[linux] 01/03: nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Apr 29 20:30:24 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 0e77dea5fcd7992040bc37157b1f106b3007a516
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Apr 29 21:51:31 2017 +0200
nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
---
debian/changelog | 1 +
...sd-check-for-oversized-NFSv2-v3-arguments.patch | 104 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 106 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index dde1a0b..bd90487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -373,6 +373,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
* ping: implement proper locking (CVE-2017-2671)
* macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
* macsec: dynamically allocate space for sglist
+ * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
[ Aurelien Jarno ]
* [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
new file mode 100644
index 0000000..1c12edf
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
@@ -0,0 +1,104 @@
+From: "J. Bruce Fields" <bfields at redhat.com>
+Date: Fri, 21 Apr 2017 16:10:18 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply. This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE). But a client that sends an incorrectly long reply
+can violate those assumptions. This was observed to cause crashes.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+So, following a suggestion from Neil Brown, add a central check to
+enforce our expectation that no NFSv2/v3 call has both a large call and
+a large reply.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+We may also consider rejecting calls that have any extra garbage
+appended. That would be safer, and within our rights by spec, but given
+the age of our server and the NFS protocol, and the fact that we've
+never enforced this before, we may need to balance that against the
+possibility of breaking some oddball client.
+
+Reported-by: Tuomas Haanpää <thaan at synopsys.com>
+Reported-by: Ari Kauppi <ari at synopsys.com>
+Cc: stable at vger.kernel.org
+Reviewed-by: NeilBrown <neilb at suse.com>
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+---
+ fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
+index 31e1f95..59979f0 100644
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -747,6 +747,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
+ return nfserr;
+ }
+
++/*
++ * A write procedure can have a large argument, and a read procedure can
++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
++ * reply that can both be larger than a page. The xdr code has taken
++ * advantage of this assumption to be a sloppy about bounds checking in
++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
++ * problem, we enforce these assumptions here:
++ */
++static bool nfs_request_too_big(struct svc_rqst *rqstp,
++ struct svc_procedure *proc)
++{
++ /*
++ * The ACL code has more careful bounds-checking and is not
++ * susceptible to this problem:
++ */
++ if (rqstp->rq_prog != NFS_PROGRAM)
++ return false;
++ /*
++ * Ditto NFSv4 (which can in theory have argument and reply both
++ * more than a page):
++ */
++ if (rqstp->rq_vers >= 4)
++ return false;
++ /* The reply will be small, we're OK: */
++ if (proc->pc_xdrressize > 0 &&
++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
++ return false;
++
++ return rqstp->rq_arg.len > PAGE_SIZE;
++}
++
+ int
+ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
+ {
+@@ -759,6 +790,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
+ rqstp->rq_vers, rqstp->rq_proc);
+ proc = rqstp->rq_procinfo;
+
++ if (nfs_request_too_big(rqstp, proc)) {
++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
++ *statp = rpc_garbage_args;
++ return 1;
++ }
+ /*
+ * Give the xdr decoder a chance to change this if it wants
+ * (necessary in the NFSv4.0 compound case)
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 4ec0541..811525b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -110,6 +110,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/ping-implement-proper-locking.patch
bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
+bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list