[PATCH 0/2] NFSD: prevent integer overflows

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 0/2] NFSD: prevent integer overflows
@ 2024-05-09 10:47 Dan Carpenter
  2024-05-09 10:48 ` [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN() Dan Carpenter
  2024-05-09 10:48 ` [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows Dan Carpenter
  0 siblings, 2 replies; 7+ messages in thread
From: Dan Carpenter @ 2024-05-09 10:47 UTC (permalink / raw)
  To: Trond Myklebust
  Cc: Chuck Lever, Jeff Layton, Neil Brown, Olga Kornievskaia, Dai Ngo,
	Tom Talpey, Trond Myklebust, Anna Schumaker, linux-nfs,
	linux-kernel, kernel-janitors

There is a potential for integer overflows in svcxdr_dupstr()
and svcxdr_tmpalloc() and XDR_QUADLEN().  I believe the fixing the
overflow in XDR_QUADLEN() would fix the bug, but it's safer to be
more thourough.

Dan Carpenter (2):
  SUNRPC: prevent integer overflow in XDR_QUADLEN()
  NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer
    overflows

 fs/nfsd/nfs4xdr.c          | 12 ++++++------
 include/linux/sunrpc/xdr.h |  3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)

-- 
2.43.0

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()
  2024-05-09 10:47 [PATCH 0/2] NFSD: prevent integer overflows Dan Carpenter
@ 2024-05-09 10:48 ` Dan Carpenter
  2024-05-09 20:22   ` kernel test robot
  2024-05-09 21:34   ` kernel test robot
  2024-05-09 10:48 ` [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows Dan Carpenter
  1 sibling, 2 replies; 7+ messages in thread
From: Dan Carpenter @ 2024-05-09 10:48 UTC (permalink / raw)
  To: Trond Myklebust
  Cc: Chuck Lever, Jeff Layton, Neil Brown, Olga Kornievskaia, Dai Ngo,
	Tom Talpey, Trond Myklebust, Anna Schumaker, linux-nfs,
	linux-kernel, kernel-janitors

The "l + 3" addition can have integer overflow on 32 bit systems
when it is used in __xdr_inline_decode().  The overflowed value
would be zero and the check "nwords > xdr->nwords" would not work
as intended.

Fixes: ba8e452a4fe6 ("SUNRPC: Add a helper function xdr_inline_peek")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 include/linux/sunrpc/xdr.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index 2f8dc47f1eb0..585059f2afca 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -14,6 +14,7 @@
 #include <linux/uio.h>
 #include <asm/byteorder.h>
 #include <asm/unaligned.h>
+#include <linux/overflow.h>
 #include <linux/scatterlist.h>
 
 struct bio_vec;
@@ -29,7 +30,7 @@ struct rpc_rqst;
 /*
  * Buffer adjustment
  */
-#define XDR_QUADLEN(l)		(((l) + 3) >> 2)
+#define XDR_QUADLEN(l)		(size_add(l, 3) >> 2)
 
 /*
  * Generic opaque `network object.'
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()
  2024-05-09 10:48 ` [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN() Dan Carpenter
@ 2024-05-09 20:22   ` kernel test robot
  2024-05-09 21:34   ` kernel test robot
  1 sibling, 0 replies; 7+ messages in thread
From: kernel test robot @ 2024-05-09 20:22 UTC (permalink / raw)
  To: Dan Carpenter, Trond Myklebust
  Cc: oe-kbuild-all, Chuck Lever, Jeff Layton, Neil Brown,
	Olga Kornievskaia, Dai Ngo, Tom Talpey, Anna Schumaker, linux-nfs,
	linux-kernel, kernel-janitors

Hi Dan,

kernel test robot noticed the following build errors:

[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v6.9-rc7 next-20240509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Dan-Carpenter/SUNRPC-prevent-integer-overflow-in-XDR_QUADLEN/20240509-185141
base:   git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link:    https://lore.kernel.org/r/bbf929d6-18d2-4b7e-a660-a19460af0a3c%40moroto.mountain
patch subject: [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()
config: alpha-defconfig (https://download.01.org/0day-ci/archive/20240510/202405100445.DwegLXyZ-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240510/202405100445.DwegLXyZ-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405100445.DwegLXyZ-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/linux/sunrpc/clnt.h:22,
                    from net/sunrpc/auth_unix.c:15:
>> include/linux/sunrpc/auth.h:33:25: error: initializer element is not constant
      33 | #define UNX_CALLSLACK   (21 + XDR_QUADLEN(UNX_MAXNODENAME))
         |                         ^
   net/sunrpc/auth_unix.c:225:27: note: in expansion of macro 'UNX_CALLSLACK'
     225 |         .au_cslack      = UNX_CALLSLACK,
         |                           ^~~~~~~~~~~~~
   include/linux/sunrpc/auth.h:33:25: note: (near initialization for 'unix_auth.au_cslack')
      33 | #define UNX_CALLSLACK   (21 + XDR_QUADLEN(UNX_MAXNODENAME))
         |                         ^
   net/sunrpc/auth_unix.c:225:27: note: in expansion of macro 'UNX_CALLSLACK'
     225 |         .au_cslack      = UNX_CALLSLACK,
         |                           ^~~~~~~~~~~~~
--
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:996:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
     996 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures3[1].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:996:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
     996 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1006:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1006 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures3[2].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1006:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1006 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1016:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1016 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures3[3].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1016:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1016 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:92:33: error: initializer element is not constant
      92 | #define RPCB_addr_sz            (1 + XDR_QUADLEN(RPCBIND_MAXUADDRLEN))
         |                                 ^
   net/sunrpc/rpcb_clnt.c:111:33: note: in expansion of macro 'RPCB_addr_sz'
     111 | #define RPCB_getaddrres_sz      RPCB_addr_sz
         |                                 ^~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:1017:35: note: in expansion of macro 'RPCB_getaddrres_sz'
    1017 |                 .p_replen       = RPCB_getaddrres_sz,
         |                                   ^~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:92:33: note: (near initialization for 'rpcb_procedures3[3].p_replen')
      92 | #define RPCB_addr_sz            (1 + XDR_QUADLEN(RPCBIND_MAXUADDRLEN))
         |                                 ^
   net/sunrpc/rpcb_clnt.c:111:33: note: in expansion of macro 'RPCB_addr_sz'
     111 | #define RPCB_getaddrres_sz      RPCB_addr_sz
         |                                 ^~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:1017:35: note: in expansion of macro 'RPCB_getaddrres_sz'
    1017 |                 .p_replen       = RPCB_getaddrres_sz,
         |                                   ^~~~~~~~~~~~~~~~~~
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1029:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1029 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures4[1].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1029:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1029 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1039:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1039 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures4[2].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1039:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1039 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
>> net/sunrpc/rpcb_clnt.c:100:33: error: initializer element is not constant
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1049:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1049 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:100:33: note: (near initialization for 'rpcb_procedures4[3].p_arglen')
     100 | #define RPCB_getaddrargs_sz     (RPCB_program_sz + RPCB_version_sz + \
         |                                 ^
   net/sunrpc/rpcb_clnt.c:1049:35: note: in expansion of macro 'RPCB_getaddrargs_sz'
    1049 |                 .p_arglen       = RPCB_getaddrargs_sz,
         |                                   ^~~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:92:33: error: initializer element is not constant
      92 | #define RPCB_addr_sz            (1 + XDR_QUADLEN(RPCBIND_MAXUADDRLEN))
         |                                 ^
   net/sunrpc/rpcb_clnt.c:111:33: note: in expansion of macro 'RPCB_addr_sz'
     111 | #define RPCB_getaddrres_sz      RPCB_addr_sz
         |                                 ^~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:1050:35: note: in expansion of macro 'RPCB_getaddrres_sz'
    1050 |                 .p_replen       = RPCB_getaddrres_sz,
         |                                   ^~~~~~~~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:92:33: note: (near initialization for 'rpcb_procedures4[3].p_replen')
      92 | #define RPCB_addr_sz            (1 + XDR_QUADLEN(RPCBIND_MAXUADDRLEN))
         |                                 ^
   net/sunrpc/rpcb_clnt.c:111:33: note: in expansion of macro 'RPCB_addr_sz'
     111 | #define RPCB_getaddrres_sz      RPCB_addr_sz
         |                                 ^~~~~~~~~~~~
   net/sunrpc/rpcb_clnt.c:1050:35: note: in expansion of macro 'RPCB_getaddrres_sz'
    1050 |                 .p_replen       = RPCB_getaddrres_sz,
         |                                   ^~~~~~~~~~~~~~~~~~
--
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:571:34: note: in expansion of macro 'Ck'
     571 |                 .pc_xdrressize = Ck+St+2+No+Rg,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[1].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:571:34: note: in expansion of macro 'Ck'
     571 |                 .pc_xdrressize = Ck+St+2+No+Rg,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:581:34: note: in expansion of macro 'Ck'
     581 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[2].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:581:34: note: in expansion of macro 'Ck'
     581 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:591:34: note: in expansion of macro 'Ck'
     591 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[3].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:591:34: note: in expansion of macro 'Ck'
     591 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:601:34: note: in expansion of macro 'Ck'
     601 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[4].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:601:34: note: in expansion of macro 'Ck'
     601 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:611:34: note: in expansion of macro 'Ck'
     611 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[5].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:611:34: note: in expansion of macro 'Ck'
     611 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:761:34: note: in expansion of macro 'Ck'
     761 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[20].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:761:34: note: in expansion of macro 'Ck'
     761 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:771:34: note: in expansion of macro 'Ck'
     771 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[21].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:771:34: note: in expansion of macro 'Ck'
     771 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
>> fs/lockd/svcproc.c:548:17: error: initializer element is not constant
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:781:34: note: in expansion of macro 'Ck'
     781 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svcproc.c:548:17: note: (near initialization for 'nlmsvc_procedures[22].pc_xdrressize')
     548 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svcproc.c:781:34: note: in expansion of macro 'Ck'
     781 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
--
>> fs/lockd/mon.c:536:25: error: initializer element is not constant
     536 | #define SM_mon_sz       (SM_mon_id_sz+SM_priv_sz)
         |                         ^
   fs/lockd/mon.c:545:35: note: in expansion of macro 'SM_mon_sz'
     545 |                 .p_arglen       = SM_mon_sz,
         |                                   ^~~~~~~~~
   fs/lockd/mon.c:536:25: note: (near initialization for 'nsm_procedures[2].p_arglen')
     536 | #define SM_mon_sz       (SM_mon_id_sz+SM_priv_sz)
         |                         ^
   fs/lockd/mon.c:545:35: note: in expansion of macro 'SM_mon_sz'
     545 |                 .p_arglen       = SM_mon_sz,
         |                                   ^~~~~~~~~
   fs/lockd/mon.c:534:25: error: initializer element is not constant
     534 | #define SM_mon_id_sz    (SM_mon_name_sz+SM_my_id_sz)
         |                         ^
   fs/lockd/mon.c:554:35: note: in expansion of macro 'SM_mon_id_sz'
     554 |                 .p_arglen       = SM_mon_id_sz,
         |                                   ^~~~~~~~~~~~
   fs/lockd/mon.c:534:25: note: (near initialization for 'nsm_procedures[3].p_arglen')
     534 | #define SM_mon_id_sz    (SM_mon_name_sz+SM_my_id_sz)
         |                         ^
   fs/lockd/mon.c:554:35: note: in expansion of macro 'SM_mon_id_sz'
     554 |                 .p_arglen       = SM_mon_id_sz,
         |                                   ^~~~~~~~~~~~
--
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:537:34: note: in expansion of macro 'Ck'
     537 |                 .pc_xdrressize = Ck+St+2+No+Rg,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[1].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:537:34: note: in expansion of macro 'Ck'
     537 |                 .pc_xdrressize = Ck+St+2+No+Rg,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:547:34: note: in expansion of macro 'Ck'
     547 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[2].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:547:34: note: in expansion of macro 'Ck'
     547 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:557:34: note: in expansion of macro 'Ck'
     557 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[3].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:557:34: note: in expansion of macro 'Ck'
     557 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:567:34: note: in expansion of macro 'Ck'
     567 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[4].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:567:34: note: in expansion of macro 'Ck'
     567 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:577:34: note: in expansion of macro 'Ck'
     577 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[5].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:577:34: note: in expansion of macro 'Ck'
     577 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:727:34: note: in expansion of macro 'Ck'
     727 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[20].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:727:34: note: in expansion of macro 'Ck'
     727 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:737:34: note: in expansion of macro 'Ck'
     737 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[21].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:737:34: note: in expansion of macro 'Ck'
     737 |                 .pc_xdrressize = Ck+St+1,
         |                                  ^~
>> fs/lockd/svc4proc.c:514:17: error: initializer element is not constant
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:747:34: note: in expansion of macro 'Ck'
     747 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
   fs/lockd/svc4proc.c:514:17: note: (near initialization for 'nlmsvc_procedures4[22].pc_xdrressize')
     514 | #define Ck      (1+XDR_QUADLEN(NLM_MAXCOOKIELEN))       /* cookie */
         |                 ^
   fs/lockd/svc4proc.c:747:34: note: in expansion of macro 'Ck'
     747 |                 .pc_xdrressize = Ck+St,
         |                                  ^~
..


vim +33 include/linux/sunrpc/auth.h

4500632f60fa0d Chuck Lever    2016-03-01  27  
24a9a9610ce3ba Jeff Layton    2015-08-03  28  /*
24a9a9610ce3ba Jeff Layton    2015-08-03  29   * Size of the nodename buffer. RFC1831 specifies a hard limit of 255 bytes,
24a9a9610ce3ba Jeff Layton    2015-08-03  30   * but Linux hostnames are actually limited to __NEW_UTS_LEN bytes.
24a9a9610ce3ba Jeff Layton    2015-08-03  31   */
24a9a9610ce3ba Jeff Layton    2015-08-03  32  #define UNX_MAXNODENAME	__NEW_UTS_LEN
4500632f60fa0d Chuck Lever    2016-03-01 @33  #define UNX_CALLSLACK	(21 + XDR_QUADLEN(UNX_MAXNODENAME))
5786461bd8ea81 Kinglong Mee   2017-02-07  34  #define UNX_NGROUPS	16
^1da177e4c3f41 Linus Torvalds 2005-04-16  35  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()
  2024-05-09 10:48 ` [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN() Dan Carpenter
  2024-05-09 20:22   ` kernel test robot
@ 2024-05-09 21:34   ` kernel test robot
  1 sibling, 0 replies; 7+ messages in thread
From: kernel test robot @ 2024-05-09 21:34 UTC (permalink / raw)
  To: Dan Carpenter, Trond Myklebust
  Cc: llvm, oe-kbuild-all, Chuck Lever, Jeff Layton, Neil Brown,
	Olga Kornievskaia, Dai Ngo, Tom Talpey, Anna Schumaker, linux-nfs,
	linux-kernel, kernel-janitors

Hi Dan,

kernel test robot noticed the following build errors:

