From: Sachin Prabhu <sprabhu@redhat.com>
To: Trond Myklebust <trond.myklebust@netapp.com>,
Andy Adamson <andros@netapp.com>
Cc: Linux NFS mailing list <linux-nfs@vger.kernel.org>
Subject: [PATCH 0/2] Prevent out of bounds reads when dealing with ACLs
Date: Tue, 17 Apr 2012 14:33:18 +0100
Message-ID: <1334669598.5396.7.camel@localhost>

Commit bf118a342f10dafe44b14451a1392c3254629a1f allows variable size
bitmaps to be passed in the response to GETACL calls.

The patch fails in a specific condition where

    bitmap array size + acl length attribute size + ACLs > PAGE_SIZE

the code will read past the allocated buffer in nfs4_write_cached_acl()
and in _copy_from_pages().

A simple example is if the ACL size is just less than a PAGE_SIZE but
large enough so that ACL + Bitmap crosses a PAGE_SIZE, it will fail.

Another example is if the server sends a large bitmap array along with
smaller ACL data causing the bitmap array + ACL to go past the allocated
page, it will fail again.

To test the code, we configured pynfs to append 1000 extra elements to
the bitmap array which results in BITMAP+ACL size to be a little over a
PAGE_SIZE. This leads to a General Protection Fault in
_copy_from_pages() on un-patched systems.

Sachin Prabhu (2):
  Avoid reading past buffer when calling GETACL
  Avoid beyond bounds copy while caching ACL

 fs/nfs/nfs4proc.c | 28 +++++++++++++++-------------
 fs/nfs/nfs4xdr.c  | 18 +++++++++++-------
 2 files changed, 26 insertions(+), 20 deletions(-)
--
1.7.7.6
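
The condition in the message above (bitmap array + ACL length word + ACL data exceeding the allocated page), shown as an added user-space example that is not part of the original message or of the kernel patches. The reply layout is simplified, and `copy_acl_checked`, `model_case` and `MODEL_PAGE_SIZE` are hypothetical names; the point is that every length taken from the reply is checked against the space left in the buffer before anything is copied.

```c
#include <stdint.h>
#include <string.h>
#define MODEL_PAGE_SIZE 4096u /* assumption: the reply buffer is one 4 KiB page */
/* Read a big-endian XDR word at *off; fail instead of reading past buflen. */
static int get_u32(const uint8_t *b, size_t buflen, size_t *off, uint32_t *v)
{
    if (*off > buflen || buflen - *off < 4)
        return -1;
    b += *off;
    *v = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    *off += 4;
    return 0;
}

/* Constructed layout: u32 nwords | bitmap | u32 acl_len | ACL. Returns length or -1. */
long copy_acl_checked(const uint8_t *buf, size_t buflen, uint8_t *dst, size_t dstlen)
{
    size_t off = 0;
    uint32_t nwords, acl_len;
    if (get_u32(buf, buflen, &off, &nwords) || nwords > (buflen - off) / 4)
        return -1;                  /* bitmap array overruns the buffer */
    off += (size_t)nwords * 4;
    if (get_u32(buf, buflen, &off, &acl_len))
        return -1;
    if (acl_len > buflen - off || acl_len > dstlen)
        return -1;                  /* bitmap + length word + ACL > buffer */
    memcpy(dst, buf + off, acl_len);
    return (long)acl_len;
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write a constructed header into one page (ACL bytes stay zero), then copy. */
long model_case(uint32_t nwords, uint32_t acl_len)
{
    static uint8_t page[MODEL_PAGE_SIZE], dst[MODEL_PAGE_SIZE];
    size_t lenpos = 4 + (size_t)nwords * 4;
    if (nwords > (MODEL_PAGE_SIZE - 8) / 4)
        return -2;                  /* header alone does not fit this model */
    put_u32(page, nwords);
    put_u32(page + lenpos, acl_len);
    return copy_acl_checked(page, sizeof(page), dst, sizeof(dst));
}

int main(void) { return model_case(1002, 100) == -1 ? 0 : 1; }
```

`model_case(2, 4090)` models the first example in the message (an ACL just under a page) and `model_case(1002, 100)` the second (a bitmap with 1000 extra words and a small ACL); both are rejected, while a reply that fits is copied.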