From: Sachin Prabhu <sprabhu@redhat.com>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Linux NFS mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Avoid array overflow in __nfs4_get_acl_uncached
Date: Thu, 06 Sep 2012 16:05:40 +0100 [thread overview]
Message-ID: <1346943940.2562.9.camel@localhost> (raw)
In-Reply-To: <4FA345DA4F4AE44899BD2B03EEEC2FA908F8B010@SACEXCMBX04-PRD.hq.netapp.com>
On Thu, 2012-09-06 at 14:53 +0000, Myklebust, Trond wrote:
> On Thu, 2012-09-06 at 15:46 +0100, Sachin Prabhu wrote:
> > On Mon, 2012-09-03 at 19:11 +0000, Myklebust, Trond wrote:
> > > > I encountered 2 problems.
> > > > 1) The if condition should be srclen >= pgbase + acl_len
> > > > 2) There is a second _copy_from_pages which copies to the the acl to the
> > > > passed buffer in __nfs4_get_acl_uncached().
> > >
> > > The second copy from pages should already be covered by the checks in
> > > decode_getacl. Alright, since this is not obvious, then clearly we need
> > > to make it so. How about the following?
> >
> > I could reproduce the crash with the second _copy_from_pages using the
> > patch to PyNFS from
> > http://www.spinics.net/lists/linux-nfs/msg32359.html
> >
> > The patch below works fine for both cases apart from a small bug which
> > I've pointed to below.
> >
> > > 8<------------------------------------------------------------------
> > > From 5040240245a046bd58c383806b3f161ee8b5823b Mon Sep 17 00:00:00 2001
> > > From: Trond Myklebust <Trond.Myklebust@netapp.com>
> > > Date: Sun, 26 Aug 2012 11:44:43 -0700
> > > Subject: [PATCH] NFSv4: Fix buffer overflow checking in
> > > __nfs4_get_acl_uncached
>
> > > + /* Check for receive buffer overflow */
> > > + if (attrlen > (xdr->nwords << 2) ||
> > > + attrlen + pg_offset > xdr->buf->page_len) {
> >
> > Here we need to use res->acl_data_offset which points to the start of
> > the ACL data instead of pg_offset which points to the start of the pages
> > section of the xdr_buf.
> >
> > Once I changed this if condition, I was able to successfully test with
> > my reproducer.
>
> Oops... Yes, of course you are right. I'll make the modification and
> push out the changed patch.
>
> Thanks very much for testing! Do you want me to add a "Tested-by:" line?
>
Fine by me.
Sachin Prabhu
prev parent reply other threads:[~2012-09-06 15:05 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-24 14:16 [PATCH] Avoid array overflow in __nfs4_get_acl_uncached Sachin Prabhu
2012-08-24 15:07 ` Myklebust, Trond
2012-08-24 21:31 ` Sachin Prabhu
2012-08-24 21:38 ` Myklebust, Trond
2012-08-24 21:51 ` Sachin Prabhu
2012-08-24 22:02 ` Myklebust, Trond
2012-08-25 23:31 ` Sachin Prabhu
2012-08-26 18:57 ` Myklebust, Trond
2012-08-28 14:09 ` Sachin Prabhu
2012-09-03 19:11 ` Myklebust, Trond
2012-09-06 14:46 ` Sachin Prabhu
2012-09-06 14:53 ` Myklebust, Trond
2012-09-06 15:05 ` Sachin Prabhu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1346943940.2562.9.camel@localhost \
--to=sprabhu@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.