[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v6.9-rc7 next-20240509]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Dan-Carpenter/SUNRPC-prevent-integer-overflow-in-XDR_QUADLEN/20240509-185141
base:   git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link:    https://lore.kernel.org/r/bbf929d6-18d2-4b7e-a660-a19460af0a3c%40moroto.mountain
patch subject: [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()
config: s390-defconfig (https://download.01.org/0day-ci/archive/20240510/202405100514.9QcoLUdp-lkp@intel.com/config)
compiler: clang version 19.0.0git (https://github.com/llvm/llvm-project b910bebc300dafb30569cecc3017b446ea8eafa0)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240510/202405100514.9QcoLUdp-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405100514.9QcoLUdp-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/linux/highmem.h:10:
   In file included from include/linux/mm.h:2188:
   include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     508 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     509 |                            item];
         |                            ~~~~
   include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     515 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     516 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
   include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
     522 |         return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
         |                               ~~~~~~~~~~~ ^ ~~~
   include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     527 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     528 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
   include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     536 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     537 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
   In file included from fs/nfsd/nfs4callback.c:34:
   In file included from include/linux/nfs4.h:19:
   In file included from include/linux/sunrpc/msg_prot.h:205:
   In file included from include/linux/inet.h:42:
   In file included from include/net/net_namespace.h:43:
   In file included from include/linux/skbuff.h:28:
   In file included from include/linux/dma-mapping.h:11:
   In file included from include/linux/scatterlist.h:9:
   In file included from arch/s390/include/asm/io.h:78:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     547 |         val = __raw_readb(PCI_IOBASE + addr);
         |                           ~~~~~~~~~~ ^
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     560 |         val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
         |                                                         ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
      37 | #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
         |                                                           ^
   include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
     102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
         |                                                      ^
   In file included from fs/nfsd/nfs4callback.c:34:
   In file included from include/linux/nfs4.h:19:
   In file included from include/linux/sunrpc/msg_prot.h:205:
   In file included from include/linux/inet.h:42:
   In file included from include/net/net_namespace.h:43:
   In file included from include/linux/skbuff.h:28:
   In file included from include/linux/dma-mapping.h:11:
   In file included from include/linux/scatterlist.h:9:
   In file included from arch/s390/include/asm/io.h:78:
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     573 |         val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
         |                                                         ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
      35 | #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
         |                                                           ^
   include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
     115 | #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
         |                                                      ^
   In file included from fs/nfsd/nfs4callback.c:34:
   In file included from include/linux/nfs4.h:19:
   In file included from include/linux/sunrpc/msg_prot.h:205:
   In file included from include/linux/inet.h:42:
   In file included from include/net/net_namespace.h:43:
   In file included from include/linux/skbuff.h:28:
   In file included from include/linux/dma-mapping.h:11:
   In file included from include/linux/scatterlist.h:9:
   In file included from arch/s390/include/asm/io.h:78:
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     584 |         __raw_writeb(value, PCI_IOBASE + addr);
         |                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     594 |         __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
         |                                                       ~~~~~~~~~~ ^
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     604 |         __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
         |                                                       ~~~~~~~~~~ ^
   include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     692 |         readsb(PCI_IOBASE + addr, buffer, count);
         |                ~~~~~~~~~~ ^
   include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     700 |         readsw(PCI_IOBASE + addr, buffer, count);
         |                ~~~~~~~~~~ ^
   include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     708 |         readsl(PCI_IOBASE + addr, buffer, count);
         |                ~~~~~~~~~~ ^
   include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     717 |         writesb(PCI_IOBASE + addr, buffer, count);
         |                 ~~~~~~~~~~ ^
   include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     726 |         writesw(PCI_IOBASE + addr, buffer, count);
         |                 ~~~~~~~~~~ ^
   include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
     735 |         writesl(PCI_IOBASE + addr, buffer, count);
         |                 ~~~~~~~~~~ ^
>> fs/nfsd/nfs4callback.c:832:2: error: initializer element is not a compile-time constant
     832 |         PROC(CB_OFFLOAD,        COMPOUND,       cb_offload,     cb_offload),
         |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/nfsd/nfs4callback.c:819:15: note: expanded from macro 'PROC'
     819 |         .p_arglen  = NFS4_enc_##argtype##_sz,                           \
         |                      ^~~~~~~~~~~~~~~~~~~~~~~
   <scratch space>:133:1: note: expanded from here
     133 | NFS4_enc_cb_offload_sz
         | ^~~~~~~~~~~~~~~~~~~~~~
   fs/nfsd/xdr4cb.h:43:33: note: expanded from macro 'NFS4_enc_cb_offload_sz'
      43 | #define NFS4_enc_cb_offload_sz          (cb_compound_enc_hdr_sz +       \
         |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      44 |                                         cb_sequence_enc_sz +            \
         |                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      45 |                                         enc_nfs4_fh_sz +                \
         |                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      46 |                                         enc_stateid_sz +                \
         |                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      47 |                                         enc_cb_offload_info_sz)
         |                                         ~~~~~~~~~~~~~~~~~~~~~~~
   17 warnings and 1 error generated.


