[PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Weston Andros Adamson]

decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
has more than three bitmaps, return -EIO here instead of bailing out in
a later xdr decode.

Signed-off-by: Weston Andros Adamson <dros@netapp.com>
---

This is related to my "NFSv4: fix getacl ERANGE for some ACL buffer sizes"
patch - I noticed that even though we'll only ever parse 3 bitmaps, we don't
error out correctly if more are sent.

This condition is probably never hit, but if it ever is, it'd be nice to
have the code error out where the problem actually occurred.

 fs/nfs/nfs4xdr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 5be2868..3866a69 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -3146,6 +3146,9 @@ static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap)
 		goto out_overflow;
 	bmlen = be32_to_cpup(p);
 
+	if (unlikely(bmlen > 3))
+		goto out_overflow;
+
 	bitmap[0] = bitmap[1] = bitmap[2] = 0;
 	p = xdr_inline_decode(xdr, (bmlen << 2));
 	if (unlikely(!p))
-- 
1.8.3.1 (Apple Git-46)

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Chuck Lever]

On Nov 15, 2013, at 11:38 AM, Weston Andros Adamson <dros@netapp.com> wrote:

> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
> has more than three bitmaps, return -EIO here instead of bailing out in
> a later xdr decode.
> 
> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
> ---
> 
> This is related to my "NFSv4: fix getacl ERANGE for some ACL buffer sizes"
> patch - I noticed that even though we'll only ever parse 3 bitmaps, we don't
> error out correctly if more are sent.
> 
> This condition is probably never hit, but if it ever is, it'd be nice to
> have the code error out where the problem actually occurred.
> 
> fs/nfs/nfs4xdr.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index 5be2868..3866a69 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -3146,6 +3146,9 @@ static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap)
> 		goto out_overflow;
> 	bmlen = be32_to_cpup(p);
> 
> +	if (unlikely(bmlen > 3))
> +		goto out_overflow;
> +

Nit: Using a naked integer should be avoid, if we can.  Is there somewhere in the code that documents the "we only handle up t 3 bitmaps" constraint?


> 	bitmap[0] = bitmap[1] = bitmap[2] = 0;
> 	p = xdr_inline_decode(xdr, (bmlen << 2));
> 	if (unlikely(!p))
> -- 
> 1.8.3.1 (Apple Git-46)
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Trond Myklebust]

On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
> has more than three bitmaps, return -EIO here instead of bailing out in
> a later xdr decode.
> 

No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
it will decode arbitrary sized bitmaps:

	p = xdr_inline_decode(xdr, (bmlen << 2));

Cheers
  Trond

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Myklebust, Trond]

On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
> > decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
> > has more than three bitmaps, return -EIO here instead of bailing out in
> > a later xdr decode.
> > 
> 
> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
> it will decode arbitrary sized bitmaps:
> 
> 	p = xdr_inline_decode(xdr, (bmlen << 2));
> 

That said, we should probably check that the server isn't setting those
bitmap words to any non-zero values. That would be a reason to return
EIO.


-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Chuck Lever]

On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:

> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
>>> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
>>> has more than three bitmaps, return -EIO here instead of bailing out in
>>> a later xdr decode.
>>> 
>> 
>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
>> it will decode arbitrary sized bitmaps:
>> 
>> 	p = xdr_inline_decode(xdr, (bmlen << 2));
>> 
> 
> That said, we should probably check that the server isn't setting those
> bitmap words to any non-zero values. That would be a reason to return
> EIO.

Why wouldn't the client simply warn and ignore the extraneous data?

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Myklebust, Trond]

On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote:
> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
> 
> > On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
> >> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
> >>> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
> >>> has more than three bitmaps, return -EIO here instead of bailing out in
> >>> a later xdr decode.
> >>> 
> >> 
> >> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
> >> it will decode arbitrary sized bitmaps:
> >> 
> >> 	p = xdr_inline_decode(xdr, (bmlen << 2));
> >> 
> > 
> > That said, we should probably check that the server isn't setting those
> > bitmap words to any non-zero values. That would be a reason to return
> > EIO.
> 
> Why wouldn't the client simply warn and ignore the extraneous data?
> 

...because unless the GETATTR is the very last operation, we'd end up
failing to decode things correctly. Anyway, a server that returns
attributes that we haven't requested must clearly be borken. It's
definitely violating the spec.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Weston Andros Adamson]

On Nov 15, 2013, at 12:10 PM, Myklebust, Trond <Trond.Myklebust@netapp.com> wrote:

> On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote:
>> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
>> 
>>> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
>>>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
>>>>> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
>>>>> has more than three bitmaps, return -EIO here instead of bailing out in
>>>>> a later xdr decode.
>>>>> 
>>>> 
>>>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
>>>> it will decode arbitrary sized bitmaps:
>>>> 
>>>> 	p = xdr_inline_decode(xdr, (bmlen << 2));
>>>> 

Oh, yeah.

>>> 
>>> That said, we should probably check that the server isn't setting those
>>> bitmap words to any non-zero values. That would be a reason to return
>>> EIO.

Ok, I’ll rework this.

-dros

>> 
>> Why wouldn't the client simply warn and ignore the extraneous data?
>> 
> 
> ...because unless the GETATTR is the very last operation, we'd end up
> failing to decode things correctly. Anyway, a server that returns
> attributes that we haven't requested must clearly be borken. It's
> definitely violating the spec.
> 
> -- 
> Trond Myklebust
> Linux NFS client maintainer
> 
> NetApp
> Trond.Myklebust@netapp.com
> www.netapp.com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Chuck Lever]

On Nov 15, 2013, at 12:10 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:

> On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote:
>> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
>> 
>>> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
>>>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
>>>>> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
>>>>> has more than three bitmaps, return -EIO here instead of bailing out in
>>>>> a later xdr decode.
>>>>> 
>>>> 
>>>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
>>>> it will decode arbitrary sized bitmaps:
>>>> 
>>>> 	p = xdr_inline_decode(xdr, (bmlen << 2));
>>>> 
>>> 
>>> That said, we should probably check that the server isn't setting those
>>> bitmap words to any non-zero values. That would be a reason to return
>>> EIO.
>> 
>> Why wouldn't the client simply warn and ignore the extraneous data?
>> 
> 
> ...because unless the GETATTR is the very last operation, we'd end up
> failing to decode things correctly.

Surely that's only if the returned bitmap length doesn't match the number of bitmap words returned.  The server can return a properly encoded result without overwriting the next operation in the compound, can't it?

> Anyway, a server that returns
> attributes that we haven't requested must clearly be borken. It's
> definitely violating the spec.

Definitely, but "be lenient in what you accept."

The reason I bring this up is that we had exactly this problem with NFSv4.2, where the third bitmap word was added.

Anyway, just an observation.

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

Re: [PATCH] NFS: -EIO from decode_bitmap if too many bitmaps

[Myklebust, Trond]

On Fri, 2013-11-15 at 12:23 -0500, Chuck Lever wrote:
> On Nov 15, 2013, at 12:10 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
> 
> > On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote:
> >> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
> >> 
> >>> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote:
> >>>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote:
> >>>>> decode_bitmap will only decode up to three bitmaps.  If the xdr buffer
> >>>>> has more than three bitmaps, return -EIO here instead of bailing out in
> >>>>> a later xdr decode.
> >>>>> 
> >>>> 
> >>>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but
> >>>> it will decode arbitrary sized bitmaps:
> >>>> 
> >>>> 	p = xdr_inline_decode(xdr, (bmlen << 2));
> >>>> 
> >>> 
> >>> That said, we should probably check that the server isn't setting those
> >>> bitmap words to any non-zero values. That would be a reason to return
> >>> EIO.
> >> 
> >> Why wouldn't the client simply warn and ignore the extraneous data?
> >> 
> > 
> > ...because unless the GETATTR is the very last operation, we'd end up
> > failing to decode things correctly.
> 
> Surely that's only if the returned bitmap length doesn't match the number of bitmap words returned.  The server can return a properly encoded result without overwriting the next operation in the compound, can't it?

How do we know? You're already talking about a broken server.

> > Anyway, a server that returns
> > attributes that we haven't requested must clearly be borken. It's
> > definitely violating the spec.
> 
> Definitely, but "be lenient in what you accept."
> 
> The reason I bring this up is that we had exactly this problem with NFSv4.2, where the third bitmap word was added.

We've never had servers returning attributes that are not requested
AFAIK. In the current code, they are free to add in as many zero fillers
in the bitmap as they want, and that's exactly what we should be
accepting.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com