SUNRPC: Fix integer overflow in decode_rc_list()

Message ID	a13af2ba-5f33-4e9c-905c-0e0369daea6c@suswa.mountain (mailing list archive)
State	New
Headers	show Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6280C1922D6 for <linux-nfs@vger.kernel.org>; Thu, 19 Sep 2024 08:50:39 +0000 (UTC) Date: Thu, 19 Sep 2024 11:50:33 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Trond Myklebust <trondmy@kernel.org> Cc: Anna Schumaker <anna@kernel.org>, Benny Halevy <bhalevy@panasas.com>, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] SUNRPC: Fix integer overflow in decode_rc_list() Message-ID: <a13af2ba-5f33-4e9c-905c-0e0369daea6c@suswa.mountain> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
Series	SUNRPC: Fix integer overflow in decode_rc_list() \| expand SUNRPC: Fix integer overflow in decode_rc_list()

Message ID

a13af2ba-5f33-4e9c-905c-0e0369daea6c@suswa.mountain (mailing list archive)

State

New

Headers

Date: Thu, 19 Sep 2024 11:50:33 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Trond Myklebust <trondmy@kernel.org>
Cc: Anna Schumaker <anna@kernel.org>, Benny Halevy <bhalevy@panasas.com>,
	linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH] SUNRPC: Fix integer overflow in decode_rc_list()
Message-ID: <a13af2ba-5f33-4e9c-905c-0e0369daea6c@suswa.mountain>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Series

SUNRPC: Fix integer overflow in decode_rc_list() | expand

Commit Message

Dan Carpenter Sept. 19, 2024, 8:50 a.m. UTC

The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
integer overflow.  Add bounds checking on rc_list->rcl_nrefcalls to fix
that.

Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
From static analysis.

 fs/nfs/callback_xdr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index 6df77f008d3f..fdeb0b34a3d3 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -375,6 +375,8 @@  static __be32 decode_rc_list(struct xdr_stream *xdr,
 
 	rc_list->rcl_nrefcalls = ntohl(*p++);
 	if (rc_list->rcl_nrefcalls) {
+		if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
+			goto out;
 		p = xdr_inline_decode(xdr,
 			     rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
 		if (unlikely(p == NULL))

SUNRPC: Fix integer overflow in decode_rc_list()

Commit Message

Patch