nfsd: CVE-2017-7895

nfsd: stricter decoding of write-like NFSv2/v3 ops References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=5afff19d82af4e4ed66ce0320cd2f17053b78b25 Change-Id: Ibb3edd844b678bcb4c3dd115af77e77b0aa4eda9 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 14:31:30 +0200
committer: Andreas Wellving <Andreas.Wellving@enea.com> 2018-10-17 17:05:58 +0200
commit: fe077124469b84dcd884cef5d0cfec5414351b06 (patch)
tree: ea65dd87d596d979846e46ee61ebb14c591c16eb
parent: 5004d0b1d0556e1da7a4adcafcaf3a583c83b1de (diff)
download: enea-kernel-cache-fe077124469b84dcd884cef5d0cfec5414351b06.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 5722514..4741fca 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -6,3 +6,4 @@ patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch
 #fixed in 4.1.40
 patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
 patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch
+patch CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
diff --git a/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
new file mode 100644
index 0000000..2ecf279
--- /dev/null
+++ b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
@@ -0,0 +1,65 @@
+Date: Wed, 17 Oct 2018 10:55:24 +0200
+Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+[ Upstream commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 ]
+The NFSv2/v3 code does not systematically check whether we decode past
+the end of the buffer.  This generally appears to be harmless, but there
+are a few places where we do arithmetic on the pointers involved and
+don't account for the possibility that a length could be negative.  Add
+checks to catch these.
+CVE: CVE-2017-7895
+Upstream-Status: Backport
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/nfsd/nfs3xdr.c | 4 ++++
+ fs/nfsd/nfsxdr.c | 2 ++
+ 2 file changed, 6 insertions(+)
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index 9cbcf53..ea21387 100644
+--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
+@@ -368,6 +368,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+        args->count = ntohl(*p++);
+        args->stable = ntohl(*p++);
+        len = args->len = ntohl(*p++);
+       if ((void *)p > head->iov_base + head->iov_len)
+               return 0;
+        /*
+         * The count must equal the amount of data passed.
+         */
+@@ -471,6 +473,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
+        /* first copy and check from the first page */
+        old = (char*)p;
+        vec = &rqstp->rq_arg.head[0];
+       if ((void *)old > vec->iov_base + vec->iov_len)
+               return 0;
+        avail = vec->iov_len - (old - (char*)vec->iov_base);
+        while (len && avail && *old) {
+                *new++ = *old++;
+diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
+index 79d964a..74d3e76 100644
+--- a/fs/nfsd/nfsxdr.c
+++ b/fs/nfsd/nfsxdr.c
+@@ -301,6 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+         * bytes.
+         */
+        hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+       if (hdr > rqstp->rq_arg.head[0].iov_len)
+               return 0;
+        dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+                - hdr;
+ 
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 14:31:30 +0200
committer	Andreas Wellving <Andreas.Wellving@enea.com>	2018-10-17 17:05:58 +0200
commit	fe077124469b84dcd884cef5d0cfec5414351b06 (patch)
tree	ea65dd87d596d979846e46ee61ebb14c591c16eb
parent	5004d0b1d0556e1da7a4adcafcaf3a583c83b1de (diff)
download	enea-kernel-cache-fe077124469b84dcd884cef5d0cfec5414351b06.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 5722514..4741fca 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -6,3 +6,4 @@ patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch
6	#fixed in 4.1.40	6	#fixed in 4.1.40
7	patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch	7	patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
8	patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch	8	patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch
		9	patch CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch


diff --git a/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch new file mode 100644 index 0000000..2ecf279 --- /dev/null +++ b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
@@ -0,0 +1,65 @@
		1	Date: Wed, 17 Oct 2018 10:55:24 +0200
		2	Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops
		3	MIME-Version: 1.0
		4	Content-Type: text/plain; charset=UTF-8
		5	Content-Transfer-Encoding: 8bit
		6
		7	[ Upstream commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 ]
		8
		9	The NFSv2/v3 code does not systematically check whether we decode past
		10	the end of the buffer. This generally appears to be harmless, but there
		11	are a few places where we do arithmetic on the pointers involved and
		12	don't account for the possibility that a length could be negative. Add
		13	checks to catch these.
		14
		15	CVE: CVE-2017-7895
		16	Upstream-Status: Backport
		17
		18	Reported-by: Tuomas Haanpää <thaan@synopsys.com>
		19	Reported-by: Ari Kauppi <ari@synopsys.com>
		20	Reviewed-by: NeilBrown <neilb@suse.com>
		21	Cc: stable@vger.kernel.org
		22	Signed-off-by: J. Bruce Fields <bfields@redhat.com>
		23	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
		24	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		25	---
		26	fs/nfsd/nfs3xdr.c \| 4 ++++
		27	fs/nfsd/nfsxdr.c \| 2 ++
		28	2 file changed, 6 insertions(+)
		29
		30	diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
		31	index 9cbcf53..ea21387 100644
		32	--- a/fs/nfsd/nfs3xdr.c
		33	+++ b/fs/nfsd/nfs3xdr.c
		34	@@ -368,6 +368,8 @@ nfs3svc_decode_writeargs(struct svc_rqst rqstp, __be32 p,
		35	args->count = ntohl(*p++);
		36	args->stable = ntohl(*p++);
		37	len = args->len = ntohl(*p++);
		38	+ if ((void *)p > head->iov_base + head->iov_len)
		39	+ return 0;
		40	/*
		41	* The count must equal the amount of data passed.
		42	*/
		43	@@ -471,6 +473,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst rqstp, __be32 p,
		44	/* first copy and check from the first page */
		45	old = (char*)p;
		46	vec = &rqstp->rq_arg.head[0];
		47	+ if ((void *)old > vec->iov_base + vec->iov_len)
		48	+ return 0;
		49	avail = vec->iov_len - (old - (char*)vec->iov_base);
		50	while (len && avail && *old) {
		51	new++ = old++;
		52	diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
		53	index 79d964a..74d3e76 100644
		54	--- a/fs/nfsd/nfsxdr.c
		55	+++ b/fs/nfsd/nfsxdr.c
		56	@@ -301,6 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst rqstp, __be32 p,
		57	* bytes.
		58	*/
		59	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
		60	+ if (hdr > rqstp->rq_arg.head[0].iov_len)
		61	+ return 0;
		62	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
		63	- hdr;
		64
		65	--