From patchwork Sat Dec 8 14:30:18 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Wegener X-Patchwork-Id: 1852541 Return-Path: X-Original-To: patchwork-linux-nfs@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork1.kernel.org (Postfix) with ESMTP id 442403FC64 for ; Sat, 8 Dec 2012 14:36:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933190Ab2LHOgv (ORCPT ); Sat, 8 Dec 2012 09:36:51 -0500 Received: from smtp1.stealer.net ([88.198.224.204]:46644 "EHLO smtp1.stealer.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753068Ab2LHOgv (ORCPT ); Sat, 8 Dec 2012 09:36:51 -0500 X-Greylist: delayed 389 seconds by postgrey-1.27 at vger.kernel.org; Sat, 08 Dec 2012 09:36:50 EST Received: from titan.stealer.net ([88.198.224.206]:46763 helo=titan.int.lan.stealer.net) by smtp1.stealer.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) id 1ThLQ3-00059L-QT from sender sven.wegener@stealer.net; Sat, 08 Dec 2012 14:30:20 +0000 Received: from sven (helo=localhost) by titan.int.lan.stealer.net with local-esmtp (Exim 4.80.1) (envelope-from ) id 1ThLQ2-0002Ut-Jm; Sat, 08 Dec 2012 14:30:18 +0000 Date: Sat, 8 Dec 2012 15:30:18 +0100 (CET) From: Sven Wegener To: Trond Myklebust cc: linux-nfs@vger.kernel.org Subject: [PATCH] NFSv4: Check for buffer length in __nfs4_get_acl_uncached Message-ID: User-Agent: Alpine 2.02 (LNX 1266 2009-07-14) Organization: STEALER.net MIME-Version: 1.0 X-Spam-Score: -1.1 X-Spam-Bar: - X-Spam-Report: Scanned by SpamAssassin 3.3.2 2011-06-06 on smtp1.stealer.net at Sat, 08 Dec 2012 14:30:20 +0000 Bayes: 0.0051 Tokens: new, 196; hammy, 5; neutral, 2; spammy, 0. AutoLearn: no * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0051] * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS X-Spam-Signature: 39520a0a12cf6bbc9c1c588e75f745ece39d132c X-DomainKey-Status: none Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached" accidently dropped the checking for too small result buffer length. If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount supporting ACLs, the ACL has not been cached and the buffer suplied is too short, we still copy the complete ACL, resulting in kernel and user space memory corruption. Signed-off-by: Sven Wegener Cc: stable@kernel.org --- fs/nfs/nfs4proc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 7bff871..f15be6b 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -3831,8 +3831,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu goto out_free; } nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len); - if (buf) + if (buf) { + if (res.acl_len > buflen) { + ret = -ERANGE; + goto out_free; + } _copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len); + } out_ok: ret = res.acl_len; out_free: