From: Benjamin Coddington <bcodding@redhat.com>
To: Trond Myklebust <trondmy@hammerspace.com>
Cc: anna@kernel.org, zichenxie0106@gmail.com, zzjas98@gmail.com,
linux-nfs@vger.kernel.org, stable@vger.kernel.org,
chenyuan0y@gmail.com
Subject: Re: [PATCH] NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()
Date: Wed, 18 Dec 2024 09:28:21 -0500 [thread overview]
Message-ID: <90DF7D11-B6A9-4715-823C-CE1E33DBB9FC@redhat.com> (raw)
In-Reply-To: <299a43ab3a10317475fcd53f5d130fe3610ca07a.camel@hammerspace.com>
On 17 Dec 2024, at 12:07, Trond Myklebust wrote:
> On Tue, 2024-12-17 at 16:51 +0000, Trond Myklebust wrote:
>> On Wed, 2024-12-18 at 00:13 +0800, Gax-c wrote:
>>> From: Zichen Xie <zichenxie0106@gmail.com>
>>>
>>> name is char[64] where the size of clnt->cl_program->name remains
>>> unknown. Invoking strcat() directly will also lead to potential
>>> buffer
>>> overflow. Change them to strscpy() and strncat() to fix potential
>>> issues.
>>
>> What makes you think that clnt->cl_program->name is unknown?
>>
>> All calls to nfs_sysfs_link_rpc_client() use well known RPC clients
>> for
>> which the cl_program is pointing to one of nlm_program, nfs_program
>> or
>> nfsacl_program. So we know very well the sizes of clnt->cl_program-
>>> name.
>
> Just to clarify: I'm not strongly against the patch itself. However it
> would seem premature to consider this a bug, let alone a stable fix
> candidate.
>
> Has anyone ever seen a buffer overflow here? If so, under which
> circumstances?
No, there's no way in the current kernel, but I suppose both
nfs_sysfs_link_rpc_client() as well as rpc_create() are exported, so we
could end up having some other part of the kernel send a long "uniq" or
create a client with a long cl_program->name. That change might escape our
review.
Probably not a bad idea to send it back to stable IMO, since a change like
that could get back there too.
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Ben
prev parent reply other threads:[~2024-12-18 14:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 16:13 [PATCH] NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() Gax-c
2024-12-17 16:51 ` Trond Myklebust
2024-12-17 17:07 ` Trond Myklebust
2024-12-18 14:28 ` Benjamin Coddington [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=90DF7D11-B6A9-4715-823C-CE1E33DBB9FC@redhat.com \
--to=bcodding@redhat.com \
--cc=anna@kernel.org \
--cc=chenyuan0y@gmail.com \
--cc=linux-nfs@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=trondmy@hammerspace.com \
--cc=zichenxie0106@gmail.com \
--cc=zzjas98@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox