linux-imx/fs
J. Bruce Fields 7a6875988a nfsd: check for oversized NFSv2/v3 arguments
commit e6838a29ec upstream.

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPCs typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
2017-05-09 08:19:55 +02:00
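As an added illustration of the central check the commit message describes (example code written for this page, not the kernel's nfsd code): arguments and reply share one page array, so an NFSv2/v3 procedure whose reply may be large must not also arrive with large arguments, and arbitrary bytes appended by the client count toward the argument size. The page size, payload limit, struct and function names, program numbers used as constants, and the per-procedure reply bounds in the demo are assumptions chosen for this model; the second function shows the page budget the check protects, so a READ call padded with junk can be seen to run the reply off the end of the array.

```c
/*
 * Added example for this page (not code from the kernel's nfsd): a model of
 * the "no NFSv2/v3 call has both a large call and a large reply" check that
 * the commit message describes, plus the page budget it protects.
 * Assumed for illustration: PAGE_SZ, MAX_PAYLOAD, the struct/function names,
 * and the per-procedure reply bounds used in main().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ        4096u                       /* assumed page size */
#define MAX_PAYLOAD    65536u                      /* assumed largest READ/WRITE payload */
#define RQ_PAGES       (MAX_PAYLOAD / PAGE_SZ + 3) /* header + payload + tail pages */
#define XDR_QUADLEN(n) (((n) + 3u) / 4u)           /* bytes -> 4-byte XDR words, rounded up */

#define PROG_NFS     100003u   /* NFS program number */
#define PROG_NFSACL  100227u   /* NFS_ACL program number */

/* What the dispatcher knows before any procedure-specific decoding. */
struct model_rqst {
    uint32_t prog;     /* RPC program */
    uint32_t vers;     /* program version: 2, 3 or 4 */
    size_t   arg_len;  /* bytes of encoded arguments actually received,
                          including anything the client appended */
};

/* Per-procedure metadata: upper bound of the encoded reply in XDR words,
 * or 0 when the reply carries data and is not bounded (READ, READDIR). */
struct model_proc {
    const char *name;
    unsigned    xdrressize;
};

/* Central check: arguments and reply share one page array, so an NFSv2/v3
 * call with a potentially large reply must not also have large arguments. */
static bool model_request_too_big(const struct model_rqst *rq,
                                  const struct model_proc *proc)
{
    if (rq->prog != PROG_NFS)       /* other programs bounds-check themselves */
        return false;
    if (rq->vers >= 4)              /* v4 compounds may be large on both sides */
        return false;
    if (proc->xdrressize > 0 && proc->xdrressize < XDR_QUADLEN(PAGE_SZ))
        return false;               /* reply fits in a page: long args are fine */
    return rq->arg_len > PAGE_SZ;   /* reply may be large, so args must be small */
}

/* Pages the received arguments and a worst-case reply occupy together. */
static unsigned model_pages_needed(size_t arg_len, size_t reply_len)
{
    return (unsigned)((arg_len + PAGE_SZ - 1) / PAGE_SZ +
                      (reply_len + PAGE_SZ - 1) / PAGE_SZ);
}

/* True when encoding the reply would run past the end of the page array. */
static bool model_reply_overflows(size_t arg_len, size_t reply_len)
{
    return model_pages_needed(arg_len, reply_len) > RQ_PAGES;
}

/* Convenience wrapper so a single case can be checked with one call. */
static bool model_check(uint32_t prog, uint32_t vers, size_t arg_len,
                        unsigned xdrressize)
{
    struct model_rqst rq = { prog, vers, arg_len };
    struct model_proc pr = { "proc", xdrressize };
    return model_request_too_big(&rq, &pr);
}

int main(void)
{
    /* Constructed cases. Reply bounds are assumed, not the kernel's values:
     * READ reply is unbounded (0); a WRITE reply is a few dozen words. */
    const size_t read_args = 128;            /* fh + offset + count */
    const size_t garbage   = 15 * PAGE_SZ;   /* appended by a hostile client */

    printf("READ, clean:   too_big=%d overflow=%d\n",
           model_check(PROG_NFS, 3, read_args, 0),
           model_reply_overflows(read_args, MAX_PAYLOAD));
    printf("READ + junk:   too_big=%d overflow=%d\n",
           model_check(PROG_NFS, 3, read_args + garbage, 0),
           model_reply_overflows(read_args + garbage, MAX_PAYLOAD));
    printf("WRITE 64 KiB:  too_big=%d overflow=%d\n",
           model_check(PROG_NFS, 3, MAX_PAYLOAD + 128, 24),
           model_reply_overflows(MAX_PAYLOAD + 128, 24 * 4));
    printf("v4 large args: too_big=%d (left to the v4 code)\n",
           model_check(PROG_NFS, 4, 3 * PAGE_SZ, 0));
    return 0;
}
```

The point of the last two cases is the asymmetry the commit message relies on: a 64 KiB WRITE passes because its reply is known to be small, while the same check rejects a READ whose arguments exceed one page, since READ's reply may fill the rest of the array. The check is deliberately a coarse "reject" rather than a byte-exact budget; the budget function is there to show what it prevents, not to replace it.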
9p posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
adfs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
affs move d_rcu from overlapping d_child to overlapping d_alias 2015-01-29 15:45:16 +01:00
afs afs: dget_parent() can't return a negative dentry 2013-09-29 22:02:24 -04:00
autofs4 autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation 2015-03-12 17:31:18 +01:00
befs [readdir] convert befs 2013-06-29 12:56:55 +04:00
bfs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
btrfs posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
cachefiles CacheFiles: Don't try to dump the index key if the cookie has been cleared 2013-09-20 15:15:43 -07:00
ceph ceph: fix kick_requests() 2015-11-14 18:57:13 +01:00
cifs CIFS: remove bad_network_name flag 2017-05-09 08:19:34 +02:00
coda move d_rcu from overlapping d_child to overlapping d_alias 2015-01-29 15:45:16 +01:00
configfs configfs: fix race between dentry put and lookup 2013-11-29 11:28:12 -08:00
cramfs mm: remove read_cache_page_async() 2014-09-26 11:51:58 +02:00
debugfs debugfs: leave freeing a symlink body until inode eviction 2015-03-12 17:31:19 +01:00
devpts pty: make sure super_block is still valid in final /dev/tty close 2016-02-24 10:23:17 +01:00
dlm dlm: make posix locks interruptible 2016-01-09 11:18:16 +01:00
ecryptfs ecryptfs: don't allow mmap when the lower fs doesn't support it 2016-07-18 13:52:16 +02:00
efivarfs efi: Make efivarfs entries immutable by default 2016-03-14 23:10:35 +01:00
efs efs: iget_locked() doesn't return an ERR_PTR() 2013-08-24 12:10:22 -04:00
exofs ore: Fix wrong math in allocation of per device BIO 2014-02-13 13:50:14 -08:00
exportfs move d_rcu from overlapping d_child to overlapping d_alias 2015-01-29 15:45:16 +01:00
ext2 posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
ext3 posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
ext4 ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() 2017-05-09 08:19:50 +02:00
f2fs posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
fat fat: fix using uninitialized fields of fat_inode/fsinfo_inode 2017-03-13 21:40:51 +01:00
freevxfs [readdir] convert freevxfs 2013-06-29 12:56:53 +04:00
fscache FS-Cache: Don't override netfs's primary_index if registering failed 2016-02-24 09:45:13 +01:00
fuse fuse: add missing FR_FORCE 2017-03-13 21:40:33 +01:00
gfs2 gfs2: avoid uninitialized variable warning 2017-05-09 08:19:45 +02:00
hfs hfs,hfsplus: cache pages correctly between bnode_create and bnode_free 2015-09-30 13:47:37 +02:00
hfsplus posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
hostfs hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() 2016-10-06 08:21:59 +02:00
hpfs hpfs: update ctime and mtime on directory modification 2015-09-30 10:59:59 +02:00
hppfs clean up scary strncpy(dst, src, strlen(src)) uses 2013-07-03 16:07:41 -07:00
hugetlbfs hugetlb: ensure hugepage access is denied if hugepages are not supported 2014-09-26 11:51:50 +02:00
isofs isofs: Do not return EACCES for unknown filesystems 2016-11-08 16:38:19 +01:00
jbd jbd: use a single printk for jbd_debug() 2013-08-09 10:49:00 +02:00
jbd2 jbd2: don't leak modified metadata buffers on an aborted journal 2017-03-13 21:40:29 +01:00
jffs2 posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
jfs posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
lockd lockd: create NSM handles per net namespace 2016-03-03 12:45:55 +01:00
logfs Lots of bug fixes, cleanups and optimizations. In the bug fixes 2013-07-02 09:39:34 -07:00
minix minix zmap block counts calculation fix 2014-12-03 11:58:43 +01:00
ncpfs move d_rcu from overlapping d_child to overlapping d_alias 2015-01-29 15:45:16 +01:00
nfs NFSv4: fix getacl ERANGE for some ACL buffer sizes 2017-03-13 21:40:38 +01:00
nfs_common
nfsd nfsd: check for oversized NFSv2/v3 arguments 2017-05-09 08:19:55 +02:00
nilfs2 fs/nilfs2: fix potential underflow in call to crc32_le 2016-08-19 09:50:54 +02:00
nls
notify fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() 2015-08-19 08:36:47 +02:00
ntfs fix O_SYNC|O_APPEND syncing the wrong range on write() 2014-12-03 11:58:41 +01:00
ocfs2 ocfs2: do not write error flag to user structure we cannot copy from/to 2017-03-03 11:31:12 +01:00
omfs fs, omfs: add NULL terminator in the end up the token list 2015-06-03 11:33:07 +02:00
openpromfs [readdir] convert openpromfs 2013-06-29 12:56:32 +04:00
proc sysctl: Drop reference added by grab_header in proc_sys_readdir 2017-01-26 17:40:44 +01:00
pstore pstore/ram: Use memcpy_fromio() to save old buffer 2016-10-28 20:15:52 +02:00
qnx4 [readdir] convert qnx4 2013-06-29 12:56:38 +04:00
qnx6 [readdir] convert qnx6 2013-06-29 12:56:39 +04:00
quota quota: Properly return errors from dquot_writeback_dquots() 2014-11-13 19:02:59 +01:00
ramfs initmpfs: move rootfs code from fs/ramfs/ to init/ 2013-09-11 15:59:37 -07:00
reiserfs posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
romfs [readdir] convert romfs 2013-06-29 12:56:29 +04:00
squashfs Squashfs: add corruption check for type in squashfs_readdir() 2013-09-06 04:57:54 +01:00
sysfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-09-07 14:36:57 -07:00
sysv fix sysvfs symlinks 2016-02-15 17:07:51 +01:00
ubifs ubifs: Fix journal replay wrt. xattr nodes 2017-01-26 17:41:04 +01:00
udf udf: Check output buffer length when converting name to CS0 2016-02-24 10:29:52 +01:00
ufs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
xfs xfs: clear _XBF_PAGES from buffers when readahead page 2017-04-07 10:38:27 +02:00
aio.c AIO: properly check iovec sizes 2016-02-24 10:23:18 +01:00
anon_inodes.c take anon inode allocation to libfs.c 2013-12-08 07:29:16 -08:00
attr.c fs,userns: Change inode_capable to capable_wrt_inode_uidgid 2014-06-20 17:34:15 +02:00
bad_inode.c [readdir] ->readdir() is gone 2013-06-29 12:57:04 +04:00
binfmt_aout.c mm: remove free_area_cache 2013-07-10 18:11:34 -07:00
binfmt_elf_fdpic.c
binfmt_elf.c binfmt_elf: Don't clobber passed executable's file header 2016-02-24 09:45:14 +01:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c bio-integrity: add "bip_max_vcnt" into struct bio_integrity_payload 2014-09-02 11:41:56 +02:00
bio.c bio: return EINTR if copying to user space got interrupted 2016-03-04 09:48:15 +01:00
block_dev.c block: protect iterate_bdevs() against concurrent close 2017-01-26 17:39:03 +01:00
buffer.c vfs: fix data corruption when blocksize < pagesize for mmaped data 2014-11-13 19:02:11 +01:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c compat.c: LOOP_CLR_FD is taken care of in loop.c itself... 2013-06-29 12:46:44 +04:00
compat.c fs: namespace: suppress 'may be used uninitialized' warnings 2015-06-23 19:22:28 +02:00
coredump.c coredump: fix unfreezable coredumping task 2016-11-24 16:23:42 +01:00
coredump.h
dcache.c move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) 2017-01-27 17:14:59 +01:00
dcookies.c fs/compat: fix lookup_dcookie() parameter handling 2014-02-13 13:50:14 -08:00
direct-io.c direct-io: Use return from cmpxchg to decide of assignment happened 2013-09-09 10:47:42 -07:00
drop_caches.c shrinker: add node awareness 2013-09-10 18:56:31 -04:00
eventfd.c
eventpoll.c eventpoll: fix uninitialized variable in epoll_ctl 2014-10-13 15:41:28 +02:00
exec.c fs: exec: apply CLOEXEC before changing dumpable task flags 2017-01-26 17:38:43 +01:00
fcntl.c vfs: add missing check for __O_TMPFILE in fcntl_init() 2013-08-05 18:25:32 +04:00
fhandle.c fs/coredump: prevent fsuid=0 dumps into user-controlled directories 2016-04-11 16:44:20 +02:00
file_table.c get rid of s_files and files_lock 2015-07-30 13:21:27 +02:00
file.c fs/file.c:fdtable: avoid triggering OOMs from alloc_fdmem 2014-02-22 13:32:24 -08:00
filesystems.c
fs_struct.c
fs-writeback.c writeback: fix a subtle race condition in I_DIRTY clearing 2015-01-26 14:38:59 +01:00
generic_acl.c tmpfs: clear S_ISGID when setting posix ACLs 2017-01-27 17:15:02 +01:00
inode.c fs: Fix S_NOSEC handling 2015-07-30 14:10:43 +02:00
internal.h get rid of s_files and files_lock 2015-07-30 13:21:27 +02:00
ioctl.c
ioprio.c block: fix use-after-free in sys_ioprio_get() 2017-01-27 17:14:56 +01:00
Kconfig
Kconfig.binfmt
libfs.c move d_rcu from overlapping d_child to overlapping d_alias 2015-01-29 15:45:16 +01:00
locks.c locks: fix unlock when fcntl_setlk races with a close 2016-03-03 13:19:34 +01:00
Makefile
mbcache.c fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
mount.h vfs: Is mounted should be testing mnt_ns for NULL or error. 2014-02-06 11:22:19 -08:00
mpage.c
namei.c do_last(): don't let a bogus return value from ->open() et.al. to confuse us 2016-03-03 12:46:07 +01:00
namespace.c mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers. 2016-04-23 09:24:42 +02:00
no-block.c
open.c fs/coredump: prevent fsuid=0 dumps into user-controlled directories 2016-04-11 16:44:20 +02:00
pipe.c fs/pipe.c: skip file_update_time on frozen fs 2016-04-23 09:24:41 +02:00
pnode.c mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers. 2016-04-23 09:24:42 +02:00
pnode.h vfs: Don't copy mount bind mounts of /proc/<pid>/ns/mnt between namespaces 2013-08-26 18:42:15 -07:00
posix_acl.c posix_acl: Clear SGID bit when setting file permissions 2017-01-27 11:15:59 +01:00
proc_namespace.c
read_write.c fs/compat: fix parameter handling for compat readv/writev syscalls 2014-02-13 13:50:14 -08:00
readdir.c [readdir] constify ->actor 2013-06-29 12:57:05 +04:00
select.c Revert "select: use freezable blocking call" 2013-10-30 15:28:35 +01:00
seq_file.c fs/seq_file: fix out-of-bounds read 2016-09-21 13:40:10 +02:00
signalfd.c signalfd: fix information leak in signalfd_copyinfo 2015-08-25 16:57:02 +02:00
splice.c vfs: fix uninitialized flags in splice_to_pipe() 2017-03-01 10:38:13 +01:00
stack.c
stat.c vfs: split out vfs_getattr_nosec 2013-12-20 07:49:06 -08:00
statfs.c vfs: allow O_PATH file descriptors for fstatfs() 2013-10-12 13:12:31 -07:00
super.c fs/super.c: fix race between freeze_super() and thaw_super() 2016-11-08 16:38:13 +01:00
sync.c fix O_SYNC|O_APPEND syncing the wrong range on write() 2014-12-03 11:58:41 +01:00
timerfd.c
utimes.c
xattr_acl.c
xattr.c