Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Chuck Lever III <chuck.lever@oracle.com>
To:     yangerkun <yangerkun@huawei.com>
CC:     Jeff Layton <jlayton@kernel.org>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        "yi.zhang@huawei.com" <yi.zhang@huawei.com>
Subject: Re: Question about CVE-2022-43945
Thread-Topic: Question about CVE-2022-43945
Thread-Index: AQHY9lPsG7m4h0F1H0mCkh/AgNtLPK46/vqAgAB3S4A=
Date:   Sat, 12 Nov 2022 16:11:47 +0000
Message-ID: <B00F6DD5-8215-457B-A681-39D7A64B7668@oracle.com>
References: <48b858aa-028b-1f56-3740-e59eb7a5fca2@huawei.com>
 <265166ff-cd0b-ea5f-ad28-fed756dfd4ff@huawei.com>
In-Reply-To: <265166ff-cd0b-ea5f-ad28-fed756dfd4ff@huawei.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?m66GFumwJpO2yBbsHb3a5sxngXAWbUHa9YV8HoD9l5FLQdUJTnrzGxGwE0A3?=
 =?us-ascii?Q?4RjtRrEw2KS+sEcUEuPOLgYru6ERiJ0iQ8+fzIaDq0mjRepAeFIcaqZeTRhh?=
 =?us-ascii?Q?DMcYtterjDiDTeb0ELsG3BWL32VpFu3CIVaWDU2X3qvQlvpOl8AkMWRalj/+?=
 =?us-ascii?Q?KpQ4XZ3AZvUZkCzcojTyG4npKd8K6jfHu+hTViZkxGQrY30ganv42ERAtsBA?=
 =?us-ascii?Q?fyBSDgsuZ8y31bQ7/SLEtArTPzlfZ1uxt32UJlzSYGssRUwhn02fT80ZpmOH?=
 =?us-ascii?Q?a9l4dPD9wpq4sbhffDIUwh5F7S8HDLLul0hEyiRbV2A9KELWNz8mvCceLZbj?=
 =?us-ascii?Q?UyBYAYwt3KUl7t0av4d9ozzWb/035cj9kabQMivT9NfW38wz1GJb1ZAItWMW?=
 =?us-ascii?Q?3G3y/INO37Z0Yaodzntlo6mttxUZR+J4UvhJiFEU9eFD0RC0UEH3iVt7X1oR?=
 =?us-ascii?Q?UkT1vDDyMFV8wBt4bdkh+jC3ndrHWKzBbEE4lyZ719SvQWxLT/lsjfyi61WR?=
 =?us-ascii?Q?mrLAAthaPOEB7i6xNNSU6XW+jbjvBmcWBycIeSdpX8TObxcmxbEk4N2s6pyU?=
 =?us-ascii?Q?5n4ytotVsDBPKSSZd1w4YIHBrNPc7X7GYM7SJXI1jxupB9G6afF9+T3NSEjA?=
 =?us-ascii?Q?u/pot3Mh/US/JZZzuCXgsB35aM+eSEJsRqtWSUanHQkXiyvz1aTkYJ57yV+x?=
 =?us-ascii?Q?fc/dKR23YWRXTdhCKYStPfYS8IgtjEO1oo2SIe4IrvjuQkODkYa2IT7PAJtx?=
 =?us-ascii?Q?8jlkNmoqZ2QD/+ltbmWTG7jnOwja5dIuCtmZp2PcT5OWuRm19sm2Hpgw3Upj?=
 =?us-ascii?Q?rsBnIiiD6UFkPn06bT/Ko3T7S8s13u4/aWWJ+BuVOQkBBx99PsV2VtW/QTVX?=
 =?us-ascii?Q?sVDirhq7YOPIR0z5rzUfIdAOlzzgmgyYruFMcUEnRODdR5iP4kkkMbu7dHEi?=
 =?us-ascii?Q?YR6wLUQGKYKsCho2JUM1H5MYW20CtTw3uegkKjsJYawEBMdYPcvmxucEz6rE?=
 =?us-ascii?Q?/apo2LXuKCwWTDIM5wXg9Lvt9fanJGZdH8HM+Aam+UaSXCt3uTXvkvTalR2U?=
 =?us-ascii?Q?wTUq+EFKog1YO/klKUWYSgTPPbQ6qdr0ra3n8jCdX/vdEIloU66QmqWhRMSX?=
 =?us-ascii?Q?TvYvsKyUNN9f64VNe7PX4ZzeBvwh43OrM/bo6HaNdthqRZ9JMzcVu0UqnbIp?=
 =?us-ascii?Q?TXj92ReN1hy5sOfQ/f8y3qQ0U1lBP3jCAmNJ6Ey6mOfXli//FYiGmb43fqmy?=
 =?us-ascii?Q?Cn0plnaOZj0mRY1RbQEaKbHwoQQxzXsR2DuICI+Xl4k+R8yAC+rFhr0Zl/+0?=
 =?us-ascii?Q?XaSXYP9IvHpczXslWYdblwSO5oLgDurTWo+l0I/qXfB0y6gmISyV2MQj4Spo?=
 =?us-ascii?Q?JTjn8VADqwYXUDuX9IbEJQRdYvOI+7sxRk3CbcilAyyns8SJM6xO10aMzLPC?=
 =?us-ascii?Q?BzNTiXCmyYHaggD185EuYEBSkWCC6f9G6aVLEtnTb/eWLWULjf5DPdvBQLPI?=
 =?us-ascii?Q?QcaSSCtY0TBCf8CwdxhC7ZbWpHZSP8QS4gDMdQgDtAWsalF8fU6jF2TkPN7e?=
 =?us-ascii?Q?znRZg/Dp5EHLXMCkXutqrBjvCoflTa+4CMkjTRaBYDXDUsdObGyEaCdQM+UL?=
 =?us-ascii?Q?SQ=3D=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0C82E23AA948374986C4C9AF0F9644CC@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: oOTDCPHGzHvQv106deZJXTy7QcHa6nZmv/t5yWgUfKmHN5S+D2pJR1KrgwF9c4SoKh4JyOmnBnKL7Oo5KwEJHr8H1qCqwF0HRqQnSf2FiyJLqpo7lIhDKzurqoqXHC4lLM081qmJ+Hox7C96QARJKu7wCZXVe1ZEGEYgukJNzehx02OoUIlEFIr3jBzo7+LJnmnGO23fNFoUjvTa4smB98rfHmiwTEJJzqpi07rEukA9lDpbiuIszyRLQ7pH7JOu6qwaStjCiwFCyyV6kc69L+wrhIPDqIYrBgV8QC8p50XaIP6Gequ+Ni2YhEtDgXHCzIunw/svEN2wnV2HG9Sm0aLcYov/ok6eyfhnz4WW+x7jyJwF++C5pg19zVXpr/Wr51Duwk2zbAjTeaYs489mzTmOPD1DAvlFxUBYh3Bof/MnlM2QhU/KCnEmBiFjk9s0MgiW6RnHJw4fzJFrM0kKm/4vOSwcy9uTxm/hpehro/pu6KT1viA1RFXhe9vRHvk2NpaoxMzVtFBgX8z6wHsmoymdiHkM8vUlpCXe96XXIN/3a0fhKfJSdjnZodVnr6Y4cVrWTHztvWum6r8bhozkfGyVRB4mKfYnO/pW3N9FYDQRpEb78dJCiSlg6SVrVfLFHZJDQ7j3oDGJ5Fdkz1qEx/QC+AFPmP7/SCGuRd0nZXllXO51z/w90Q8TG1FVz45kHDtC+Tx92yg7DJ05mOtObK5AgylkYP6hrmoiABVaL/lFfFgAY+WMCXwYRFmCDfw5FOb5R463MtF41ulMvDwQIvB+sYu3LzMWLcl+eiczO15ytEaIZv/wu89IufxGH2jA1BCH/+Z0gM2TwdEqz98pUmJZ8H+OtEIfpQPxwHjsTeo=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5128.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a2230c6-1fad-47fe-9614-08dac4c899c0
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2022 16:11:47.7760
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HCAujoO7+YCIPJuHD952dHBu0FEkQswibxR+VfHSqM3T/PW4/Co/WS9uGYgk+C2GTNSLIGwnBLnxCnrKsUKLUQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR10MB5969
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1
 definitions=2022-11-12_11,2022-11-11_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 spamscore=0 mlxscore=0
 malwarescore=0 adultscore=0 bulkscore=0 mlxlogscore=871 phishscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000
 definitions=main-2211120124
X-Proofpoint-GUID: dkAGCkfd5CrOgKfGbHpTkkzDod74fgaz
X-Proofpoint-ORIG-GUID: dkAGCkfd5CrOgKfGbHpTkkzDod74fgaz
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org


