nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
This commit is contained in:
Salvatore Bonaccorso
parent
7961205000
commit
7ba1afb386
|
|
@ -375,6 +375,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
|
|||
* macsec: dynamically allocate space for sglist
|
||||
* nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
|
||||
* nfsd4: minor NFSv2/v3 write decoding cleanup
|
||||
* nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
|
||||
|
|
|
|||
63
debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
vendored
Normal file
63
debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
vendored
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
From: "J. Bruce Fields" <bfields@redhat.com>
|
||||
Date: Fri, 21 Apr 2017 15:26:30 -0400
|
||||
Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
|
||||
|
||||
The NFSv2/v3 code does not systematically check whether we decode past
|
||||
the end of the buffer. This generally appears to be harmless, but there
|
||||
are a few places where we do arithmetic on the pointers involved and
|
||||
don't account for the possibility that a length could be negative. Add
|
||||
checks to catch these.
|
||||
|
||||
Reported-by: Tuomas Haanpää <thaan@synopsys.com>
|
||||
Reported-by: Ari Kauppi <ari@synopsys.com>
|
||||
Reviewed-by: NeilBrown <neilb@suse.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfs3xdr.c | 4 ++++
|
||||
fs/nfsd/nfsxdr.c | 2 ++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
|
||||
index d18cfdd..4523346 100644
|
||||
--- a/fs/nfsd/nfs3xdr.c
|
||||
+++ b/fs/nfsd/nfs3xdr.c
|
||||
@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
args->count = ntohl(*p++);
|
||||
args->stable = ntohl(*p++);
|
||||
len = args->len = ntohl(*p++);
|
||||
+ if ((void *)p > head->iov_base + head->iov_len)
|
||||
+ return 0;
|
||||
/*
|
||||
* The count must equal the amount of data passed.
|
||||
*/
|
||||
@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
/* first copy and check from the first page */
|
||||
old = (char*)p;
|
||||
vec = &rqstp->rq_arg.head[0];
|
||||
+ if ((void *)old > vec->iov_base + vec->iov_len)
|
||||
+ return 0;
|
||||
avail = vec->iov_len - (old - (char*)vec->iov_base);
|
||||
while (len && avail && *old) {
|
||||
*new++ = *old++;
|
||||
diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
|
||||
index 59bd88a..de07ff6 100644
|
||||
--- a/fs/nfsd/nfsxdr.c
|
||||
+++ b/fs/nfsd/nfsxdr.c
|
||||
@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* bytes.
|
||||
*/
|
||||
hdr = (void*)p - head->iov_base;
|
||||
+ if (hdr > head->iov_len)
|
||||
+ return 0;
|
||||
dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
|
||||
|
||||
/*
|
||||
--
|
||||
2.1.4
|
||||
|
||||
|
|
@ -112,6 +112,7 @@ bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
|
|||
bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
|
||||
bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
|
||||
bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue