Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3214917rwb; Sat, 12 Nov 2022 01:07:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf4u+m+zO3MTwkf26cVBCyidwoZ9cEep2UWxP6zK4tjqMr38/TC02iNREg6HHucHWdEplQAq X-Received: by 2002:a17:90a:7acd:b0:215:d767:4863 with SMTP id b13-20020a17090a7acd00b00215d7674863mr5621793pjl.233.1668244051424; Sat, 12 Nov 2022 01:07:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668244051; cv=none; d=google.com; s=arc-20160816; b=eeeHef57twbC7OkVQgPPg2e8DtOj+pXuChAX+CWWTeU4eDJ54gdrlsBV2PuEXPCWTo 4iKoOIpkF1FezljLwkz7vOZV/qnoTkLRpBXPBiYV/7OD8nlnmPW864EVZlPiFKmXBivF TzUB51TdOViifmsIK/fI4yPG7E/7vO3JsOjaN4HvLScudohxiaLL+4IJm0OcvgUQVj2q Ph2AAkSCpcMzVvfhit3ZGJyZNdaCV5y8TsDbkpqXf86YzKH7lGl5ntnyQDXy75psG8M3 7enEhmyRHmS2Pq8oTCz0wlTLbhm5TuUMUygrB/2chhvmeyD5M2xFk7A8cCQkFyItrxGr cBRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=sicJ7fWzsMoc381SQ9IAQP04osU0RaebZ1LwaUjo2+0=; b=FpjzAF4OYWkR82EPwTBIxMXr8+N05MB6qUEdfQGwzPz9vxk02FEZxvdcEjtogVPGrx eCyHtBomwtxnM4Td0NcXvTJfY6MyBCSB/IffgU+mr0lZWpGUPuwTgGGKe+GUN7DwMxm+ bWtEvjMfHgjYX0eGQP5fH4DGyvzoaZ/fSygw9kKCBot6afvEdBmArlkodjsKCr0GyRTH o332aFI1Cl/wi9kcJU5z0pELkOkW0KcXj5Kr8io02YH05ZWzUXpttT89eM8T+aDUkIlm T5F7s8E+slSv1BxUr3q/jkeIMaY7jHi9Y2e4aWTiteBmNbE6DGFzA8xSvpUfkJ9ZuANw uasg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c4-20020a170902aa4400b00178488bcbccsi4206245plr.239.2022.11.12.01.07.05; Sat, 12 Nov 2022 01:07:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233552AbiKLJEx (ORCPT + 99 others); Sat, 12 Nov 2022 04:04:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230043AbiKLJEw (ORCPT ); Sat, 12 Nov 2022 04:04:52 -0500 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20D49FD4 for ; Sat, 12 Nov 2022 01:04:52 -0800 (PST) Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.57]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4N8V4y2ZdCz15Lxh; Sat, 12 Nov 2022 17:04:34 +0800 (CST) Received: from kwepemm600019.china.huawei.com (7.193.23.64) by dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Sat, 12 Nov 2022 17:04:50 +0800 Received: from [10.174.177.210] (10.174.177.210) by kwepemm600019.china.huawei.com (7.193.23.64) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Sat, 12 Nov 2022 17:04:49 +0800 Subject: Re: Question about CVE-2022-43945 To: , CC: , References: <48b858aa-028b-1f56-3740-e59eb7a5fca2@huawei.com> From: yangerkun Message-ID: <265166ff-cd0b-ea5f-ad28-fed756dfd4ff@huawei.com> Date: Sat, 12 Nov 2022 17:04:49 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: <48b858aa-028b-1f56-3740-e59eb7a5fca2@huawei.com> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.210] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To kwepemm600019.china.huawei.com (7.193.23.64) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On 2022/11/12 13:01, yangerkun wrote: > Hi, Chuck Lever, > > CVE-2022-43945(https://nvd.nist.gov/vuln/detail/CVE-2022-43945) describe > that a normal request header ended with garbage data can trigger the > nfsd overflow since nfsd share the request and response with the same > pages array. > > It seems that the > patchset(https://lore.kernel.org/linux-nfs/166204973526.1435.6068003336048840051.stgit@manet.1015granger.net/T/#t) > has solved NFSv2/NFSv3, but leave NFSv4 still vulnerably? > > Another question, for stable branch like lts-5.10, since NFSv2/NFSv3 did > not switch to xdr_stream, the nfs_request_too_big in nfsd_dispatch will > reject the request like READ/READDIR with too large request. So it seems > branch without that "switch" seems ok for NFSv2/NFSv3, but NFSv3 still > vulnerably. right? > > Looking forward to your reply! Sorry, notice that 76ce4dcec0dc"NFSD: Cap rsize_bop result based on send buffer size") fix same problem for NFSv4. So, for the stable branch like lts-5.10 which NFSv2/NFSv3 do not switch to xdr_stream, it seems we only need 76ce4dcec0dc"NFSD: Cap rsize_bop result based on send buffer size"). Right? > > Thanks, > Erkun Yang > .