diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 14:31:30 +0200 |
---|---|---|
committer | Andreas Wellving <Andreas.Wellving@enea.com> | 2018-10-17 17:05:58 +0200 |
commit | fe077124469b84dcd884cef5d0cfec5414351b06 (patch) | |
tree | ea65dd87d596d979846e46ee61ebb14c591c16eb | |
parent | 5004d0b1d0556e1da7a4adcafcaf3a583c83b1de (diff) | |
download | enea-kernel-cache-fe077124469b84dcd884cef5d0cfec5414351b06.tar.gz |
nfsd: CVE-2017-7895
nfsd: stricter decoding of write-like NFSv2/v3 ops
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=5afff19d82af4e4ed66ce0320cd2f17053b78b25
Change-Id: Ibb3edd844b678bcb4c3dd115af77e77b0aa4eda9
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch | 65 |
2 files changed, 66 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 5722514..4741fca 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc | |||
@@ -6,3 +6,4 @@ patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch | |||
6 | #fixed in 4.1.40 | 6 | #fixed in 4.1.40 |
7 | patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch | 7 | patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch |
8 | patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch | 8 | patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch |
9 | patch CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch | ||
diff --git a/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch new file mode 100644 index 0000000..2ecf279 --- /dev/null +++ b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | Date: Wed, 17 Oct 2018 10:55:24 +0200 | ||
2 | Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops | ||
3 | MIME-Version: 1.0 | ||
4 | Content-Type: text/plain; charset=UTF-8 | ||
5 | Content-Transfer-Encoding: 8bit | ||
6 | |||
7 | [ Upstream commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 ] | ||
8 | |||
9 | The NFSv2/v3 code does not systematically check whether we decode past | ||
10 | the end of the buffer. This generally appears to be harmless, but there | ||
11 | are a few places where we do arithmetic on the pointers involved and | ||
12 | don't account for the possibility that a length could be negative. Add | ||
13 | checks to catch these. | ||
14 | |||
15 | CVE: CVE-2017-7895 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Reported-by: Tuomas Haanpää <thaan@synopsys.com> | ||
19 | Reported-by: Ari Kauppi <ari@synopsys.com> | ||
20 | Reviewed-by: NeilBrown <neilb@suse.com> | ||
21 | Cc: stable@vger.kernel.org | ||
22 | Signed-off-by: J. Bruce Fields <bfields@redhat.com> | ||
23 | Signed-off-by: Sasha Levin <alexander.levin@verizon.com> | ||
24 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
25 | --- | ||
26 | fs/nfsd/nfs3xdr.c | 4 ++++ | ||
27 | fs/nfsd/nfsxdr.c | 2 ++ | ||
28 | 2 file changed, 6 insertions(+) | ||
29 | |||
30 | diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c | ||
31 | index 9cbcf53..ea21387 100644 | ||
32 | --- a/fs/nfsd/nfs3xdr.c | ||
33 | +++ b/fs/nfsd/nfs3xdr.c | ||
34 | @@ -368,6 +368,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, | ||
35 | args->count = ntohl(*p++); | ||
36 | args->stable = ntohl(*p++); | ||
37 | len = args->len = ntohl(*p++); | ||
38 | + if ((void *)p > head->iov_base + head->iov_len) | ||
39 | + return 0; | ||
40 | /* | ||
41 | * The count must equal the amount of data passed. | ||
42 | */ | ||
43 | @@ -471,6 +473,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p, | ||
44 | /* first copy and check from the first page */ | ||
45 | old = (char*)p; | ||
46 | vec = &rqstp->rq_arg.head[0]; | ||
47 | + if ((void *)old > vec->iov_base + vec->iov_len) | ||
48 | + return 0; | ||
49 | avail = vec->iov_len - (old - (char*)vec->iov_base); | ||
50 | while (len && avail && *old) { | ||
51 | *new++ = *old++; | ||
52 | diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c | ||
53 | index 79d964a..74d3e76 100644 | ||
54 | --- a/fs/nfsd/nfsxdr.c | ||
55 | +++ b/fs/nfsd/nfsxdr.c | ||
56 | @@ -301,6 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, | ||
57 | * bytes. | ||
58 | */ | ||
59 | hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; | ||
60 | + if (hdr > rqstp->rq_arg.head[0].iov_len) | ||
61 | + return 0; | ||
62 | dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len | ||
63 | - hdr; | ||
64 | |||
65 | -- | ||