From fe077124469b84dcd884cef5d0cfec5414351b06 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 17 Oct 2018 14:31:30 +0200 Subject: nfsd: CVE-2017-7895 nfsd: stricter decoding of write-like NFSv2/v3 ops References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=5afff19d82af4e4ed66ce0320cd2f17053b78b25 Change-Id: Ibb3edd844b678bcb4c3dd115af77e77b0aa4eda9 Signed-off-by: Andreas Wellving --- patches/cve/4.1.x.scc | 1 + ...icter-decoding-of-write-like-NFSv2-v3-ops.patch | 65 ++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 5722514..4741fca 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc @@ -6,3 +6,4 @@ patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch #fixed in 4.1.40 patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch patch CVE-2017-7618-crypto-ahash-Fix-EINPROGRESS-notification-callback.patch +patch CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch diff --git a/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch new file mode 100644 index 0000000..2ecf279 --- /dev/null +++ b/patches/cve/CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch @@ -0,0 +1,65 @@ +Date: Wed, 17 Oct 2018 10:55:24 +0200 +Subject: [PATCH] nfsd: stricter decoding of write-like NFSv2/v3 ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 ] + +The NFSv2/v3 code does not systematically check whether we decode past +the end of the buffer. This generally appears to be harmless, but there +are a few places where we do arithmetic on the pointers involved and +don't account for the possibility that a length could be negative. Add +checks to catch these. + +CVE: CVE-2017-7895 +Upstream-Status: Backport + +Reported-by: Tuomas Haanpää +Reported-by: Ari Kauppi +Reviewed-by: NeilBrown +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Andreas Wellving +--- + fs/nfsd/nfs3xdr.c | 4 ++++ + fs/nfsd/nfsxdr.c | 2 ++ + 2 file changed, 6 insertions(+) + +diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c +index 9cbcf53..ea21387 100644 +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -368,6 +368,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, + args->count = ntohl(*p++); + args->stable = ntohl(*p++); + len = args->len = ntohl(*p++); ++ if ((void *)p > head->iov_base + head->iov_len) ++ return 0; + /* + * The count must equal the amount of data passed. + */ +@@ -471,6 +473,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p, + /* first copy and check from the first page */ + old = (char*)p; + vec = &rqstp->rq_arg.head[0]; ++ if ((void *)old > vec->iov_base + vec->iov_len) ++ return 0; + avail = vec->iov_len - (old - (char*)vec->iov_base); + while (len && avail && *old) { + *new++ = *old++; +diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c +index 79d964a..74d3e76 100644 +--- a/fs/nfsd/nfsxdr.c ++++ b/fs/nfsd/nfsxdr.c +@@ -301,6 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, + * bytes. + */ + hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; ++ if (hdr > rqstp->rq_arg.head[0].iov_len) ++ return 0; + dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len + - hdr; + +-- -- cgit v1.2.3-54-g00ecf