| From 6b3dccd48de8a4c650b01499a0b09d1e2279649e Mon Sep 17 00:00:00 2001 |
| From: Chuck Lever <chuck.lever@oracle.com> |
| Date: Thu, 1 Oct 2020 18:58:56 -0400 |
| Subject: NFSD: Add missing NFSv2 .pc_func methods |
| |
| From: Chuck Lever <chuck.lever@oracle.com> |
| |
| commit 6b3dccd48de8a4c650b01499a0b09d1e2279649e upstream. |
| |
| There's no protection in nfsd_dispatch() against a NULL .pc_func |
| helpers. A malicious NFS client can trigger a crash by invoking the |
| unused/unsupported NFSv2 ROOT or WRITECACHE procedures. |
| |
| The current NFSD dispatcher does not support returning a void reply |
| to a non-NULL procedure, so the reply to both of these is wrong, for |
| the moment. |
| |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Chuck Lever <chuck.lever@oracle.com> |
| Signed-off-by: J. Bruce Fields <bfields@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/nfsd/nfsproc.c | 16 ++++++++++++++++ |
| 1 file changed, 16 insertions(+) |
| |
| --- a/fs/nfsd/nfsproc.c |
| +++ b/fs/nfsd/nfsproc.c |
| @@ -118,6 +118,13 @@ done: |
| return nfsd_return_attrs(nfserr, resp); |
| } |
| |
| +/* Obsolete, replaced by MNTPROC_MNT. */ |
| +static __be32 |
| +nfsd_proc_root(struct svc_rqst *rqstp) |
| +{ |
| + return nfs_ok; |
| +} |
| + |
| /* |
| * Look up a path name component |
| * Note: the dentry in the resp->fh may be negative if the file |
| @@ -203,6 +210,13 @@ nfsd_proc_read(struct svc_rqst *rqstp) |
| return fh_getattr(&resp->fh, &resp->stat); |
| } |
| |
| +/* Reserved */ |
| +static __be32 |
| +nfsd_proc_writecache(struct svc_rqst *rqstp) |
| +{ |
| + return nfs_ok; |
| +} |
| + |
| /* |
| * Write data to a file |
| * N.B. After this call resp->fh needs an fh_put |
| @@ -617,6 +631,7 @@ static const struct svc_procedure nfsd_p |
| .pc_xdrressize = ST+AT, |
| }, |
| [NFSPROC_ROOT] = { |
| + .pc_func = nfsd_proc_root, |
| .pc_decode = nfssvc_decode_void, |
| .pc_encode = nfssvc_encode_void, |
| .pc_argsize = sizeof(struct nfsd_void), |
| @@ -654,6 +669,7 @@ static const struct svc_procedure nfsd_p |
| .pc_xdrressize = ST+AT+1+NFSSVC_MAXBLKSIZE_V2/4, |
| }, |
| [NFSPROC_WRITECACHE] = { |
| + .pc_func = nfsd_proc_writecache, |
| .pc_decode = nfssvc_decode_void, |
| .pc_encode = nfssvc_encode_void, |
| .pc_argsize = sizeof(struct nfsd_void), |