From patchwork Tue Jul 26 02:38:11 2016
From: Seiichi Ikarashi
Subject: [PATCH v2] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun
Organization: Fujitsu Limited
Message-ID: <28fb2e47-48ce-1af7-3135-15ca9b4e1726@jp.fujitsu.com>
Date: Tue, 26 Jul 2016 11:38:11 +0900
X-Mailing-List: linux-nfs@vger.kernel.org

If more than RPCSVC_MAXPAGES pages are sent from the file system through pipe_buffer, nfsd_splice_actor() corrupts struct svc_rqst and results in a kernel panic. It actually occurred with a parallel distributed file system. It needs boundary checking.

v2: Fix semicolon-missing bug.

Signed-off-by: Seiichi Ikarashi
---
 fs/nfsd/vfs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 6fbd81e..43393f3 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c
@@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf, size = sd->len; if (rqstp->rq_res.page_len == 0) { + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { + WARN_ON(1); + return -ENOMEM; + } get_page(page); put_page(*rqstp->rq_next_page); *(rqstp->rq_next_page++) = page; rqstp->rq_res.page_base = buf->offset; rqstp->rq_res.page_len = size; } else if (page != pp[-1]) { + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { + WARN_ON(1); + return -ENOMEM; + } get_page(page); if (*rqstp->rq_next_page) put_page(*rqstp->rq_next_page);
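Review bot: The bound check is duplicated verbatim in the `page_len == 0` branch and the `page != pp[-1]` branch; factor it into a small static helper so the two copies cannot drift apart, and write the limit as `rqstp->rq_next_page >= &rqstp->rq_pages[RPCSVC_MAXPAGES]` instead of `> &rqstp->rq_pages[RPCSVC_MAXPAGES-1]`, which is equivalent but reads as an off-by-one at first glance. `WARN_ON(1)` will fire on every subsequent pipe buffer once the array is full, so `WARN_ON_ONCE()` is the better choice, and -ENOMEM is a misleading errno here since nothing failed to allocate (-EIO or -EINVAL describes an overrun better). Placing the check before `get_page(page)` is correct, as no page reference is taken and then leaked on the early return. The commit message should also explain why the splice path can hand nfsd_splice_actor() more than RPCSVC_MAXPAGES buffers for one read, so reviewers can judge whether this guard is the fix or a backstop for a limit the caller should already enforce.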