queue/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-4.8 - Git at Google

 From fd933d047f2c198484a337878787dfde40c8264f Mon Sep 17 00:00:00 2001
 From: "J. Bruce Fields" <bfields@redhat.com>
 Date: Fri, 21 Apr 2017 15:26:30 -0400
 Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.

 The NFSv2/v3 code does not systematically check whether we decode past
 the end of the buffer.  This generally appears to be harmless, but there
 are a few places where we do arithmetic on the pointers involved and
 don't account for the possibility that a length could be negative.  Add
 checks to catch these.

 Reported-by: Tuomas Haanpää <thaan@synopsys.com>
 Reported-by: Ari Kauppi <ari@synopsys.com>
 Reviewed-by: NeilBrown <neilb@suse.com>
 Cc: stable@vger.kernel.org
 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
 index d18cfddbe115..452334694a5d 100644
 --- a/fs/nfsd/nfs3xdr.c
 +++ b/fs/nfsd/nfs3xdr.c
 @@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
  	args->count = ntohl(*p++);
  	args->stable = ntohl(*p++);
  	len = args->len = ntohl(*p++);
 +	if ((void *)p > head->iov_base + head->iov_len)
 +		return 0;
  	/*
  	 * The count must equal the amount of data passed.
  	 */
 @@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
  	/* first copy and check from the first page */
  	old = (char*)p;
  	vec = &rqstp->rq_arg.head[0];
 +	if ((void *)old > vec->iov_base + vec->iov_len)
 +		return 0;
  	avail = vec->iov_len - (old - (char*)vec->iov_base);
  	while (len && avail && *old) {
  		*new++ = *old++;
 diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
 index 59bd88a23a3d..de07ff625777 100644
 --- a/fs/nfsd/nfsxdr.c
 +++ b/fs/nfsd/nfsxdr.c
 @@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
  	 * bytes.
  	 */
  	hdr = (void*)p - head->iov_base;
 +	if (hdr > head->iov_len)
 +		return 0;
  	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;

  	/*
 --
 2.12.0
	From fd933d047f2c198484a337878787dfde40c8264f Mon Sep 17 00:00:00 2001
	From: "J. Bruce Fields" <bfields@redhat.com>
	Date: Fri, 21 Apr 2017 15:26:30 -0400
	Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.

	The NFSv2/v3 code does not systematically check whether we decode past
	the end of the buffer. This generally appears to be harmless, but there
	are a few places where we do arithmetic on the pointers involved and
	don't account for the possibility that a length could be negative. Add
	checks to catch these.

	Reported-by: Tuomas Haanpää <thaan@synopsys.com>
	Reported-by: Ari Kauppi <ari@synopsys.com>
	Reviewed-by: NeilBrown <neilb@suse.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: J. Bruce Fields <bfields@redhat.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
	index d18cfddbe115..452334694a5d 100644
	--- a/fs/nfsd/nfs3xdr.c
	+++ b/fs/nfsd/nfs3xdr.c
	@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst rqstp, __be32 p,
	args->count = ntohl(*p++);
	args->stable = ntohl(*p++);
	len = args->len = ntohl(*p++);
	+ if ((void *)p > head->iov_base + head->iov_len)
	+ return 0;
	/*
	* The count must equal the amount of data passed.
	*/
	@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst rqstp, __be32 p,
	/* first copy and check from the first page */
	old = (char*)p;
	vec = &rqstp->rq_arg.head[0];
	+ if ((void *)old > vec->iov_base + vec->iov_len)
	+ return 0;
	avail = vec->iov_len - (old - (char*)vec->iov_base);
	while (len && avail && *old) {
	new++ = old++;
	diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
	index 59bd88a23a3d..de07ff625777 100644
	--- a/fs/nfsd/nfsxdr.c
	+++ b/fs/nfsd/nfsxdr.c
	@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst rqstp, __be32 p,
	* bytes.
	*/
	hdr = (void*)p - head->iov_base;
	+ if (hdr > head->iov_len)
	+ return 0;
	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;

	/*
	--
	2.12.0