Re: [PATCH v1 1/3] nfsd: Limit end of page list when decoding NFSv4 WRITE

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH v1 1/3] nfsd: Limit end of page list when decoding NFSv4 WRITE
Date: Mon, 21 Aug 2017 17:21:40 -0400	[thread overview]
Message-ID: <20170821212140.GB14949@fieldses.org> (raw)
In-Reply-To: <BC15F5B8-7B61-4A0C-8F80-2513FB6C12EF@oracle.com>

On Mon, Aug 21, 2017 at 05:15:38PM -0400, Chuck Lever wrote:
> 
> > On Aug 21, 2017, at 5:13 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
> > 
> > On Fri, Aug 18, 2017 at 11:12:19AM -0400, Chuck Lever wrote:
> >> When processing an NFSv4 WRITE operation, argp->end should never
> >> point past the end of the data in the final page of the page list.
> >> Otherwise, nfsd4_decode_compound can walk into uninitialized memory.
> >> 
> >> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> >> ---
> >> fs/nfsd/nfs4xdr.c |    6 ++----
> >> 1 file changed, 2 insertions(+), 4 deletions(-)
> >> 
> >> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> >> index 51e729a..7c48d68 100644
> >> --- a/fs/nfsd/nfs4xdr.c
> >> +++ b/fs/nfsd/nfs4xdr.c
> >> @@ -144,7 +144,7 @@ static void next_decode_page(struct nfsd4_compoundargs *argp)
> >> 	argp->p = page_address(argp->pagelist[0]);
> >> 	argp->pagelist++;
> >> 	if (argp->pagelen < PAGE_SIZE) {
> >> -		argp->end = argp->p + (argp->pagelen>>2);
> >> +		argp->end = argp->p + XDR_QUADLEN(argp->pagelen);
> >> 		argp->pagelen = 0;
> >> 	} else {
> >> 		argp->end = argp->p + (PAGE_SIZE>>2);
> >> @@ -1279,9 +1279,7 @@ static __be32 nfsd4_decode_opaque(struct nfsd4_compoundargs *argp, struct xdr_ne
> >> 		argp->pagelen -= pages * PAGE_SIZE;
> >> 		len -= pages * PAGE_SIZE;
> >> 
> >> -		argp->p = (__be32 *)page_address(argp->pagelist[0]);
> >> -		argp->pagelist++;
> >> -		argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE);
> >> +		next_decode_page(argp);
> > 
> > I think there's no change in behavior here *except* for adding a new
> > argp->pagelen=0 (or argp->pagelen -= PAGE_SIZE).
> 
> The code around this change is currently working correctly,
> so there is no change in behavior AFAICT. This is a defensive
> change, but it also replaces duplicate code.

I don't understand.  I'm saying that by calling next_decode_page() there
you've added a new argp->pagelen assignment.  I don't understand how
that can't change behavior, unless there's another bug in our bounds
checking someplace.

Most likely it could cause subsequent op parsers to believe there's less
space in the argument buffer than there really is, so it might fail to
parse a compound with a write plus some other ops, if that puts the
total call close to the maximum size?

--b.

> 
> 
> > --b.
> > 
> >> 	}
> >> 	argp->p += XDR_QUADLEN(len);
> >> 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> --
> Chuck Lever
> 
>

next prev parent reply	other threads:[~2017-08-21 21:21 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-18 15:12 [PATCH v1 0/3] Handle NFSv4 operations in xdr_buf tail Chuck Lever
2017-08-18 15:12 ` [PATCH v1 1/3] nfsd: Limit end of page list when decoding NFSv4 WRITE Chuck Lever
2017-08-21 21:13   ` J. Bruce Fields
2017-08-21 21:15     ` Chuck Lever
2017-08-21 21:21       ` J. Bruce Fields [this message]
2017-08-21 22:08         ` Chuck Lever
2017-08-22 21:45           ` J. Bruce Fields
2017-08-23 18:36             ` Chuck Lever
2017-08-24  1:18               ` J. Bruce Fields
2017-08-24  2:52                 ` Weston Andros Adamson
2017-08-18 15:12 ` [PATCH v1 2/3] nfsd: Incoming xdr_bufs may have content in tail buffer Chuck Lever
2017-08-25 17:46   ` J. Bruce Fields
2017-08-18 15:12 ` [PATCH v1 3/3] svcrdma: Populate tail iovec when receiving Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170821212140.GB14949@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).