Subject: [PATCH v3 4/6] NFSD: Protect against send buffer overflow in NFSv3 READDIR
From: Chuck Lever
To: linux-nfs@vger.kernel.org
Date: Thu, 01 Sep 2022 15:10:12 -0400
Message-ID: <166205941213.1435.18172275008498406790.stgit@manet.1015granger.net>
In-Reply-To: <166204973526.1435.6068003336048840051.stgit@manet.1015granger.net>
References: <166204973526.1435.6068003336048840051.stgit@manet.1015granger.net>
User-Agent: StGit/1.5.dev2+g9ce680a5
X-Mailing-List: linux-nfs@vger.kernel.org

Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply message at the same time.

Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large.

A client can force this shrinkage on TCP by sending a correctly-formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case.

Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this issue.

Reported-by: Ben Ronallo
Cc:
Signed-off-by: Chuck Lever
---
 fs/nfsd/nfs3proc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
index a41cca619338..7a159785499a 100644
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -563,13 +563,14 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp, { struct xdr_buf *buf = &resp->dirlist; struct xdr_stream *xdr = &resp->xdr; - - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); + unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen, + svc_max_payload(rqstp)); memset(buf, 0, sizeof(*buf)); /* Reserve room for the NULL ptr & eof flag (-2 words) */ - buf->buflen = count - XDR_UNIT * 2; + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf); + buf->buflen -= XDR_UNIT * 2; buf->pages = rqstp->rq_next_page; rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
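Review bot: in the second part of the hunk, `buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf);` followed by `buf->buflen -= XDR_UNIT * 2;` underflows if `sendbuf` is ever smaller than `XDR_UNIT * 2`: clamp() is then called with lo > hi and yields `sendbuf`, the subtraction wraps `buf->buflen` to a value near UINT_MAX, and the next line turns that into a huge rq_next_page advance. Nothing in the hunk guarantees `rqstp->rq_res.buflen >= XDR_UNIT * 2`, so either add a comment stating why the receive path always leaves at least that much send buffer, or bound it explicitly before the clamp, e.g. `sendbuf = max_t(unsigned int, sendbuf, XDR_UNIT * 2);`. Minor: the "Reserve room for the NULL ptr & eof flag" comment now sits above the clamp line; it reads better directly above the `buf->buflen -= XDR_UNIT * 2;` line it describes.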
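The arithmetic the commit message describes, as an added example that is not part of the patch or of the Linux kernel: one fixed page array backs both the RPC Call and the RPC Reply, so a bloated Call leaves fewer pages for the READDIR reply, and the old sizing, bounded only by svc_max_payload(), lets the dirlist spill past the end of the array. `struct fake_rqst`, `res_buflen()` and `reply_fits()` are hypothetical stand-ins for the kernel's svc_rqst page accounting, and the page counts, payload size and `count` values are constructed; the guard for a send buffer smaller than two XDR words is the example's own and is not in the patch.

```c
/*
 * Added example, not kernel code. Models how an nfsd thread's single page
 * array is shared between the received RPC Call and the RPC Reply, and how
 * the NFSv3 READDIR dirlist buffer is sized before and after the patch.
 * All sizes below are constructed inputs.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define XDR_UNIT  4u

/* Hypothetical stand-in for the parts of struct svc_rqst we need. */
struct fake_rqst {
    unsigned int total_pages;  /* pages in rq_pages                      */
    unsigned int call_pages;   /* pages consumed by the received RPC Call */
    unsigned int max_payload;  /* what svc_max_payload(rqstp) would return */
};

static uint32_t clamp_u32(uint32_t v, uint32_t lo, uint32_t hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Bytes left for the Reply once the Call has been received: the pages
 * after the Call. Models rq_res.buflen (auth slack ignored). */
static unsigned int res_buflen(const struct fake_rqst *rq)
{
    if (rq->call_pages >= rq->total_pages)
        return 0;
    return PAGE_SIZE * (rq->total_pages - rq->call_pages);
}

/* Pre-patch sizing: the client's count is bounded only by the max payload,
 * never by the send buffer that is actually left after the Call. */
static unsigned int dirlist_buflen_old(const struct fake_rqst *rq, uint32_t count)
{
    return clamp_u32(count, XDR_UNIT * 2, rq->max_payload) - XDR_UNIT * 2;
}

/* Patched sizing: also bounded by the remaining send buffer. The check for
 * sendbuf < 2 words is this example's own guard against the subtraction
 * wrapping; the patch itself has no such check. */
static unsigned int dirlist_buflen_new(const struct fake_rqst *rq, uint32_t count)
{
    unsigned int sendbuf = res_buflen(rq);

    if (sendbuf > rq->max_payload)
        sendbuf = rq->max_payload;
    if (sendbuf < XDR_UNIT * 2)
        return 0;
    return clamp_u32(count, XDR_UNIT * 2, sendbuf) - XDR_UNIT * 2;
}

/* Would advancing rq_next_page by ceil(buflen / PAGE_SIZE) pages run past
 * the end of the page array? */
static bool reply_fits(const struct fake_rqst *rq, unsigned int buflen)
{
    unsigned int needed = (buflen + PAGE_SIZE - 1) / PAGE_SIZE;

    return rq->call_pages + needed <= rq->total_pages;
}

/* Constructed scenarios: a 1 MiB max payload backed by 257 pages. */
static const struct fake_rqst normal_call  = { 257, 1,   1048576 };
static const struct fake_rqst bloated_call = { 257, 200, 1048576 };  /* oversized TCP record */

int main(void)
{
    const uint32_t count = 1048576;  /* client asks for the full payload */
    const struct fake_rqst *cases[] = { &normal_call, &bloated_call };

    for (unsigned int i = 0; i < 2; i++) {
        const struct fake_rqst *rq = cases[i];
        unsigned int old_len = dirlist_buflen_old(rq, count);
        unsigned int new_len = dirlist_buflen_new(rq, count);

        printf("call_pages=%u old buflen=%u fits=%d | new buflen=%u fits=%d\n",
               rq->call_pages, old_len, reply_fits(rq, old_len),
               new_len, reply_fits(rq, new_len));
    }
    return 0;
}
```

With the normal one-page Call both versions size the dirlist at 1048568 bytes and it fits. With a 200-page Call the old code still sizes it at 1048568 bytes, which needs 256 more pages than the 57 that remain, while the patched sizing caps it at 233464 bytes, exactly what those 57 pages hold.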