Subject: [PATCH v1 4/7] lockd: Check for junk after RPC Call messages
From: Chuck Lever
To: linux-nfs@vger.kernel.org
Date: Tue, 23 Aug 2022 17:00:26 -0400
Message-ID: <166128842661.2788.12824170997837980965.stgit@manet.1015granger.net>
In-Reply-To: <166128840714.2788.7887913547062461761.stgit@manet.1015granger.net>

The current RPC server code allows incoming RPC messages up to about a megabyte in size. For TCP, this is based on the size value contained in the RPC record marker.

Currently, lockd ignores anything in the message that is past the end of the encoded RPC Call message. A very large RPC message can arrive with just an NLM LOCK operation in it, and lockd ignores the rest of the message until the next RPC fragment in the TCP stream.

That ignored data still consumes pages in the svc_rqst's page array, however. The current arrangement is that each svc_rqst gets about 260 pages, assuming that all supported NLM operations will never require more than a total of 260 pages to decode a Call message and construct its corresponding Reply message.

A clever attacker can add garbage at the end of an RPC Call message. At the least, it can result in a short or empty NLM result.

So, let's teach lockd to look for such shenanigans and reject any Call where the incoming RPC frame has content remaining in the receive buffer after lockd has decoded the Call arguments.

Signed-off-by: Chuck Lever
---
 fs/lockd/svc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c index 59ef8a1f843f..80b3f1a006f6 100644 --- a/fs/lockd/svc.c +++ b/fs/lockd/svc.c @@ -694,9 +694,12 @@ module_exit(exit_nlm); static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp) { const struct svc_procedure *procp = rqstp->rq_procinfo; + struct xdr_stream *xdr = &rqstp->rq_arg_stream; svcxdr_init_decode(rqstp); - if (!procp->pc_decode(rqstp, &rqstp->rq_arg_stream)) + if (!procp->pc_decode(rqstp, xdr)) + goto out_decode_err; + if (xdr_stream_remaining(xdr)) goto out_decode_err; *statp = procp->pc_func(rqstp);
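Review bot: both failure paths in this hunk jump to the same out_decode_err label, so a Call whose arguments decoded cleanly but left bytes in the record is reported exactly like a Call whose arguments did not decode at all, and nothing in the hunk records how many bytes were left over. Since the commit message expects this to catch deliberately padded Calls, a distinct label (for example `goto out_trailing_junk;`) that logs or traces the value of `xdr_stream_remaining(xdr)` before reporting the error would let an operator tell a hostile peer from a client with a broken encoder. A one-line comment above `if (xdr_stream_remaining(xdr))` saying that the check applies to every NLM procedure, NLM_NULL included, would also document the new behaviour at the point where it is enforced.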
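The framing the commit message describes, as an added example that is not part of this patch or of the kernel: a userspace C model of an RPC record arriving over TCP, decoded the way nlmsvc_dispatch() decodes it after the patch, with the "bytes left in the record" check applied after the arguments. It assumes single-fragment records, AUTH_NONE credentials and only the NLM_NULL and NLM_LOCK procedures; every name in it (xdr, nlm_dispatch, demo, the verdict enum) is this example's own, and the test records it builds are constructed here, not captured traffic.

```c
/* Added example, not kernel or lockd code: a userspace model of the check the
 * patch adds to nlmsvc_dispatch(). RPC header per RFC 5531, args per NLMv4 LOCK. */
#include <stdint.h>
#include <string.h>
#define NLM_PROG     100021u   /* ONC RPC program number for NLM */
#define NLMPROC_NULL 0u
#define NLMPROC_LOCK 2u
enum verdict { NLM_ACCEPT, NLM_GARBAGE_ARGS, NLM_TRAILING_JUNK, NLM_UNMODELED_PROC, NLM_BAD_RECORD };
struct xdr { const uint8_t *p, *end; };   /* decode cursor over one RPC record */
struct enc { uint8_t *buf; size_t len; }; /* encode cursor for constructed records */

static uint32_t be32(const uint8_t *b) { return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3]; }
/* XDR items are whole 4-byte big-endian words; never read past the record. */
static int xdr_u32(struct xdr *x, uint32_t *v)
{
	if (x->end - x->p < 4) return 0;
	*v = be32(x->p); x->p += 4;
	return 1;
}
/* Variable-length opaque or string: length word, bytes, zero pad to 4. */
static int xdr_opaque(struct xdr *x, uint32_t *len)
{
	size_t padded;
	if (!xdr_u32(x, len)) return 0;
	padded = ((size_t)*len + 3) & ~(size_t)3;
	if ((size_t)(x->end - x->p) < padded) return 0;
	x->p += padded;
	return 1;
}
static size_t xdr_remaining(const struct xdr *x) { return (size_t)(x->end - x->p); }
struct rpc_call { uint32_t xid, prog, vers, proc; };
/* RPC CALL header: xid, msg_type, rpcvers, prog, vers, proc, cred, verf. */
static int decode_rpc_call(struct xdr *x, struct rpc_call *c)
{
	uint32_t mtype, rpcvers, flavor, len;
	if (!xdr_u32(x, &c->xid) || !xdr_u32(x, &mtype) || mtype != 0) return 0;
	if (!xdr_u32(x, &rpcvers) || rpcvers != 2) return 0;
	if (!xdr_u32(x, &c->prog) || !xdr_u32(x, &c->vers) || !xdr_u32(x, &c->proc)) return 0;
	for (int i = 0; i < 2; i++)   /* cred, verf: opaque_auth = flavor + opaque body */
		if (!xdr_u32(x, &flavor) || !xdr_opaque(x, &len)) return 0;
	return 1;
}
/* nlm4_lockargs: cookie, block, exclusive, alock{caller_name, fh, oh, svid,
 * l_offset(64), l_len(64)}, reclaim, state. Values are skipped; only framing matters. */
static int decode_nlm4_lockargs(struct xdr *x)
{
	uint32_t u;
	if (!xdr_opaque(x, &u) || !xdr_u32(x, &u) || !xdr_u32(x, &u)) return 0;
	if (!xdr_opaque(x, &u) || !xdr_opaque(x, &u) || !xdr_opaque(x, &u)) return 0;
	for (int i = 0; i < 7; i++)   /* svid, l_offset, l_len, reclaim, state: 7 words */
		if (!xdr_u32(x, &u)) return 0;
	return 1;
}
/* Model of nlmsvc_dispatch() after the patch: strip the TCP record marker,
 * decode, then fail the Call if the record still holds unconsumed bytes. */
static enum verdict nlm_dispatch(const uint8_t *rec, size_t n)
{
	struct xdr x; struct rpc_call c; uint32_t rm, len;
	if (n < 4) return NLM_BAD_RECORD;
	rm = be32(rec); len = rm & 0x7fffffffu;
	if (!(rm & 0x80000000u) || n - 4 < len) return NLM_BAD_RECORD; /* one fragment per record */
	x.p = rec + 4; x.end = x.p + len;
	if (!decode_rpc_call(&x, &c) || c.prog != NLM_PROG || c.vers != 4) return NLM_BAD_RECORD;
	switch (c.proc) {
	case NLMPROC_NULL: break;                                   /* void arguments */
	case NLMPROC_LOCK: if (!decode_nlm4_lockargs(&x)) return NLM_GARBAGE_ARGS; break;
	default: return NLM_UNMODELED_PROC;
	}
	if (xdr_remaining(&x)) return NLM_TRAILING_JUNK;   /* the check the patch adds */
	return NLM_ACCEPT;
}
static void put_u32(struct enc *e, uint32_t v) { for (int s = 24; s >= 0; s -= 8) e->buf[e->len++] = (uint8_t)(v >> s); }
static void put_opaque(struct enc *e, const void *d, uint32_t n)
{
	put_u32(e, n); memcpy(e->buf + e->len, d, n); e->len += n;
	while (e->len & 3) e->buf[e->len++] = 0;
}
/* Constructed input: an NLMv4 Call with AUTH_NONE credentials, `junk` extra bytes
 * appended inside the record, and `cut` bytes (at most the body length) shaved off. */
static enum verdict demo(uint32_t proc, size_t junk, size_t cut)
{
	uint8_t buf[256]; struct enc e = { buf, 4 }, marker = { buf, 0 };
	static const uint8_t fh[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	put_u32(&e, 0x1234u); put_u32(&e, 0); put_u32(&e, 2);          /* xid, CALL, RPC v2 */
	put_u32(&e, NLM_PROG); put_u32(&e, 4); put_u32(&e, proc);
	for (int i = 0; i < 4; i++) put_u32(&e, 0);                     /* cred, verf: AUTH_NONE, empty */
	if (proc == NLMPROC_LOCK) {
		put_opaque(&e, "ck", 2); put_u32(&e, 0); put_u32(&e, 1);   /* cookie, block, exclusive */
		put_opaque(&e, "client.example", 14); put_opaque(&e, fh, 8); put_opaque(&e, "owner", 5);
		put_u32(&e, 7);                                            /* svid */
		for (int i = 0; i < 6; i++) put_u32(&e, 0);                /* l_offset, l_len, reclaim, state */
	}
	memset(buf + e.len, 0xa5, junk); e.len += junk;                 /* attacker's trailing bytes */
	put_u32(&marker, 0x80000000u | (uint32_t)(e.len - 4 - cut));   /* last-fragment bit + length */
	return nlm_dispatch(buf, e.len - cut);
}
```

demo(NLMPROC_LOCK, 8, 0) returns NLM_TRAILING_JUNK: the LOCK arguments decode without error, but eight bytes of the record were never consumed, which is exactly the case the old dispatcher let through. demo(NLMPROC_LOCK, 0, 4) returns NLM_GARBAGE_ARGS instead, because the record ends one word early and the decoder refuses to read past it. The kernel asks its xdr_stream for the remaining length rather than subtracting two pointers, but the decision is the same: a nonzero remainder after the last argument fails the Call instead of being silently ignored.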