Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp7388724rwi; Mon, 24 Oct 2022 14:00:59 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5kViwxMvMVa6YviGHdid3uQLc3PFQpNS4KSI1M+zS+pAqG/hdZ52CuplLxXD8rK+DGbOGz X-Received: by 2002:a17:907:97c7:b0:79b:f7c7:35ec with SMTP id js7-20020a17090797c700b0079bf7c735ecmr15129370ejc.362.1666645258785; Mon, 24 Oct 2022 14:00:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666645258; cv=none; d=google.com; s=arc-20160816; b=oJOyiOXGIS9QPg58wy0CTgguAtj/4SUZ8B3jw/lkzpxWQvMiGgQtnswiELZcj/KJWD SB3X5zQkGw2L1i9Z13RP9To7H3xhXKt6VAhWfLoTEOFvUU+s1F0TFPmhOm8jE81je8zq I++n94gekxufzWCmgF1lDskSU2t71Vqv82m8sseC5Dlu7g4VcbXl+x94ROOm398azCXk Mx4MT3JjGW/sNhGsPBQRbrF6Ds76fEmSGQJMOtItVeixDg0HX4Tx6nnVQTlOFbuTXf8Z 5FAZDGKxzWEpez0sq9AmxA+f2ZqvcO6IAz4V993aYhYKTvYg/A/Cnoa9siMx2M33R0pW Blhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=b1Dsi4XyApr1I0fuvndjNKibn0F/z8Z060rfQznD1NQ=; b=UFUZ9EXFPISD7/hUlk2S9rT/SpXgVmeWE9B2hDqVgF3mCRikKXahqiWtxyO0gyJtgE Tq++b15WTU0YoBYkRSa3/4Gd1fK96VCfmdZgPls2P6n3j+yxFeloaXsgKoEzPkhMnUDB bovXQf+LUi/KHyx7zG81WXRLOH87pvt8COa46t43BzO51JakHRNgKmpfpsqcDqrq2lQ/ JCd6h4DCKaecxXGFwbBUXjdIfP0fW6lvDSh7ZSlHHjwuXsiX/L2VQOFM8XIpcviNpLlo LfFXfl2uUV69BMFHFWVneyaZP/oF9q0aoObI0ndAWRTpeWW+OYi45veZJLQUQhZTdP1/ Es6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GcBfzeTY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r11-20020a50aacb000000b00458ab55ccc9si739807edc.168.2022.10.24.14.00.33; Mon, 24 Oct 2022 14:00:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=GcBfzeTY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233953AbiJXUBA (ORCPT + 99 others); Mon, 24 Oct 2022 16:01:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234259AbiJXT7e (ORCPT ); Mon, 24 Oct 2022 15:59:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DB4C22537; Mon, 24 Oct 2022 11:22:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A7DE4B81886; Mon, 24 Oct 2022 12:36:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 012E6C433D7; Mon, 24 Oct 2022 12:36:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666614968; bh=/AcIXoetPdzPf4/uB9B8l2ay+aVrATiWQ9JdhKzLDAM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GcBfzeTYUQhKve6OeR1UX/h2mKdMVIixCTlcs+Jk251SnGENqKUjaSUdUXmIzgq82 5pskOUEChk4gHmzZZ+p8oPzygCiU5qSVhG2L6sqnI3w3eCwIBzGJbSub0rZnllCPOE kxzUFVdJrLcqPHQBTOm0o8R62kbYGKuSP18LE48E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Ronallo , Chuck Lever , Jeff Layton Subject: [PATCH 5.15 064/530] NFSD: Protect against send buffer overflow in NFSv3 READDIR Date: Mon, 24 Oct 2022 13:26:48 +0200 Message-Id: <20221024113047.941028770@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221024113044.976326639@linuxfoundation.org> References: <20221024113044.976326639@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chuck Lever commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 upstream. Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply message at the same time. Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large. A client can force this shrinkage on TCP by sending a correctly- formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case. Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this issue. Reported-by: Ben Ronallo Cc: Signed-off-by: Chuck Lever Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman --- fs/nfsd/nfs3proc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/fs/nfsd/nfs3proc.c +++ b/fs/nfsd/nfs3proc.c @@ -447,13 +447,14 @@ static void nfsd3_init_dirlist_pages(str { struct xdr_buf *buf = &resp->dirlist; struct xdr_stream *xdr = &resp->xdr; - - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); + unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen, + svc_max_payload(rqstp)); memset(buf, 0, sizeof(*buf)); /* Reserve room for the NULL ptr & eof flag (-2 words) */ - buf->buflen = count - XDR_UNIT * 2; + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf); + buf->buflen -= XDR_UNIT * 2; buf->pages = rqstp->rq_next_page; rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;