From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <chuck.lever@oracle.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 3/7] NFSD: Protect against READDIR send buffer overflow
Date: Mon, 29 Aug 2022 09:43:56 -0400 [thread overview]
Message-ID: <52a93203dbd9daa02814cc920a61066d6df2749e.camel@kernel.org> (raw)
In-Reply-To: <166171263459.21449.18044553311121354704.stgit@manet.1015granger.net>
On Sun, 2022-08-28 at 14:50 -0400, Chuck Lever wrote:
> For many years, NFSD has conserved the number of pages held by
> each nfsd thread by combining the RPC receive and send buffers
> into a single array of pages. The dividing line between the
> receive and send buffer is pointed to by svc_rqst::rq_respages.
>
nit: Given that you don't look at rq_respages in the patch below, the
previous sentence is not particularly relevant. It might be better to
just explain that rq_res describes the part of the array that is the
response buffer, so we want to consult it for the max length.
> Thus the send buffer shrinks when the received RPC record
> containing the RPC Call is large.
>
> nfsd3_init_dirlist_pages() needs to account for the space in the
> svc_rqst::rq_pages array already consumed by the RPC receive buffer.
> Otherwise READDIR reply encoding can wander off the end of the page
> array.
>
> Thanks to Aleksi Illikainen and Kari Hulkko for discovering this
> issue.
>
> Reported-by: Ben Ronallo <Benjamin.Ronallo@synopsys.com>
> Fixes: f5dcccd647da ("NFSD: Update the NFSv2 READDIR entry encoder to use struct xdr_stream")
> Fixes: 7f87fc2d34d4 ("NFSD: Update NFSv3 READDIR entry encoders to use struct xdr_stream")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> fs/nfsd/nfs3proc.c | 5 ++---
> fs/nfsd/nfsproc.c | 5 ++---
> 2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
> index a41cca619338..fab87e9e0b20 100644
> --- a/fs/nfsd/nfs3proc.c
> +++ b/fs/nfsd/nfs3proc.c
> @@ -564,12 +564,11 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
> struct xdr_buf *buf = &resp->dirlist;
> struct xdr_stream *xdr = &resp->xdr;
>
> - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
> -
> memset(buf, 0, sizeof(*buf));
>
> /* Reserve room for the NULL ptr & eof flag (-2 words) */
> - buf->buflen = count - XDR_UNIT * 2;
> + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), rqstp->rq_res.buflen);
> + buf->buflen -= XDR_UNIT * 2;
> buf->pages = rqstp->rq_next_page;
> rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
>
> diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
> index 7381972f1677..23c273cb68a9 100644
> --- a/fs/nfsd/nfsproc.c
> +++ b/fs/nfsd/nfsproc.c
> @@ -567,12 +567,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
> struct xdr_buf *buf = &resp->dirlist;
> struct xdr_stream *xdr = &resp->xdr;
>
> - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
> -
> memset(buf, 0, sizeof(*buf));
>
> /* Reserve room for the NULL ptr & eof flag (-2 words) */
> - buf->buflen = count - XDR_UNIT * 2;
> + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), rqstp->rq_res.buflen);
> + buf->buflen -= XDR_UNIT * 2;
> buf->pages = rqstp->rq_next_page;
> rqstp->rq_next_page++;
>
>
>
I wonder if a better fix would be to make svc_max_payload take the
already-consumed arg space into account? We'd need to fix up the other
callers of course.
In any case, the patch itself looks fine:
Reviewed-by: Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2022-08-29 13:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-28 18:50 [PATCH v2 0/7] Fixes for server-side xdr_stream overhaul Chuck Lever
2022-08-28 18:50 ` [PATCH v2 1/7] SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation Chuck Lever
2022-08-29 12:48 ` Jeff Layton
2022-08-29 13:48 ` Chuck Lever III
2022-08-28 18:50 ` [PATCH v2 2/7] SUNRPC: Fix svcxdr_init_encode's buflen calculation Chuck Lever
2022-08-29 12:51 ` Jeff Layton
2022-08-28 18:50 ` [PATCH v2 3/7] NFSD: Protect against READDIR send buffer overflow Chuck Lever
2022-08-29 13:43 ` Jeff Layton [this message]
2022-08-29 13:59 ` Chuck Lever III
2022-08-28 18:50 ` [PATCH v2 4/7] NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks Chuck Lever
2022-08-29 13:48 ` Jeff Layton
2022-08-28 18:50 ` [PATCH v2 5/7] NFSD: Clean up WRITE arg decoders Chuck Lever
2022-08-29 13:49 ` Jeff Layton
2022-08-28 18:50 ` [PATCH v2 6/7] SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment Chuck Lever
2022-08-29 13:49 ` Jeff Layton
2022-08-28 18:51 ` [PATCH v2 7/7] NFSD: Clean up nfs4svc_encode_compoundres() Chuck Lever
2022-08-29 13:50 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52a93203dbd9daa02814cc920a61066d6df2749e.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox