Revision - e6838a2 - nfsd: check for oversized NFSv2/v3 arguments

Revision e6838a29ecb484c97e4efef9429643b9851fba6e authored by J. Bruce Fields on 21 April 2017, 20:10:18 UTC, committed by J. Bruce Fields on 25 April 2017, 20:34:37 UTC

nfsd: check for oversized NFSv2/v3 arguments

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

1 parent 5a7ad11

Files
Changes

Permalinks

btmrvl.txt

=======================================================================
		README for btmrvl driver
=======================================================================


All commands are used via debugfs interface.

=====================
Set/get driver configurations:

Path:	/debug/btmrvl/config/

gpiogap=[n]
hscfgcmd
	These commands are used to configure the host sleep parameters.
	bit 8:0  -- Gap
	bit 16:8 -- GPIO

	where GPIO is the pin number of GPIO used to wake up the host.
	It could be any valid GPIO pin# (e.g. 0-7) or 0xff (SDIO interface
	wakeup will be used instead).

	where Gap is the gap in milli seconds between wakeup signal and
	wakeup event, or 0xff for special host sleep setting.

	Usage:
		# Use SDIO interface to wake up the host and set GAP to 0x80:
		echo 0xff80 > /debug/btmrvl/config/gpiogap
		echo 1 > /debug/btmrvl/config/hscfgcmd

		# Use GPIO pin #3 to wake up the host and set GAP to 0xff:
		echo 0x03ff >  /debug/btmrvl/config/gpiogap
		echo 1 > /debug/btmrvl/config/hscfgcmd

psmode=[n]
pscmd
	These commands are used to enable/disable auto sleep mode

	where the option is:
			1 	-- Enable auto sleep mode
			0 	-- Disable auto sleep mode

	Usage:
		# Enable auto sleep mode
		echo 1 > /debug/btmrvl/config/psmode
		echo 1 > /debug/btmrvl/config/pscmd

		# Disable auto sleep mode
		echo 0 > /debug/btmrvl/config/psmode
		echo 1 > /debug/btmrvl/config/pscmd


hsmode=[n]
hscmd
	These commands are used to enable host sleep or wake up firmware

	where the option is:
			1	-- Enable host sleep
			0	-- Wake up firmware

	Usage:
		# Enable host sleep
		echo 1 > /debug/btmrvl/config/hsmode
		echo 1 > /debug/btmrvl/config/hscmd

		# Wake up firmware
		echo 0 > /debug/btmrvl/config/hsmode
		echo 1 > /debug/btmrvl/config/hscmd


======================
Get driver status:

Path:	/debug/btmrvl/status/

Usage:
	cat /debug/btmrvl/status/<args>

where the args are:

curpsmode
	This command displays current auto sleep status.

psstate
	This command display the power save state.

hsstate
	This command display the host sleep state.

txdnldrdy
	This command displays the value of Tx download ready flag.


=====================

Use hcitool to issue raw hci command, refer to hcitool manual

	Usage: Hcitool cmd <ogf> <ocf> [Parameters]

	Interface Control Command
	hcitool cmd 0x3f 0x5b 0xf5 0x01 0x00    --Enable All interface
	hcitool cmd 0x3f 0x5b 0xf5 0x01 0x01    --Enable Wlan interface
	hcitool cmd 0x3f 0x5b 0xf5 0x01 0x02    --Enable BT interface
	hcitool cmd 0x3f 0x5b 0xf5 0x00 0x00    --Disable All interface
	hcitool cmd 0x3f 0x5b 0xf5 0x00 0x01    --Disable Wlan interface
	hcitool cmd 0x3f 0x5b 0xf5 0x00 0x02    --Disable BT interface

=======================================================================


SD8688 firmware:

/lib/firmware/sd8688_helper.bin
/lib/firmware/sd8688.bin


The images can be downloaded from:

git.infradead.org/users/dwmw2/linux-firmware.git/libertas/

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...