From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C947347BA7; Thu, 2 Jul 2026 16:52:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011127; cv=none; b=Vtoyrxv7YQbzIvT5wLRF0yyXGvWMdm0PjgCVhYo0xe+NukQzZya0iEs0RTaYOgsd3LaxCepOD1qW5v1+p43XJqd+58EOhQu6aEKuJZ4uIAqP26FgUtWQ/IHnUmOWHAxMuMp3RkFL8oOcjrgolZhSFUS89MvDjc8Evyvl0Xq+4tA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011127; c=relaxed/simple; bh=PqrcA5dDTFCALOVcxa5SRnORbkBngYH6QoQOOiLvmuM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PsTCx1BEN67kl/Wqvw5CeLOlrxSZePxIu3/HYZcfDRRGYI77NXkqtbbVYneUgVWaIbd7m7QbnJdAv3wIulBhPlZlRwiCfTIPfgjXqDYukx2k4DjYHX1F8cjLfplaVHdaOIELXlUdk93wD6ESbdnD6TSTcIUHX+Rb0tsnI45LWmk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=f29FP6Wx; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="f29FP6Wx" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 795F61F000E9; Thu, 2 Jul 2026 16:52:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783011126; bh=owzOczP7AyZTWnezjq6mGSdi4iFqyYrTnN80NO9b2ZU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=f29FP6WxEMFiX4m5m8eUM+Tk9EbEaEBDXy/x7gOif2FxjqZGzrWgobIOimA0JjYH5 hHK0VMF2csUIuJb2++zKh1MTG9kbWptnpAH2pu5pEoXUUXDe+IjnXoe/3o6MHxoBYc MiHBa0cuF5JOTnvucSMFRl4/YLujYaLNy4jn338E= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Michael Bommarito , Anna Schumaker Subject: [PATCH 6.6 166/175] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Date: Thu, 2 Jul 2026 18:21:07 +0200 Message-ID: <20260702155119.285304361@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155115.766838875@linuxfoundation.org> References: <20260702155115.766838875@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michael Bommarito commit 41fe0f7b84f0cb822ae10ab08592996a592b2a25 upstream. nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately calls strrchr(buf, '.') to locate the port separator. Both decodes use xdr_stream_decode_string_dup(), and the current code checks only "nlen < 0" / "rlen < 0" before dereferencing the returned string. When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline() returns 0 and xdr_stream_decode_string_dup() falls through to its "*str = NULL; return ret" tail, leaving buf NULL with a return value of 0. The "< 0" check does not catch this, and the next line is strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from any pNFS-flexfile client mounted against a malicious or compromised metadata server. Reject the zero-length cases explicitly so the decoder fails with -EBADMSG (treated as a malformed GETDEVICEINFO body) instead of panicking the client. Cc: stable@vger.kernel.org Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generic pnfs") Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman --- fs/nfs/pnfs_nfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/nfs/pnfs_nfs.c +++ b/fs/nfs/pnfs_nfs.c @@ -1102,14 +1102,14 @@ nfs4_decode_mp_ds_addr(struct net *net, /* r_netid */ nlen = xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ, gfp_flags); - if (unlikely(nlen < 0)) + if (unlikely(nlen <= 0)) goto out_err; /* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */ /* port is ".ABC.DEF", 8 chars max */ rlen = xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN + IPV6_SCOPE_ID_LEN + 8, gfp_flags); - if (unlikely(rlen < 0)) + if (unlikely(rlen <= 0)) goto out_free_netid; /* replace port '.' with '-' */