[linux] 03/03: nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Apr 29 20:30:25 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 7ba1afb38679ac245d2f1a48847fb91899fb3fef
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Apr 29 22:02:01 2017 +0200

    nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
---
 debian/changelog                                   |  1 +
 ...icter-decoding-of-write-like-NFSv2-v3-ops.patch | 63 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 870de2c..810140e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -375,6 +375,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
   * macsec: dynamically allocate space for sglist
   * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
   * nfsd4: minor NFSv2/v3 write decoding cleanup
+  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
 
   [ Aurelien Jarno ]
   * [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
new file mode 100644
index 0000000..33415b6
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
@@ -0,0 +1,63 @@
+From: "J. Bruce Fields" <bfields at redhat.com>
+Date: Fri, 21 Apr 2017 15:26:30 -0400
+Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
+
+The NFSv2/v3 code does not systematically check whether we decode past
+the end of the buffer.  This generally appears to be harmless, but there
+are a few places where we do arithmetic on the pointers involved and
+don't account for the possibility that a length could be negative.  Add
+checks to catch these.
+
+Reported-by: Tuomas Haanpää <thaan at synopsys.com>
+Reported-by: Ari Kauppi <ari at synopsys.com>
+Reviewed-by: NeilBrown <neilb at suse.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+---
+ fs/nfsd/nfs3xdr.c | 4 ++++
+ fs/nfsd/nfsxdr.c  | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index d18cfdd..4523346 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 	args->count = ntohl(*p++);
+ 	args->stable = ntohl(*p++);
+ 	len = args->len = ntohl(*p++);
++	if ((void *)p > head->iov_base + head->iov_len)
++		return 0;
+ 	/*
+ 	 * The count must equal the amount of data passed.
+ 	 */
+@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
+ 	/* first copy and check from the first page */
+ 	old = (char*)p;
+ 	vec = &rqstp->rq_arg.head[0];
++	if ((void *)old > vec->iov_base + vec->iov_len)
++		return 0;
+ 	avail = vec->iov_len - (old - (char*)vec->iov_base);
+ 	while (len && avail && *old) {
+ 		*new++ = *old++;
+diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
+index 59bd88a..de07ff6 100644
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 	 * bytes.
+ 	 */
+ 	hdr = (void*)p - head->iov_base;
++	if (hdr > head->iov_len)
++		return 0;
+ 	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+ 
+ 	/*
+-- 
+2.1.4
+
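Review bot: In the nfs3svc_decode_writeargs hunk the new check `if ((void *)p > head->iov_base + head->iov_len)` runs only after `count`, `stable` and `len` have already been read through `p`, so it detects that the decoder ran past `iov_len` rather than preventing those three reads; that is presumably harmless only because the head buffer is page-sized and the earlier oversized-arguments patch in this series bounds the request, and that dependency is worth a comment such as `/* the reads above may pass iov_len but stay inside the page; bail out before len/count are used */`. The same after-the-fact placement applies to the nfssvc_decode_writeargs hunk, where `hdr > head->iov_len` is evaluated from a `p` that has already been advanced. In the nfs3svc_decode_symlinkargs hunk the check additionally keeps `avail` on the following line from going negative, which is the pointer-arithmetic case the patch description names. All three enclosing functions start and end outside the hunk.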
diff --git a/debian/patches/series b/debian/patches/series
index ea8ea0c..a5922a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -112,6 +112,7 @@ bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
 bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
 bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
 bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
+bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch



