| From 6521aaf4e6ec402cb2935afc9ebae3e2637a4ded Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 24 Jul 2020 17:08:57 -0400 |
| Subject: SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") |
| |
| From: Chuck Lever <chuck.lever@oracle.com> |
| |
| [ Upstream commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f ] |
| |
| Braino when converting "buf->len -=" to "buf->len = len -". |
| |
| The result is under-estimation of the ralign and rslack values. On |
| krb5p mounts, this has caused READDIR to fail with EIO, and KASAN |
| splats when decoding READLINK replies. |
| |
| As a result of fixing this oversight, the gss_unwrap method now |
| returns a buf->len that can be shorter than priv_len for small |
| RPC messages. The additional adjustment done in unwrap_priv_data() |
| can underflow buf->len. This causes the nfsd_request_too_large |
| check to fail during some NFSv3 operations. |
| |
| Reported-by: Marian Rainer-Harbach |
| Reported-by: Pierre Sauter <pierre.sauter@stwm.de> |
| BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 |
| Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()") |
| Reviewed-by: J. Bruce Fields <bfields@redhat.com> |
| Signed-off-by: Chuck Lever <chuck.lever@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 +- |
| net/sunrpc/auth_gss/svcauth_gss.c | 1 - |
| 2 files changed, 1 insertion(+), 2 deletions(-) |
| |
| diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c |
| index cf0fd170ac189..90b8329fef824 100644 |
| --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c |
| +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c |
| @@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len, |
| buf->head[0].iov_len); |
| memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen); |
| buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip; |
| - buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip; |
| + buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip); |
| |
| /* Trim off the trailing "extra count" and checksum blob */ |
| xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip); |
| diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c |
| index 46027d0c903f9..c28051f7d217d 100644 |
| --- a/net/sunrpc/auth_gss/svcauth_gss.c |
| +++ b/net/sunrpc/auth_gss/svcauth_gss.c |
| @@ -958,7 +958,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs |
| |
| maj_stat = gss_unwrap(ctx, 0, priv_len, buf); |
| pad = priv_len - buf->len; |
| - buf->len -= pad; |
| /* The upper layers assume the buffer is aligned on 4-byte boundaries. |
| * In the krb5p case, at least, the data ends up offset, so we need to |
| * move it around. */ |
| -- |
| 2.25.1 |
| |