From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <cel@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: Chris Mason <clm@meta.com>,
linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
Jeff Layton <jlayton@kernel.org>
Subject: [PATCH v2 15/21] nfsd: validate sockaddr length per family in listener_set
Date: Thu, 11 Jun 2026 16:00:58 -0400 [thread overview]
Message-ID: <20260611-nfsd-testing-v2-15-5b90e276f2d9@kernel.org> (raw)
In-Reply-To: <20260611-nfsd-testing-v2-0-5b90e276f2d9@kernel.org>
nfsd_sock_nl_policy declares NFSD_A_SOCK_ADDR as bare NLA_BINARY
with no minimum length. A CAP_NET_ADMIN caller can send a 16-byte
NFSD_A_SOCK_ADDR with sa_family=AF_INET6, causing a 12-byte OOB
read across three consumers (rpc_cmp_addr_port, svc_find_listener,
kernel_bind).
Tighten the policy to NLA_POLICY_MIN_LEN(16) and add per-family
length validation in both nlmsg_for_each_attr_type loops.
Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
Documentation/netlink/specs/nfsd.yaml | 4 ++++
fs/nfsd/netlink.c | 2 +-
fs/nfsd/nfsctl.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/Documentation/netlink/specs/nfsd.yaml b/Documentation/netlink/specs/nfsd.yaml
index 8f36fadd68f7..9677ba19ffcd 100644
--- a/Documentation/netlink/specs/nfsd.yaml
+++ b/Documentation/netlink/specs/nfsd.yaml
@@ -156,6 +156,10 @@ attribute-sets:
-
name: addr
type: binary
+ # 16 == sizeof(struct sockaddr_in); AF_INET6 callers
+ # validate the full sockaddr_in6 length in nfsctl.c.
+ checks:
+ min-len: 16
-
name: transport-name
type: string
diff --git a/fs/nfsd/netlink.c b/fs/nfsd/netlink.c
index fbee3676d253..6570960034f1 100644
--- a/fs/nfsd/netlink.c
+++ b/fs/nfsd/netlink.c
@@ -37,7 +37,7 @@ const struct nla_policy nfsd_fslocations_nl_policy[NFSD_A_FSLOCATIONS_LOCATION +
};
const struct nla_policy nfsd_sock_nl_policy[NFSD_A_SOCK_TRANSPORT_NAME + 1] = {
- [NFSD_A_SOCK_ADDR] = { .type = NLA_BINARY, },
+ [NFSD_A_SOCK_ADDR] = NLA_POLICY_MIN_LEN(16),
[NFSD_A_SOCK_TRANSPORT_NAME] = { .type = NLA_NUL_STRING, },
};
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index ab10692ee937..f3b3154b16c5 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -2016,6 +2016,21 @@ int nfsd_nl_listener_set_doit(struct sk_buff *skb, struct genl_info *info)
xcl_name = nla_data(tb[NFSD_A_SOCK_TRANSPORT_NAME]);
sa = nla_data(tb[NFSD_A_SOCK_ADDR]);
+ switch (sa->sa_family) {
+ case AF_INET:
+ if (nla_len(tb[NFSD_A_SOCK_ADDR]) <
+ sizeof(struct sockaddr_in))
+ continue;
+ break;
+ case AF_INET6:
+ if (nla_len(tb[NFSD_A_SOCK_ADDR]) <
+ sizeof(struct sockaddr_in6))
+ continue;
+ break;
+ default:
+ continue;
+ }
+
/* Put back any matching sockets */
list_for_each_entry_safe(xprt, tmp, &permsocks, xpt_list) {
/* This shouldn't be possible */
@@ -2077,6 +2092,21 @@ int nfsd_nl_listener_set_doit(struct sk_buff *skb, struct genl_info *info)
xcl_name = nla_data(tb[NFSD_A_SOCK_TRANSPORT_NAME]);
sa = nla_data(tb[NFSD_A_SOCK_ADDR]);
+ switch (sa->sa_family) {
+ case AF_INET:
+ if (nla_len(tb[NFSD_A_SOCK_ADDR]) <
+ sizeof(struct sockaddr_in))
+ continue;
+ break;
+ case AF_INET6:
+ if (nla_len(tb[NFSD_A_SOCK_ADDR]) <
+ sizeof(struct sockaddr_in6))
+ continue;
+ break;
+ default:
+ continue;
+ }
+
xprt = svc_find_listener(serv, xcl_name, net, sa);
if (xprt) {
if (delete)
--
2.54.0
next prev parent reply other threads:[~2026-06-11 20:01 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 20:00 [PATCH v2 00/21] nfsd: more bugfixes Jeff Layton
2026-06-11 20:00 ` [PATCH v2 01/21] nfsd: clear opcnt on compound arg release to prevent OOB read Jeff Layton
2026-06-11 20:00 ` [PATCH v2 02/21] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry Jeff Layton
2026-06-11 20:00 ` [PATCH v2 03/21] nfsd: fix netlink dumpit error handling for rpc_status_get Jeff Layton
2026-06-11 20:00 ` [PATCH v2 04/21] sunrpc: defer rq_argp and rq_resp free until after RCU grace period Jeff Layton
2026-06-11 20:00 ` [PATCH v2 05/21] nfsd: check nfsd4_acl_to_attr() return value in nfsd4_create() Jeff Layton
2026-06-11 20:00 ` [PATCH v2 06/21] nfsd: add filehandle match check to nfsd4_delegreturn() Jeff Layton
2026-06-11 20:00 ` [PATCH v2 07/21] nfsd: validate nseconds in TIME_DELEG decode paths Jeff Layton
2026-06-11 20:00 ` [PATCH v2 08/21] nfsd: remove premature NFS4_OO_CONFIRMED in CLAIM_PREVIOUS path Jeff Layton
2026-06-12 13:36 ` Jeff Layton
2026-06-11 20:00 ` [PATCH v2 09/21] nfsd: fix version mismatch loops in nfsd_acl_init_request() Jeff Layton
2026-06-11 20:00 ` [PATCH v2 10/21] nfsd: fix FL_SLEEP being set unconditionally for all LOCK types Jeff Layton
2026-06-11 20:00 ` [PATCH v2 11/21] nfsd: add fh_want_write() for early-verified SETATTR in nfsd_proc_setattr() Jeff Layton
2026-06-11 20:00 ` [PATCH v2 12/21] nfsd: fix clock domain mismatch in clients_still_reclaiming() Jeff Layton
2026-06-11 20:00 ` [PATCH v2 13/21] nfsd: use test_and_clear_bit for somebody_reclaimed to prevent lost update Jeff Layton
2026-06-11 20:00 ` [PATCH v2 14/21] nfsd: reject reclaim LOCK after RECLAIM_COMPLETE Jeff Layton
2026-06-11 20:00 ` Jeff Layton [this message]
2026-06-12 13:37 ` [PATCH v2 15/21] nfsd: validate sockaddr length per family in listener_set Jeff Layton
2026-06-11 20:00 ` [PATCH v2 16/21] lockd, nfsd: RCU-protect nlmsvc_ops dispatch Jeff Layton
2026-06-11 20:01 ` [PATCH v2 17/21] nfsd: move nfsd_debugfs_init() after nfsd4_init_slabs() in init_nfsd() Jeff Layton
2026-06-11 20:01 ` [PATCH v2 18/21] nfsd: initialize DRC hash table before registering shrinker Jeff Layton
2026-06-11 20:01 ` [PATCH v2 19/21] nfsd: restore rq_status_counter to even on all nfsd_dispatch() exit paths Jeff Layton
2026-06-11 20:01 ` [PATCH v2 20/21] nfsd: reset thread skip index when advancing pools in rpc_status dumpit Jeff Layton
2026-06-11 20:01 ` [PATCH v2 21/21] nfsd: drop the stateid, not the stateowner, on seqid_op replay retry Jeff Layton
2026-06-13 20:30 ` [PATCH v2 00/21] nfsd: more bugfixes Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611-nfsd-testing-v2-15-5b90e276f2d9@kernel.org \
--to=jlayton@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=cel@kernel.org \
--cc=clm@meta.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox