lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Jan 2024 11:43:15 -0500
From: Jeff Layton <jlayton@...nel.org>
To: Chuck Lever <chuck.lever@...cle.com>, Neil Brown <neilb@...e.de>, 
 Olga Kornievskaia <kolga@...app.com>, Dai Ngo <Dai.Ngo@...cle.com>, 
 Tom Talpey <tom@...pey.com>, 
 Trond Myklebust <trond.myklebust@...merspace.com>, 
 Anna Schumaker <anna@...nel.org>, "David S. Miller" <davem@...emloft.net>, 
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, 
 Paolo Abeni <pabeni@...hat.com>, Benjamin Coddington <bcodding@...hat.com>
Cc: Anna Schumaker <Anna.Schumaker@...app.com>, linux-nfs@...r.kernel.org, 
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Alexander Aring <aahringo@...hat.com>, Jeff Layton <jlayton@...nel.org>
Subject: [PATCH] sunrpc: fix assignment of to_retries in svc_process_bc

Alex reported seeing this:

    [   18.238266] ------------[ cut here ]------------
    [   18.239286] UBSAN: shift-out-of-bounds in net/sunrpc/xprt.c:660:14
    [   18.240699] shift exponent 60000 is too large for 64-bit type 'long unsigned int'
    [   18.242277] CPU: 1 PID: 290 Comm: NFSv4 callback Not tainted 6.8.0-rc1devtest5+ #5814
    [   18.243846] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-4.module+el8.9.0+19570+14a90618 04/01/2014
    [   18.245460] Call Trace:
    [   18.245855]  <TASK>
    [   18.246200]  dump_stack_lvl+0x93/0xb0
    [   18.246785]  dump_stack+0x10/0x20
    [   18.247308]  ubsan_epilogue+0x9/0x40
    [   18.247875]  __ubsan_handle_shift_out_of_bounds+0x110/0x170
    [   18.248727]  ? ktime_get+0x130/0x2a0
    [   18.249317]  xprt_calc_majortimeo.isra.13.cold.45+0x12/0x23
    [   18.250184]  xprt_init_majortimeo.isra.27+0x9c/0x150
    [   18.251062]  xprt_init_bc_request+0xc1/0xd0
    [   18.251728]  rpc_run_bc_task+0xd3/0x1b0
    [   18.252328]  ? __pfx_rpc_run_bc_task+0x10/0x10
    [   18.253045]  ? __this_cpu_preempt_check+0x13/0x20
    [   18.253780]  ? xdr_inline_decode+0x5b/0x260
    [   18.254447]  svc_process_bc+0x3b2/0x4d0
    [   18.255069]  ? __pfx_svc_process_bc+0x10/0x10
    [   18.255755]  ? __lwq_dequeue+0x5c/0xe0
    [   18.256350]  ? __kasan_check_read+0x11/0x20
    [   18.257002]  ? svc_thread_should_sleep+0x15d/0x190
    [   18.257754]  ? svc_recv+0x918/0x13b0
    [   18.258321]  svc_recv+0xa7e/0x13b0
    [   18.258892]  nfs4_callback_svc+0x53/0xb0
    [   18.259508]  ? __pfx_nfs4_callback_svc+0x10/0x10
    [   18.260227]  kthread+0x1c2/0x210
    [   18.260744]  ? kthread+0x103/0x210
    [   18.261278]  ? __pfx_kthread+0x10/0x10
    [   18.261872]  ret_from_fork+0x3a/0x50
    [   18.262433]  ? __pfx_kthread+0x10/0x10
    [   18.263024]  ret_from_fork_asm+0x1b/0x30
    [   18.263684]  </TASK>
    [   18.264348] ---[ end trace ]---

to_initval can be very large and cause a shift overflow later. Ensure we
copy the correct value into to_retries.

Cc: Benjamin Coddington <bcodding@...hat.com>
Reported-by: Alexander Aring <aahringo@...hat.com>
Fixes: 57331a59ac0d NFSv4.1: Use the nfs_client's rpc timeouts for backchannel
Signed-off-by: Jeff Layton <jlayton@...nel.org>
---
 net/sunrpc/svc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index f60c93e5a25d..d86bf5b051fa 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1598,7 +1598,7 @@ void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
 	/* Finally, send the reply synchronously */
 	if (rqstp->bc_to_initval > 0) {
 		timeout.to_initval = rqstp->bc_to_initval;
-		timeout.to_retries = rqstp->bc_to_initval;
+		timeout.to_retries = rqstp->bc_to_retries;
 	} else {
 		timeout.to_initval = req->rq_xprt->timeout->to_initval;
 		timeout.to_initval = req->rq_xprt->timeout->to_retries;

---
base-commit: 41bccc98fb7931d63d03f326a746ac4d429c1dd3
change-id: 20240129-nfsd-fixes-0d95718a0bca

Best regards,
-- 
Jeff Layton <jlayton@...nel.org>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