Revision - e6838a2 - nfsd: check for oversized NFSv2/v3 arguments

Revision e6838a29ecb484c97e4efef9429643b9851fba6e authored by J. Bruce Fields on 21 April 2017, 20:10:18 UTC, committed by J. Bruce Fields on 25 April 2017, 20:34:37 UTC

nfsd: check for oversized NFSv2/v3 arguments

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

1 parent 5a7ad11

Files
Changes

Permalinks

Kconfig

menuconfig SOUND
	tristate "Sound card support"
	depends on HAS_IOMEM
	help
	  If you have a sound card in your computer, i.e. if it can say more
	  than an occasional beep, say Y.  Be sure to have all the information
	  about your sound card and its configuration down (I/O port,
	  interrupt and DMA channel), because you will be asked for it.

	  You want to read the Sound-HOWTO, available from
	  <http://www.tldp.org/docs.html#howto>. General information about
	  the modular sound system is contained in the files
	  <file:Documentation/sound/oss/Introduction>.  The file
	  <file:Documentation/sound/oss/README.OSS> contains some slightly
	  outdated but still useful information as well.  Newer sound
	  driver documentation is found in <file:Documentation/sound/alsa/*>.

	  If you have a PnP sound card and you want to configure it at boot
	  time using the ISA PnP tools (read
	  <http://www.roestock.demon.co.uk/isapnptools/>), then you need to
	  compile the sound card support as a module and load that module
	  after the PnP configuration is finished.  To do this, choose M here
	  and read <file:Documentation/sound/oss/README.modules>; the module
	  will be called soundcore.

if SOUND

config SOUND_OSS_CORE
	bool
	default n

config SOUND_OSS_CORE_PRECLAIM
	bool "Preclaim OSS device numbers"
	depends on SOUND_OSS_CORE
	default y
	help
	  With this option enabled, the kernel will claim all OSS device
	  numbers if any OSS support (native or emulation) is enabled
	  whether the respective module is loaded or not and try to load the
	  appropriate module using sound-slot/service-* and char-major-*
	  module aliases when one of the device numbers is opened.  With
	  this option disabled, kernel will only claim actually in-use
	  device numbers and opening a missing device will generate only the
	  standard char-major-* aliases.

	  The only visible difference is use of additional module aliases
	  and whether OSS sound devices appear multiple times in
	  /proc/devices.  sound-slot/service-* module aliases are scheduled
	  to be removed (ie. PRECLAIM won't be available) and this option is
	  to make the transition easier.  This option can be overridden
	  during boot using the kernel parameter soundcore.preclaim_oss.

	  Disabling this allows alternative OSS implementations.

	  If unsure, say Y.

source "sound/oss/dmasound/Kconfig"

if !M68K && !UML

menuconfig SND
	tristate "Advanced Linux Sound Architecture"
	help
	  Say 'Y' or 'M' to enable ALSA (Advanced Linux Sound Architecture),
	  the new base sound system.

	  For more information, see <http://www.alsa-project.org/>

if SND

source "sound/core/Kconfig"

source "sound/drivers/Kconfig"

source "sound/isa/Kconfig"

source "sound/pci/Kconfig"

source "sound/hda/Kconfig"

source "sound/ppc/Kconfig"

source "sound/aoa/Kconfig"

source "sound/arm/Kconfig"

source "sound/atmel/Kconfig"

source "sound/spi/Kconfig"

source "sound/mips/Kconfig"

source "sound/sh/Kconfig"

# the following will depend on the order of config.
# here assuming USB is defined before ALSA
source "sound/usb/Kconfig"

source "sound/firewire/Kconfig"

# the following will depend on the order of config.
# here assuming PCMCIA is defined before ALSA
source "sound/pcmcia/Kconfig"

source "sound/sparc/Kconfig"

source "sound/parisc/Kconfig"

source "sound/soc/Kconfig"

source "sound/x86/Kconfig"

endif # SND

menuconfig SOUND_PRIME
	tristate "Open Sound System (DEPRECATED)"
	select SOUND_OSS_CORE
	help
	  Say 'Y' or 'M' to enable Open Sound System drivers.

if SOUND_PRIME

source "sound/oss/Kconfig"

endif # SOUND_PRIME

endif # !M68K

endif # SOUND

# AC97_BUS is used from both sound and ucb1400
config AC97_BUS
	tristate
	help
	  This is used to avoid config and link hard dependencies between the
	  sound subsystem and other function drivers completely unrelated to
	  sound although they're sharing the AC97 bus. Concerned drivers
	  should "select" this.

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...