vim +832 fs/nfsd/nfs4callback.c

^1da177e4c3f415 Linus Torvalds    2005-04-16  824  
499b4988109e91b Christoph Hellwig 2017-05-12  825  static const struct rpc_procinfo nfs4_cb_procedures[] = {
7d93bd71cb3e262 Chuck Lever       2010-12-14  826  	PROC(CB_NULL,	NULL,		cb_null,	cb_null),
7d93bd71cb3e262 Chuck Lever       2010-12-14  827  	PROC(CB_RECALL,	COMPOUND,	cb_recall,	cb_recall),
c5c707f96fc9a6e Christoph Hellwig 2014-09-23  828  #ifdef CONFIG_NFSD_PNFS
c5c707f96fc9a6e Christoph Hellwig 2014-09-23  829  	PROC(CB_LAYOUT,	COMPOUND,	cb_layout,	cb_layout),
c5c707f96fc9a6e Christoph Hellwig 2014-09-23  830  #endif
a188620ebd294b1 Jeff Layton       2016-09-16  831  	PROC(CB_NOTIFY_LOCK,	COMPOUND,	cb_notify_lock,	cb_notify_lock),
9eb190fca8f9056 Olga Kornievskaia 2018-07-20 @832  	PROC(CB_OFFLOAD,	COMPOUND,	cb_offload,	cb_offload),
3959066b697b5df Dai Ngo           2022-11-16  833  	PROC(CB_RECALL_ANY,	COMPOUND,	cb_recall_any,	cb_recall_any),
^1da177e4c3f415 Linus Torvalds    2005-04-16  834  };
^1da177e4c3f415 Linus Torvalds    2005-04-16  835  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows
  2024-05-09 10:47 [PATCH 0/2] NFSD: prevent integer overflows Dan Carpenter
  2024-05-09 10:48 ` [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN() Dan Carpenter
@ 2024-05-09 10:48 ` Dan Carpenter
  2024-05-09 13:19   ` Chuck Lever
  1 sibling, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2024-05-09 10:48 UTC (permalink / raw)
  To: Chuck Lever
  Cc: Jeff Layton, Neil Brown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-kernel, kernel-janitors

These lengths come from xdr_stream_decode_u32() and so we should be a
bit careful with them.  Use size_add() and struct_size() to avoid
integer overflows.  Saving size_add()/struct_size() results to a u32 is
unsafe because it truncates away the high bits.

Also generally storing sizes in longs is safer.  Most systems these days
use 64 bit CPUs.  It's harder for an addition to overflow 64 bits than
it is to overflow 32 bits.  Also functions like vmalloc() can
successfully allocate UINT_MAX bytes, but nothing can allocate ULONG_MAX
bytes.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
I think my patch 1 fixes any real issues.  It's hard to assign a Fixes
tag to this.

 fs/nfsd/nfs4xdr.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index c7bfd2180e3f..42b41d55d4ed 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -118,11 +118,11 @@ static int zero_clientid(clientid_t *clid)
  * operation described in @argp finishes.
  */
 static void *
-svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len)
+svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, size_t len)
 {
 	struct svcxdr_tmpbuf *tb;
 
-	tb = kmalloc(sizeof(*tb) + len, GFP_KERNEL);
+	tb = kmalloc(struct_size(tb, buf, len), GFP_KERNEL);
 	if (!tb)
 		return NULL;
 	tb->next = argp->to_free;
@@ -138,9 +138,9 @@ svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len)
  * buffer might end on a page boundary.
  */
 static char *
-svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len)
+svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, size_t len)
 {
-	char *p = svcxdr_tmpalloc(argp, len + 1);
+	char *p = svcxdr_tmpalloc(argp, size_add(len, 1));
 
 	if (!p)
 		return NULL;
@@ -150,7 +150,7 @@ svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len)
 }
 
 static void *
-svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, u32 len)
+svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, size_t len)
 {
 	__be32 *tmp;
 
@@ -2146,7 +2146,7 @@ nfsd4_decode_clone(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u)
  */
 static __be32
 nfsd4_vbuf_from_vector(struct nfsd4_compoundargs *argp, struct xdr_buf *xdr,
-		       char **bufp, u32 buflen)
+		       char **bufp, size_t buflen)
 {
 	struct page **pages = xdr->pages;
 	struct kvec *head = xdr->head;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows
  2024-05-09 10:48 ` [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows Dan Carpenter
@ 2024-05-09 13:19   ` Chuck Lever
  2024-05-09 13:26     ` Dan Carpenter
  0 siblings, 1 reply; 7+ messages in thread
From: Chuck Lever @ 2024-05-09 13:19 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Jeff Layton, Neil Brown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-kernel, kernel-janitors

On Thu, May 09, 2024 at 01:48:28PM +0300, Dan Carpenter wrote:
> These lengths come from xdr_stream_decode_u32() and so we should be a
> bit careful with them.  Use size_add() and struct_size() to avoid
> integer overflows.  Saving size_add()/struct_size() results to a u32 is
> unsafe because it truncates away the high bits.
> 
> Also generally storing sizes in longs is safer.  Most systems these days
> use 64 bit CPUs.  It's harder for an addition to overflow 64 bits than
> it is to overflow 32 bits.  Also functions like vmalloc() can
> successfully allocate UINT_MAX bytes, but nothing can allocate ULONG_MAX
> bytes.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> I think my patch 1 fixes any real issues.  It's hard to assign a Fixes
> tag to this.

