cpup(p++); - if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) { + if (fl->fh_array[i]->size > NFS_MAXFHSIZE) { printk(KERN_ERR "NFS: Too big fh %d received %d\n", i, fl->fh_array[i]->size); goto out_err;
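Review bot: The hunk stores the decoded length into fl->fh_array[i]->size and only then compares it against NFS_MAXFHSIZE; prefer decoding into a local u32 and assigning to ->size after the check passes, so an out-of-range value never sits in the structure on the out_err path and the comparison is made on the full 32-bit wire value rather than on whatever ->size can hold. The new bound itself is the right one: NFS_MAXFHSIZE is the capacity of ->data[], whereas sizeof(struct nfs_fh) also counts the size field, which is the two extra bytes the description mentions. A small follow-up would be to include NFS_MAXFHSIZE in the "Too big fh" printk so the log shows the limit that was exceeded.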
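As an added illustration (not code from this patch or from the kernel), the following constructed C program models the bound the patch changes: a struct with a 16-bit size field in front of a fixed data buffer, so that sizeof() of the whole struct overshoots the buffer by two bytes. The struct `fh`, the `FH_MAX` constant, the `decode_fh` helper and the 4-byte big-endian wire format are assumptions standing in for nfs_fh, NFS_MAXFHSIZE, filelayout_decode_layout() and the XDR encoding. It shows which claimed lengths the old bound lets through, how far past the buffer a copy of that length would write, and a decoder that validates the length against the buffer before storing it or copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct nfs_fh: a 16-bit length
 * followed by a fixed-size data buffer.  FH_MAX is a placeholder for
 * NFS_MAXFHSIZE (128 in the kernel); the layout is an assumption. */
#define FH_MAX 128

struct fh {
    uint16_t size;
    unsigned char data[FH_MAX];
};

/* Largest length each bound lets through.  The pre-fix bound is the whole
 * struct, i.e. the data buffer plus the 2-byte size field in front of it. */
size_t buggy_limit(void) { return sizeof(struct fh); }
size_t fixed_limit(void) { return FH_MAX; }

/* 1 if the old bound accepts a length that the corrected bound rejects. */
int buggy_accepts_oversize(uint32_t len)
{
    return len <= buggy_limit() && len > fixed_limit();
}

/* Bytes a copy of `len` bytes into fh.data would write past the end of
 * the buffer (0 means the copy fits). */
size_t overrun_bytes(uint32_t len)
{
    return len > FH_MAX ? len - FH_MAX : 0;
}

/* Build a constructed wire message: 4-byte big-endian length, then `len`
 * payload bytes of 'A'.  Returns bytes written, or 0 if buf is too small. */
size_t make_wire(unsigned char *buf, size_t cap, uint32_t len)
{
    if (cap < 4 + (size_t)len)
        return 0;
    buf[0] = (unsigned char)(len >> 24);
    buf[1] = (unsigned char)(len >> 16);
    buf[2] = (unsigned char)(len >> 8);
    buf[3] = (unsigned char)len;
    memset(buf + 4, 'A', len);
    return 4 + len;
}

/* Decode one handle with the corrected bound.  The length is decoded into
 * a local u32 and checked against the buffer capacity before it is stored
 * in the struct or used for the copy.  Returns 0 on success, -1 on reject. */
int decode_fh(const unsigned char *wire, size_t wire_len, struct fh *out)
{
    if (wire_len < 4)
        return -1;
    uint32_t len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
                   ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
    if (len > FH_MAX)           /* bound against data[], not sizeof(struct) */
        return -1;
    if (wire_len - 4 < len)     /* sender must supply the bytes it claims */
        return -1;
    out->size = (uint16_t)len;
    memcpy(out->data, wire + 4, len);
    return 0;
}

int main(void)
{
    unsigned char wire[4 + FH_MAX + 2];
    struct fh fh;
    uint32_t len = FH_MAX + 2;  /* exactly sizeof(struct fh) */

    printf("sizeof(struct fh)=%zu FH_MAX=%d\n", buggy_limit(), FH_MAX);
    printf("len %u: old bound accepts=%d, would overrun data[] by %zu bytes\n",
           len, buggy_accepts_oversize(len), overrun_bytes(len));
    size_t n = make_wire(wire, sizeof wire, len);
    printf("fixed decoder result for len %u: %d\n", len, decode_fh(wire, n, &fh));
    n = make_wire(wire, sizeof wire, FH_MAX);
    printf("fixed decoder result for len %d: %d (size=%u)\n",
           FH_MAX, decode_fh(wire, n, &fh), fh.size);
    return 0;
}
```

The decoder keeps the check ahead of the store, which is the ordering a reviewer would ask for in the kernel hunk as well: the raw 32-bit value is what gets compared, and nothing is written into the struct until the value is known to fit.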