From: Sachin Prabhu <sprabhu@redhat.com>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Linux NFS mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Avoid array overflow in __nfs4_get_acl_uncached
Date: Tue, 28 Aug 2012 15:09:26 +0100 [thread overview]
Message-ID: <1346162966.2554.3.camel@localhost> (raw)
In-Reply-To: <4FA345DA4F4AE44899BD2B03EEEC2FA908F69340@SACEXCMBX04-PRD.hq.netapp.com>
> OK. How about this patch, which applies on top of the one I sent you?
> 8<-----------------------------------------------------------------
> From 22c9e2475560edda925f971a2a02bac58536414b Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <Trond.Myklebust@netapp.com>
> Date: Sun, 26 Aug 2012 11:44:43 -0700
> Subject: [PATCH] NFSv4: Add buffer overflow checking to nfs4_write_cached_acl
>
> Currently, the buffer overflow checking is done incorrectly by the
> caller. Move the overflow checking into nfs4_write_cached_acl itself
> for robustness, and fix the overflow calculation to take into account
> the 'pgbase' argument to _copy_from_pages.
>
> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
> ---
> fs/nfs/nfs4proc.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 654dc38..af4ebc3 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -3734,12 +3734,13 @@ out:
> return ret;
> }
>
> -static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)
> +static void nfs4_write_cached_acl(struct inode *inode, struct page **pages,
> + size_t srclen, size_t pgbase, size_t acl_len)
> {
> struct nfs4_cached_acl *acl;
> size_t buflen = sizeof(*acl) + acl_len;
>
> - if (pages && buflen <= PAGE_SIZE) {
> + if (buflen <= PAGE_SIZE && srclen <= pgbase + acl_len) {
> acl = kmalloc(buflen, GFP_KERNEL);
> if (acl == NULL)
> goto out;
> @@ -3820,11 +3821,8 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
> goto out_free;
>
> acl_len = res.acl_len;
> - if (acl_len > args.acl_len)
> - nfs4_write_cached_acl(inode, NULL, 0, acl_len);
> - else
> - nfs4_write_cached_acl(inode, pages, res.acl_data_offset,
> - acl_len);
> + nfs4_write_cached_acl(inode, pages, args.acl_len,
> + res.acl_data_offset, res.acl_len);
> if (buf) {
> ret = -ERANGE;
> if (acl_len > buflen)
> --
> 1.7.11.4
I encountered 2 problems.
1) The if condition should be srclen >= pgbase + acl_len
2) There is a second _copy_from_pages which copies to the the acl to the
passed buffer in __nfs4_get_acl_uncached().
I've attached a patch below.
-----
>From ec84527625b3847a0623410d532253dd919e119a Mon Sep 17 00:00:00 2001
From: Sachin Prabhu <sprabhu@redhat.com>
Date: Tue, 28 Aug 2012 15:01:13 +0100
Subject: [PATCH] NFSv4: Check for buffer overflow in __nfs4_get_acl_uncached
Check for buffer overflow in __nfs4_get_acl_uncached when using
_copy_from_pages to copy to the buffer passed in the argument.
Also fix if condition in nfs4_write_cached_acl() from the previous post.
Signed-off-by: Sachin Prabhu
---
fs/nfs/nfs4proc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 580b0b1..cb8748d 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3740,7 +3740,7 @@ static void nfs4_write_cached_acl(struct inode *inode, struct page **pages,
struct nfs4_cached_acl *acl;
size_t buflen = sizeof(*acl) + acl_len;
- if (buflen <= PAGE_SIZE && srclen <= pgbase + acl_len) {
+ if (buflen <= PAGE_SIZE && srclen >= pgbase + acl_len) {
acl = kmalloc(buflen, GFP_KERNEL);
if (acl == NULL)
goto out;
@@ -3825,7 +3825,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
res.acl_data_offset, res.acl_len);
if (buf) {
ret = -ERANGE;
- if (acl_len > buflen)
+ if (acl_len > buflen || args.acl_len < res.acl_data_offset + res.acl_len)
goto out_free;
_copy_from_pages(buf, pages, res.acl_data_offset,
acl_len);
--
1.7.11.4
next prev parent reply other threads:[~2012-08-28 14:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-24 14:16 [PATCH] Avoid array overflow in __nfs4_get_acl_uncached Sachin Prabhu
2012-08-24 15:07 ` Myklebust, Trond
2012-08-24 21:31 ` Sachin Prabhu
2012-08-24 21:38 ` Myklebust, Trond
2012-08-24 21:51 ` Sachin Prabhu
2012-08-24 22:02 ` Myklebust, Trond
2012-08-25 23:31 ` Sachin Prabhu
2012-08-26 18:57 ` Myklebust, Trond
2012-08-28 14:09 ` Sachin Prabhu [this message]
2012-09-03 19:11 ` Myklebust, Trond
2012-09-06 14:46 ` Sachin Prabhu
2012-09-06 14:53 ` Myklebust, Trond
2012-09-06 15:05 ` Sachin Prabhu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1346162966.2554.3.camel@localhost \
--to=sprabhu@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.