I agree that this is a defensive change only. As it is late in the
cycle and this doesn't seem urgent, I would prefer to queue this
change for v6.11.


>  fs/nfsd/nfs4xdr.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index c7bfd2180e3f..42b41d55d4ed 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -118,11 +118,11 @@ static int zero_clientid(clientid_t *clid)
>   * operation described in @argp finishes.
>   */
>  static void *
> -svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len)
> +svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, size_t len)
>  {
>  	struct svcxdr_tmpbuf *tb;
>  
> -	tb = kmalloc(sizeof(*tb) + len, GFP_KERNEL);
> +	tb = kmalloc(struct_size(tb, buf, len), GFP_KERNEL);
>  	if (!tb)
>  		return NULL;
>  	tb->next = argp->to_free;
> @@ -138,9 +138,9 @@ svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len)
>   * buffer might end on a page boundary.
>   */
>  static char *
> -svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len)
> +svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, size_t len)
>  {
> -	char *p = svcxdr_tmpalloc(argp, len + 1);
> +	char *p = svcxdr_tmpalloc(argp, size_add(len, 1));
>  
>  	if (!p)
>  		return NULL;
> @@ -150,7 +150,7 @@ svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len)
>  }
>  
>  static void *
> -svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, u32 len)
> +svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, size_t len)
>  {
>  	__be32 *tmp;
>  
> @@ -2146,7 +2146,7 @@ nfsd4_decode_clone(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u)
>   */
>  static __be32
>  nfsd4_vbuf_from_vector(struct nfsd4_compoundargs *argp, struct xdr_buf *xdr,
> -		       char **bufp, u32 buflen)
> +		       char **bufp, size_t buflen)
>  {
>  	struct page **pages = xdr->pages;
>  	struct kvec *head = xdr->head;
> -- 
> 2.43.0
> 

-- 
Chuck Lever

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows
  2024-05-09 13:19   ` Chuck Lever
@ 2024-05-09 13:26     ` Dan Carpenter
  0 siblings, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2024-05-09 13:26 UTC (permalink / raw)
  To: Chuck Lever
  Cc: Jeff Layton, Neil Brown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-kernel, kernel-janitors

On Thu, May 09, 2024 at 09:19:48AM -0400, Chuck Lever wrote:
> On Thu, May 09, 2024 at 01:48:28PM +0300, Dan Carpenter wrote:
> > These lengths come from xdr_stream_decode_u32() and so we should be a
> > bit careful with them.  Use size_add() and struct_size() to avoid
> > integer overflows.  Saving size_add()/struct_size() results to a u32 is
> > unsafe because it truncates away the high bits.
> > 
> > Also generally storing sizes in longs is safer.  Most systems these days
> > use 64 bit CPUs.  It's harder for an addition to overflow 64 bits than
> > it is to overflow 32 bits.  Also functions like vmalloc() can
> > successfully allocate UINT_MAX bytes, but nothing can allocate ULONG_MAX
> > bytes.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> > ---
> > I think my patch 1 fixes any real issues.  It's hard to assign a Fixes
> > tag to this.
> 
> I agree that this is a defensive change only. As it is late in the
> cycle and this doesn't seem urgent, I would prefer to queue this
> change for v6.11.
> 

Sounds good.  I would imagine that eventually it will make its way back
to the stable kernels but it's not a rush.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2024-05-09 21:35 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-09 10:47 [PATCH 0/2] NFSD: prevent integer overflows Dan Carpenter
2024-05-09 10:48 ` [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN() Dan Carpenter
2024-05-09 20:22   ` kernel test robot
2024-05-09 21:34   ` kernel test robot
2024-05-09 10:48 ` [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows Dan Carpenter
2024-05-09 13:19   ` Chuck Lever
2024-05-09 13:26     ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox