Message-ID: <1677F534-541E-480D-8C4B-7BF6126358B0@oracle.com>
Date:   Mon, 3 Oct 2022 14:12:38 +0000
From:   Chuck Lever III <chuck.lever@...cle.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
CC:     Linux NFS Mailing List <linux-nfs@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Jeff Layton <jlayton@...nel.org>
Subject: [GIT PULL] NFSD changes for 6.1

Hi Linus-

We are still working on an infrequent UAF that happens during
an NFSv4 DELEGRETURN request, as documented here:

  https://bugzilla.linux-nfs.org/show_bug.cgi?id=394

This appears to have been an issue for the past several
releases (maybe since v5.14 or v5.15?). I expect Jeff and I
will have this addressed in the next couple of weeks.

However, the other v6.1 changes for NFSD are ready for you now.


---- Pull request follows ----

The following changes since commit 521a547ced6477c54b4b0cc206000406c221b4d6:

  Linux 6.0-rc6 (2022-09-18 13:44:14 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git tags/nfsd-6.1

for you to fetch changes up to 895ddf5ed4c54ea9e3533606d7a8b4e4f27f95ef:

  nfsd: extra checks when freeing delegation stateids (2022-09-26 14:50:58 -0400)

----------------------------------------------------------------
NFSD 6.1 Release Notes

This release is mostly bug fixes, clean-ups, and optimizations.

One notable set of fixes addresses a subtle buffer overflow issue
that occurs if a small RPC Call message arrives in an oversized
RPC record. This is only possible on a framed RPC transport such
as TCP.

Because NFSD shares the receive and send buffers in one set of
pages, an oversized RPC record steals pages from the send buffer
that will be used to construct the RPC Reply message. NFSD must
not assume that a full-sized buffer is always available to it;
otherwise, it will walk off the end of the send buffer while
constructing its reply.

In this release, we also introduce the ability for the server to
wait a moment for clients to return delegations before it responds
with NFS4ERR_DELAY. This saves a retransmit and a network round-
trip when a delegation recall is needed. This work will be built
upon in future releases.

The NFS server adds another shrinker to its collection. Because
courtesy clients can linger for quite some time, they might be
freeable when the server host comes under memory pressure. A new
shrinker has been added that releases courtesy client resources
during low memory scenarios.

Lastly, of note: the maximum number of operations per NFSv4
COMPOUND that NFSD can handle is increased from 16 to 50. There
are NFSv4 client implementations that need more than 16 to
successfully perform a mount operation that uses a pathname
with many components.

----------------------------------------------------------------
Anna Schumaker (1):
      NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data

ChenXiaoSong (5):
      nfsd: use DEFINE_PROC_SHOW_ATTRIBUTE to define nfsd_proc_ops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define export_features_fops and supported_enctypes_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define client_info_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_reply_cache_stats_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_file_cache_stats_fops

Christophe JAILLET (3):
      nfsd: Fix a memory leak in an error handling path
      nfsd: Avoid some useless tests
      nfsd: Propagate some error code returned by memdup_user()

Chuck Lever (30):
      NFSD: Increase NFSD_MAX_OPS_PER_COMPOUND
      SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
      SUNRPC: Fix svcxdr_init_encode's buflen calculation
      NFSD: Protect against send buffer overflow in NFSv2 READDIR
      NFSD: Protect against send buffer overflow in NFSv3 READDIR
      NFSD: Protect against send buffer overflow in NFSv2 READ
      NFSD: Protect against send buffer overflow in NFSv3 READ
      NFSD: Fix handling of oversized NFSv4 COMPOUND requests
      NFSD: Replace dprintk() call site in fh_verify()
      NFSD: Trace NFSv4 COMPOUND tags
      NFSD: Add tracepoints to report NFSv4 callback completions
      NFSD: Add a mechanism to wait for a DELEGRETURN
      NFSD: Refactor nfsd_setattr()
      NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY
      NFSD: Make nfsd4_rename() wait before returning NFS4ERR_DELAY
      NFSD: Make nfsd4_remove() wait before returning NFS4ERR_DELAY
      SUNRPC: Optimize svc_process()
      SUNRPC: Parametrize how much of argsize should be zeroed
      NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing
      SUNRPC: Clarify comment that documents svc_max_payload()
      NFSD: Refactor common code out of dirlist helpers
      NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
      NFSD: Clean up WRITE arg decoders
      SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment
      NFSD: Clean up nfs4svc_encode_compoundres()
      NFSD: Remove "inline" directives on op_rsize_bop helpers
      NFSD: Remove unused nfsd4_compoundargs::cachetype field
      NFSD: Pack struct nfsd4_compoundres
      NFSD: Rename the fields in copy_stateid_t
      NFSD: Cap rsize_bop result based on send buffer size

Dai Ngo (3):
      NFSD: keep track of the number of courtesy clients in the system
      NFSD: add shrinker to reap courtesy clients on low memory condition
      NFSD: fix use-after-free on source server when doing inter-server copy

Gaosheng Cui (1):
      nfsd: remove nfsd4_prepare_cb_recall() declaration

Jeff Layton (5):
      nfsd: clean up mounted_on_fileid handling
      nfsd: only fill out return pointer on success in nfsd4_lookup_stateid
      nfsd: fix comments about spinlock handling with delegations
      nfsd: make nfsd4_run_cb a bool return function
      nfsd: extra checks when freeing delegation stateids

Jinpeng Cui (1):
      NFSD: remove redundant variable status

NeilBrown (1):
      NFSD: drop fname and flen args from nfsd_create_locked()

Olga Kornievskaia (1):
      NFSD enforce filehandle check for source file in COPY

Wolfram Sang (2):
      NFSD: move from strlcpy with unused retval to strscpy
      lockd: move from strlcpy with unused retval to strscpy

 fs/lockd/host.c            |   2 +-
 fs/lockd/svc4proc.c        |  24 ++++++++++++
 fs/lockd/svcproc.c         |  24 ++++++++++++
 fs/nfs/callback_xdr.c      |   1 +
 fs/nfsd/cache.h            |   2 +-
 fs/nfsd/filecache.c        |   7 +---
 fs/nfsd/filecache.h        |   2 +-
 fs/nfsd/netns.h            |   4 ++
 fs/nfsd/nfs2acl.c          |   5 +++
 fs/nfsd/nfs3acl.c          |   3 ++
 fs/nfsd/nfs3proc.c         |  43 ++++++++++++++-------
 fs/nfsd/nfs3xdr.c          |  18 ++-------
 fs/nfsd/nfs4callback.c     |  14 ++++++-
 fs/nfsd/nfs4idmap.c        |   8 ++--
 fs/nfsd/nfs4layouts.c      |   2 +-
 fs/nfsd/nfs4proc.c         | 226 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------
 fs/nfsd/nfs4recover.c      |  14 ++++---
 fs/nfsd/nfs4state.c        | 218 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------
 fs/nfsd/nfs4xdr.c          | 102 ++++++++++++++++++++++++++++++++-----------------
 fs/nfsd/nfscache.c         |  13 ++-----
 fs/nfsd/nfsctl.c           |  54 +++++++-------------------
 fs/nfsd/nfsd.h             |  13 ++++++-
 fs/nfsd/nfsfh.c            |   8 +---
 fs/nfsd/nfsproc.c          |  39 +++++++++++--------
 fs/nfsd/nfssvc.c           |   2 +-
 fs/nfsd/nfsxdr.c           |   4 +-
 fs/nfsd/state.h            |  11 +++---
 fs/nfsd/stats.c            |  14 +------
 fs/nfsd/trace.h            | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 fs/nfsd/vfs.c              | 128 ++++++++++++++++++++++++++++++++++++++++----------------------
 fs/nfsd/vfs.h              |   4 +-
 fs/nfsd/xdr4.h             |   9 +++--
 include/linux/sunrpc/svc.h |  20 ++++++++--
 include/linux/sunrpc/xdr.h |   2 +
 net/sunrpc/svc.c           |  34 +++++++++--------
 net/sunrpc/xdr.c           |  24 +++++++++++-
 36 files changed, 829 insertions(+), 400 deletions(-)

--
Chuck Lever
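
A simplified model of the shared receive/send buffer accounting described in the release notes above, added here as an example; it is not code from this pull request or from the kernel. The pool size, payload limit, header reserve and every function name are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model, not kernel code; every size below is an assumption. */
#define PAGE_SZ     4096u
#define POOL_PAGES  260u              /* pages shared by receive and send */
#define MAX_PAYLOAD (256u * PAGE_SZ)  /* largest READ payload offered */
#define REPLY_HDR   512u              /* room reserved for reply headers */

struct rpc_req {
    size_t record_len;  /* length announced by the TCP record marker */
    size_t call_len;    /* bytes of the RPC Call actually in the record */
};

/* Bytes left for the reply: receive takes pages by record size, not Call size. */
size_t send_avail(const struct rpc_req *rq)
{
    size_t used = (rq->record_len + PAGE_SZ - 1) / PAGE_SZ;
    return used >= POOL_PAGES ? 0 : (POOL_PAGES - used) * PAGE_SZ;
}

/* Flawed sizing: assumes a full-sized send buffer is always available. */
size_t read_len_unchecked(size_t requested)
{
    return requested < MAX_PAYLOAD ? requested : MAX_PAYLOAD;
}

/* Corrected sizing: also clamp to what the send buffer can still hold. */
size_t read_len_checked(const struct rpc_req *rq, size_t requested)
{
    size_t avail = send_avail(rq), n = read_len_unchecked(requested);
    size_t cap = avail > REPLY_HDR ? avail - REPLY_HDR : 0;
    return n < cap ? n : cap;
}

/* Bytes a reply carrying n payload bytes would write past the send buffer. */
size_t overrun(const struct rpc_req *rq, size_t n)
{
    size_t need = n + REPLY_HDR, avail = send_avail(rq);
    return need > avail ? need - avail : 0;
}

int main(void)
{
    struct rpc_req big = { .record_len = 1000000, .call_len = 200 };
    printf("unchecked overrun: %zu bytes\n", overrun(&big, read_len_unchecked(MAX_PAYLOAD)));
    printf("checked overrun:   %zu bytes\n", overrun(&big, read_len_checked(&big, MAX_PAYLOAD)));
    return 0;
}
```

In this model a 200-byte Call inside a 1,000,000-byte record leaves only 15 pages for the reply, so the unchecked length runs far past the end while the checked length fits.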


