linux-hardened/fs/nfsd
J. Bruce Fields e6838a29ec nfsd: check for oversized NFSv2/v3 arguments
A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-04-25 16:34:37 -04:00
..
acl.h nfsd4: remove nfs4_acl_new 2014-07-08 17:14:27 -04:00
auth.c cred: simpler, 1D supplementary groups 2016-10-07 18:46:30 -07:00
auth.h nfsd: Remove nfsd_luid, nfsd_lgid, nfsd_ruid and nfsd_rgid 2013-02-13 06:15:51 -08:00
blocklayout.c fs: add i_blocksize() 2017-02-27 18:43:46 -08:00
blocklayoutxdr.c Highlights: 2016-08-04 19:59:06 -04:00
blocklayoutxdr.h nfsd: add SCSI layout support 2016-03-18 11:42:53 -04:00
cache.h nfsd: Remove the cache_hash list 2014-08-17 12:00:12 -04:00
current_stateid.h
export.c nfsd: opt in to labeled nfs per export 2017-01-31 12:31:54 -05:00
export.h nfsd: allow nfsd to advertise multiple layout types 2016-07-15 15:31:32 -04:00
fault_inject.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
flexfilelayout.c nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
flexfilelayoutxdr.c nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
flexfilelayoutxdr.h nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
idmap.h nfsd: Remove duplicate define of IDMAP_NAMESZ/IDMAP_TYPE_xx 2015-07-20 14:58:46 -04:00
Kconfig block: make scsi_request and scsi ioctl support optional 2017-01-31 10:53:05 -07:00
lockd.c lockd: constify nlmsvc_binding structure 2016-01-07 10:10:50 -05:00
Makefile nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
netns.h netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nfs2acl.c sunrpc: turn bitfield flags in svc_version into bools 2017-02-24 15:50:08 -05:00
nfs3acl.c sunrpc: turn bitfield flags in svc_version into bools 2017-02-24 15:50:08 -05:00
nfs3proc.c NFSD: cleanup dead codes and values in nfsd_write 2017-01-31 12:31:53 -05:00
nfs3xdr.c A very quiet cycle for nfsd, mainly just an RDMA update from Chuck Lever. 2016-05-24 14:39:20 -07:00
nfs4acl.c nfsd: check permissions when setting ACLs 2016-06-24 12:11:52 -04:00
nfs4callback.c nfsd/callback: Drop a useless data copy when comparing sessionid 2017-02-17 16:26:02 -05:00
nfs4idmap.c nfsd/idmap: return nfserr_inval for 0-length names 2017-02-17 16:25:59 -05:00
nfs4layouts.c driver core patches for 4.11-rc1 2017-02-22 11:44:32 -08:00
nfs4proc.c nfsd: fix oops on unsupported operation 2017-04-13 11:18:56 -04:00
nfs4recover.c Various bugfixes, a RDMA update from Chuck Lever, and support for a new 2016-03-24 10:41:00 -07:00
nfs4state.c nfsd: remove superfluous KERN_INFO 2017-02-24 15:45:13 -05:00
nfs4xdr.c statx: Add a system call to make enhanced file info available 2017-03-02 20:51:15 -05:00
nfscache.c lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
nfsctl.c NFSD: further refinement of content of /proc/fs/nfsd/versions 2017-03-10 17:04:50 -05:00
nfsd.h nfsd: constify nfsd_suppatttrs 2017-01-31 12:31:54 -05:00
nfsfh.c nfsd: check d_can_lookup in fh_verify of directories 2016-08-04 17:11:48 -04:00
nfsfh.h wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
nfsproc.c nfsd: map the ENOKEY to nfserr_perm for avoiding warning 2017-03-10 16:54:55 -05:00
nfssvc.c nfsd: check for oversized NFSv2/v3 arguments 2017-04-25 16:34:37 -04:00
nfsxdr.c nfsd: Fix some indent inconsistancy 2016-07-13 15:53:41 -04:00
pnfs.h nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
state.h nfsd/callback: Cleanup callback cred on shutdown 2017-02-17 16:26:00 -05:00
stats.c drop redundant ->owner initializations 2016-05-29 19:08:00 -04:00
stats.h nfsd: move <linux/nfsd/stats.h> to fs/nfsd 2014-05-06 17:54:55 -04:00
trace.c nfsd: move include of state.h from trace.c to trace.h 2015-10-23 15:57:29 -04:00
trace.h nfsd: add new io class tracepoint 2016-01-14 17:32:51 -05:00
vfs.c nfsd: special case truncates some more 2017-02-21 10:13:37 -05:00
vfs.h statx: Add a system call to make enhanced file info available 2017-03-02 20:51:15 -05:00
xdr.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
xdr3.h nfsd: fix encode_entryplus_baggage stack usage 2014-01-23 13:50:27 -05:00
xdr4.h NFSD: Implement the COPY call 2016-10-07 14:54:25 -04:00
xdr4cb.h nfsd: plumb in a CB_NOTIFY_LOCK operation 2016-09-26 15:20:35 -04:00