From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9AE904E379D; Thu, 2 Jul 2026 16:29:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783009774; cv=none; b=WoBRd7uhco2gbhfKhz5yt9lZlZKaWvbINPSNtAqnkIBEYmymIoJz0/UloTLPubWcKFQHihPeGXGOFyV89PBtQ8SjXw3NjNlDYxrK0iY8smIr41Dwt8bzE5Dk9Jo5VKI38S3jvyFLy4UzHCBpVXnJm51QezLgTn2ZL+GCXXm5DKI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783009774; c=relaxed/simple; bh=6W3/z0Ilfbtcw3fXWUDc0rvdYBGWxHYQkdKrpLeUy9k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GERxIODu06g4h+8FXfcpD7AgyMrnr8EmSeAhurXsfD1daOsXH/DGkaA8I8d7SctcaBhWyr4XYoB/Stn6fkVhQ17niSWQya00xHvL+TvOW2lDhkbRHj5fOyNoY2RWBgBtqEeRjmOWABZb/aVyP4e2tqjCZrHc7hxaGmivjKlUQho= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=NE6cEjSY; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="NE6cEjSY" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A23FD1F00A3A; Thu, 2 Jul 2026 16:29:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783009770; bh=Caq93JPVc4CCAaJ23xYKDN50rfZCf9n4DFICqyRXQOE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=NE6cEjSYzkjHt+rQH0LH43ox7XeQT6zJaldTUmZgdGjrE+sRK84TZBpIp9BaExQ/a xmynnUqWp8cAxbR8kCKv4SHR8EhCyPVA9slhzzRMnDo/TCawKaf67p5MslDYADRPpg 9pKWeToRU4NdRg4TQyqsYu2qUxSm03+gABPpWS5k= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Michael Bommarito , Anna Schumaker Subject: [PATCH 5.15 80/95] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Date: Thu, 2 Jul 2026 18:20:23 +0200 Message-ID: <20260702155110.892595874@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155109.196223802@linuxfoundation.org> References: <20260702155109.196223802@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michael Bommarito commit 41fe0f7b84f0cb822ae10ab08592996a592b2a25 upstream. nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately calls strrchr(buf, '.') to locate the port separator. Both decodes use xdr_stream_decode_string_dup(), and the current code checks only "nlen < 0" / "rlen < 0" before dereferencing the returned string. When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline() returns 0 and xdr_stream_decode_string_dup() falls through to its "*str = NULL; return ret" tail, leaving buf NULL with a return value of 0. The "< 0" check does not catch this, and the next line is strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from any pNFS-flexfile client mounted against a malicious or compromised metadata server. Reject the zero-length cases explicitly so the decoder fails with -EBADMSG (treated as a malformed GETDEVICEINFO body) instead of panicking the client. Cc: stable@vger.kernel.org Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generic pnfs") Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman --- fs/nfs/pnfs_nfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/nfs/pnfs_nfs.c +++ b/fs/nfs/pnfs_nfs.c @@ -1057,14 +1057,14 @@ nfs4_decode_mp_ds_addr(struct net *net, /* r_netid */ nlen = xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ, gfp_flags); - if (unlikely(nlen < 0)) + if (unlikely(nlen <= 0)) goto out_err; /* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */ /* port is ".ABC.DEF", 8 chars max */ rlen = xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN + IPV6_SCOPE_ID_LEN + 8, gfp_flags); - if (unlikely(rlen < 0)) + if (unlikely(rlen <= 0)) goto out_free_netid; /* replace port '.' with '-' */