From patchwork Tue May 9 13:31:21 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin King X-Patchwork-Id: 9717903 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2498860236 for ; Tue, 9 May 2017 13:31:29 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 114D928409 for ; Tue, 9 May 2017 13:31:29 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 04C4C28415; Tue, 9 May 2017 13:31:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 46BA628409 for ; Tue, 9 May 2017 13:31:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753030AbdEINb0 (ORCPT ); Tue, 9 May 2017 09:31:26 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:50517 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751100AbdEINb0 (ORCPT ); Tue, 9 May 2017 09:31:26 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1d85EY-0001Qi-4d; Tue, 09 May 2017 13:31:22 +0000 From: Colin King To: Ari Kauppi , "J . Bruce Fields" , Jeff Layton , linux-nfs@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] nfsd: avoid out of bounds read on array nfsd4_layout_ops Date: Tue, 9 May 2017 14:31:21 +0100 Message-Id: <20170509133121.26529-1-colin.king@canonical.com> X-Mailer: git-send-email 2.11.0 MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Colin Ian King Array nfsd4_layout_ops has LAYOUT_TYPE_MAX elements (which is currently just 6), so check for this upper bound rather than the hard coded upper bound of 32 to avoid an out of bounds read on array nfsd4_layout_ops. Detected by CoverityScan, CID#1433518 ("Out-of-bounds read") Fixes: e79104c9bd2d26 ("nfsd: fix undefined behavior in nfsd4_layout_verify") Signed-off-by: Colin Ian King Reviewed-by: Christoph Hellwig --- fs/nfsd/nfs4proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 1dbf62190bee..c453a1998e00 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1259,7 +1259,8 @@ nfsd4_layout_verify(struct svc_export *exp, unsigned int layout_type) return NULL; } - if (layout_type >= 32 || !(exp->ex_layout_types & (1 << layout_type))) { + if (layout_type >= LAYOUT_TYPE_MAX || + !(exp->ex_layout_types & (1 << layout_type))) { dprintk("%s: layout type %d not supported\n", __func__, layout_type); return NULL;