lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <lsq.1496331655.909285981@decadent.org.uk>
Date:   Thu, 01 Jun 2017 16:40:55 +0100
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "J. Bruce Fields" <bfields@...hat.com>,
        "Tuomas Haanpää" <thaan@...opsys.com>,
        "Ari Kauppi" <ari@...opsys.com>, "NeilBrown" <neilb@...e.com>
Subject: [PATCH 3.2 093/101] nfsd: stricter decoding of write-like
 NFSv2/v3 ops

3.2.89-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfields@...hat.com>

commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.

The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer.  This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative.  Add
checks to catch these.

Reported-by: Tuomas Haanpää <thaan@...opsys.com>
Reported-by: Ari Kauppi <ari@...opsys.com>
Reviewed-by: NeilBrown <neilb@...e.com>
Signed-off-by: J. Bruce Fields <bfields@...hat.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 fs/nfsd/nfs3xdr.c | 4 ++++
 fs/nfsd/nfsxdr.c  | 2 ++
 2 files changed, 6 insertions(+)

--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -363,6 +363,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
 	args->count = ntohl(*p++);
 	args->stable = ntohl(*p++);
 	len = args->len = ntohl(*p++);
+	if ((void *)p > head->iov_base + head->iov_len)
+		return 0;
 	/*
 	 * The count must equal the amount of data passed.
 	 */
@@ -467,6 +469,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
 	/* first copy and check from the first page */
 	old = (char*)p;
 	vec = &rqstp->rq_arg.head[0];
+	if ((void *)old > vec->iov_base + vec->iov_len)
+		return 0;
 	avail = vec->iov_len - (old - (char*)vec->iov_base);
 	while (len && avail && *old) {
 		*new++ = *old++;
--- a/fs/nfsd/nfsxdr.c
+++ b/fs/nfsd/nfsxdr.c
@@ -298,6 +298,8 @@ nfssvc_decode_writeargs(struct svc_rqst
 	 * bytes.
 	 */
 	hdr = (void*)p - head->iov_base;
+	if (hdr > head->iov_len)
+		return 0;
 	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
 
 	/*

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