> On Nov 12, 2022, at 4:04 AM, yangerkun <yangerkun@huawei.com> wrote:
>=20
> On 2022/11/12 13:01, yangerkun wrote:
>> Hi, Chuck Lever,
>> CVE-2022-43945(https://nvd.nist.gov/vuln/detail/CVE-2022-43945) describe=
 that a normal request header ended with garbage data can trigger the nfsd =
overflow since nfsd share the request and response with the same pages arra=
y.
>> It seems that the patchset(https://lore.kernel.org/linux-nfs/16620497352=
6.1435.6068003336048840051.stgit@manet.1015granger.net/T/#t) has solved NFS=
v2/NFSv3, but leave NFSv4 still vulnerably?

I asked the folks who reported this issue to check NFSv4 as well.
They were not able to exploit NFSv4 in the same way. For now we
believe this vulnerability does not impact the NFSv4 code paths.


>> Another question, for stable branch like lts-5.10, since NFSv2/NFSv3 did=
 not switch to xdr_stream, the nfs_request_too_big in nfsd_dispatch will re=
ject the request like READ/READDIR with too large request. So it seems bran=
ch without that "switch" seems ok for NFSv2/NFSv3, but NFSv3 still vulnerab=
ly. right?
>> Looking forward to your reply!
>=20
> Sorry, notice that 76ce4dcec0dc ("NFSD: Cap rsize_bop result based on sen=
d buffer size") fix same problem for NFSv4.

76ce4dcec0dc is a defensive fix. But, as I stated above, we haven't
yet found that NFSD's NFSv4 implementation is vulnerable to this
issue.


> So, for the stable branch like lts-5.10 which NFSv2/NFSv3 do not switch t=
o xdr_stream, it seems we only need 76ce4dcec0dc"NFSD: Cap rsize_bop result=
 based on send buffer size"). Right?

At this time we don't believe 76ce4dcec0dc is required. But if
you want it applied to v5.10 (or any LTS kernel) please first
test that it does not result in a regression, and then make a
request to the usual stable maintainers.


--
Chuck Lever