releases/5.9.5/nfsd-add-missing-nfsv2-.pc_func-methods.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6b3dccd48de8a4c650b01499a0b09d1e2279649e Mon Sep 17 00:00:00 2001
 From: Chuck Lever <chuck.lever@oracle.com>
 Date: Thu, 1 Oct 2020 18:58:56 -0400
 Subject: NFSD: Add missing NFSv2 .pc_func methods

 From: Chuck Lever <chuck.lever@oracle.com>

 commit 6b3dccd48de8a4c650b01499a0b09d1e2279649e upstream.

 There's no protection in nfsd_dispatch() against a NULL .pc_func
 helpers. A malicious NFS client can trigger a crash by invoking the
 unused/unsupported NFSv2 ROOT or WRITECACHE procedures.

 The current NFSD dispatcher does not support returning a void reply
 to a non-NULL procedure, so the reply to both of these is wrong, for
 the moment.

 Cc: <stable@vger.kernel.org>
 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/nfsd/nfsproc.c |   16 ++++++++++++++++
  1 file changed, 16 insertions(+)

 --- a/fs/nfsd/nfsproc.c
 +++ b/fs/nfsd/nfsproc.c
 @@ -118,6 +118,13 @@ done:
  	return nfsd_return_attrs(nfserr, resp);
  }

 +/* Obsolete, replaced by MNTPROC_MNT. */
 +static __be32
 +nfsd_proc_root(struct svc_rqst *rqstp)
 +{
 +	return nfs_ok;
 +}
 +
  /*
   * Look up a path name component
   * Note: the dentry in the resp->fh may be negative if the file
 @@ -203,6 +210,13 @@ nfsd_proc_read(struct svc_rqst *rqstp)
  	return fh_getattr(&resp->fh, &resp->stat);
  }

 +/* Reserved */
 +static __be32
 +nfsd_proc_writecache(struct svc_rqst *rqstp)
 +{
 +	return nfs_ok;
 +}
 +
  /*
   * Write data to a file
   * N.B. After this call resp->fh needs an fh_put
 @@ -617,6 +631,7 @@ static const struct svc_procedure nfsd_p
  		.pc_xdrressize = ST+AT,
  	},
  	[NFSPROC_ROOT] = {
 +		.pc_func = nfsd_proc_root,
  		.pc_decode = nfssvc_decode_void,
  		.pc_encode = nfssvc_encode_void,
  		.pc_argsize = sizeof(struct nfsd_void),
 @@ -654,6 +669,7 @@ static const struct svc_procedure nfsd_p
  		.pc_xdrressize = ST+AT+1+NFSSVC_MAXBLKSIZE_V2/4,
  	},
  	[NFSPROC_WRITECACHE] = {
 +		.pc_func = nfsd_proc_writecache,
  		.pc_decode = nfssvc_decode_void,
  		.pc_encode = nfssvc_encode_void,
  		.pc_argsize = sizeof(struct nfsd_void),
	From 6b3dccd48de8a4c650b01499a0b09d1e2279649e Mon Sep 17 00:00:00 2001
	From: Chuck Lever <chuck.lever@oracle.com>
	Date: Thu, 1 Oct 2020 18:58:56 -0400
	Subject: NFSD: Add missing NFSv2 .pc_func methods

	From: Chuck Lever <chuck.lever@oracle.com>

	commit 6b3dccd48de8a4c650b01499a0b09d1e2279649e upstream.

	There's no protection in nfsd_dispatch() against a NULL .pc_func
	helpers. A malicious NFS client can trigger a crash by invoking the
	unused/unsupported NFSv2 ROOT or WRITECACHE procedures.

	The current NFSD dispatcher does not support returning a void reply
	to a non-NULL procedure, so the reply to both of these is wrong, for
	the moment.

	Cc: <stable@vger.kernel.org>
	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
	Signed-off-by: J. Bruce Fields <bfields@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/nfsd/nfsproc.c \| 16 ++++++++++++++++
	1 file changed, 16 insertions(+)

	--- a/fs/nfsd/nfsproc.c
	+++ b/fs/nfsd/nfsproc.c
	@@ -118,6 +118,13 @@ done:
	return nfsd_return_attrs(nfserr, resp);
	}

	+/* Obsolete, replaced by MNTPROC_MNT. */
	+static __be32
	+nfsd_proc_root(struct svc_rqst *rqstp)
	+{
	+ return nfs_ok;
	+}
	+
	/*
	* Look up a path name component
	* Note: the dentry in the resp->fh may be negative if the file
	@@ -203,6 +210,13 @@ nfsd_proc_read(struct svc_rqst *rqstp)
	return fh_getattr(&resp->fh, &resp->stat);
	}

	+/* Reserved */
	+static __be32
	+nfsd_proc_writecache(struct svc_rqst *rqstp)
	+{
	+ return nfs_ok;
	+}
	+
	/*
	* Write data to a file
	* N.B. After this call resp->fh needs an fh_put
	@@ -617,6 +631,7 @@ static const struct svc_procedure nfsd_p
	.pc_xdrressize = ST+AT,
	},
	[NFSPROC_ROOT] = {
	+ .pc_func = nfsd_proc_root,
	.pc_decode = nfssvc_decode_void,
	.pc_encode = nfssvc_encode_void,
	.pc_argsize = sizeof(struct nfsd_void),
	@@ -654,6 +669,7 @@ static const struct svc_procedure nfsd_p
	.pc_xdrressize = ST+AT+1+NFSSVC_MAXBLKSIZE_V2/4,
	},
	[NFSPROC_WRITECACHE] = {
	+ .pc_func = nfsd_proc_writecache,
	.pc_decode = nfssvc_decode_void,
	.pc_encode = nfssvc_encode_void,
	.pc_argsize = sizeof(struct nfsd_void),