From 2d37685605e523c8fc477390af24132625e8a0a7 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Thu, 16 Aug 2018 17:16:05 +0100
Subject: Tidy up patches that aren't being applied
---
CVE-2017-7645.patch | 180 ----------------------------------------------------
1 file changed, 180 deletions(-)
delete mode 100644 CVE-2017-7645.patch
(limited to 'CVE-2017-7645.patch')
diff --git a/CVE-2017-7645.patch b/CVE-2017-7645.patch
deleted file mode 100644
index 0be019cc3..000000000
--- a/CVE-2017-7645.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From: "J. Bruce Fields"
-Date: 2017-04-14 15:04:40
-Subject: [PATCH] nfsd: check for oversized NFSv2/v3 arguments
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply. This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE). But a client that sends an incorrectly long reply
-can violate those assumptions. This was observed to cause crashes.
-
-So, insist that the argument not be any longer than we expect.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-Reported-by: Tuomas Haanpää
-Reported-by: Ari Kauppi
-Cc: stable@vger.kernel.org
-Signed-off-by: J. Bruce Fields
----
- fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------
- fs/nfsd/nfsxdr.c | 13 ++++++++++---
- include/linux/sunrpc/svc.h | 3 +--
- 3 files changed, 28 insertions(+), 11 deletions(-)
-
-diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
-index dba2ff8eaa68..be66bcadfaea 100644
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- if (!p)
- return 0;
- p = xdr_decode_hyper(p, &args->offset);
--
- args->count = ntohl(*p++);
-+
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = min(args->count, max_blocksize);
-
- /* set up the kvec */
-@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- v++;
- }
- args->vlen = v;
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -536,9 +539,11 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p,
- p = decode_fh(p, &args->fh);
- if (!p)
- return 0;
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -564,10 +569,14 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
- args->verf = p; p += 2;
- args->dircount = ~0;
- args->count = ntohl(*p++);
-+
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- args->count = min_t(u32, args->count, PAGE_SIZE);
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -585,6 +594,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
- args->dircount = ntohl(*p++);
- args->count = ntohl(*p++);
-
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = args->count = min(args->count, max_blocksize);
- while (len > 0) {
- struct page *p = *(rqstp->rq_next_page++);
-@@ -592,8 +604,7 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
- args->buffer = page_address(p);
- len -= PAGE_SIZE;
- }
--
- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
-index 41b468a6a90f..79268369f7b3 100644
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- len = args->count = ntohl(*p++);
- p++; /* totalcount - unused */
-
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
-
- /* set up somewhere to store response.
-@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- v++;
- }
- args->vlen = v;
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -360,9 +363,11 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli
- p = decode_fh(p, &args->fh);
- if (!p)
- return 0;
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -400,9 +405,11 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
- args->cookie = ntohl(*p++);
- args->count = ntohl(*p++);
- args->count = min_t(u32, args->count, PAGE_SIZE);
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- /*
-diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
-index e770abeed32d..6ef19cf658b4 100644
---- a/include/linux/sunrpc/svc.h
-+++ b/include/linux/sunrpc/svc.h
-@@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p)
- {
- char *cp = (char *)p;
- struct kvec *vec = &rqstp->rq_arg.head[0];
-- return cp >= (char*)vec->iov_base
-- && cp <= (char*)vec->iov_base + vec->iov_len;
-+ return cp == (char *)vec->iov_base + vec->iov_len;
- }
-
- static inline int
---
-2.9.3
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
--
cgit