From patchwork Tue Sep 17 16:15:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chuck Lever <cel@kernel.org>
X-Patchwork-Id: 13806315
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4045717DFF3
	for <linux-nfs@vger.kernel.org>; Tue, 17 Sep 2024 16:15:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1726589725; cv=none;
 b=FZBS7xzmSLQTsXEGLurVcpeosYDn/9d8W5dDgPmZJ1ib7B95XP5avXtvBCmrQP2LSn986miKtZKnOLE/ROl19fPDH+csWchShZP4RXX1dXyYCH7XNm2MzXRKJwRDY+p1FbmLYRlkbJnZEpLMWN3qXot2qFdurj15mDvJzcgzGZU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1726589725; c=relaxed/simple;
	bh=RCBJeCfu8TUY3qa0vitq8eMplZ8sXuNIQbJ3eBBRoKs=;
	h=Subject:From:To:Cc:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=AxDYWVdvur6rL2TKrUuaX5ACgceiyi7Fgl7/pCtbZMJZRECl2BJRRfvKi2I/JXuW6d4FjU+vIzL7jdj0YJO41hDpWGrwi804hZT1827GqCWqQnup944bKyDksXnTCbxM4I0H69nYv7YBTIaK7NPrqfrMkiDS0SLwyf+O4kVykZk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=V7sM2E/7; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="V7sM2E/7"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 59D2EC4CEC5;
	Tue, 17 Sep 2024 16:15:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1726589724;
	bh=RCBJeCfu8TUY3qa0vitq8eMplZ8sXuNIQbJ3eBBRoKs=;
	h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
	b=V7sM2E/7NM99uZnLTt8ZuTBK1tK4ln0Z+4rj+sUDPLCHy3M7hXJ3tOY3yQtARIhGr
	 tW89mqWH4FHD3jWWuEesjGSSswKjSLjo6yOY3f/ro15ZekPA2B3miQ3+oF/o0WN6UQ
	 627RVqGH4YtJ/7lS4Xf6eM/f+pG/1muyZnPsGPSZYS9NS1vnNaKdRsOFPeYf89KO+J
	 tqzoaCLlV1JwIPyde59xX/tlhpFnjdowg45SizZisIjmZlOUp1X7umX7UhJshmNFMA
	 cMqjesrWGsmhGZdNRfmoS1CHnRRn/K8B7qSR7UROOH2KTMaFipwvzqBdZ3mayLkoTe
	 hXOZ35p7O16TA==
Subject: [PATCH 1/2] NFSD: Prevent a potential integer overflow
From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org
Cc: dan.carpenter@linaro.org
Date: Tue, 17 Sep 2024 12:15:23 -0400
Message-ID: 
 <172658972371.2454.15715383792386404543.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
In-Reply-To: 
 <172658941960.2454.16533800561565430909.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
References: 
 <172658941960.2454.16533800561565430909.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
User-Agent: StGit/1.5
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Chuck Lever <chuck.lever@oracle.com>

If the tag length is >= U32_MAX - 3 then the "length + 4" addition
can result in an integer overflow. Address this by splitting the
decoding into several steps so that decode_cb_compound4res() does
not have to perform arithmetic on the unsafe length value.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 fs/nfsd/nfs4callback.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 43b8320c8255..dffb8fea3a31 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -311,17 +311,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr,
 	u32 length;
 	__be32 *p;
 
-	p = xdr_inline_decode(xdr, 4 + 4);
+	p = xdr_inline_decode(xdr, XDR_UNIT);
 	if (unlikely(p == NULL))
 		goto out_overflow;
-	hdr->status = be32_to_cpup(p++);
+	hdr->status = be32_to_cpup(p);
 	/* Ignore the tag */
-	length = be32_to_cpup(p++);
-	p = xdr_inline_decode(xdr, length + 4);
-	if (unlikely(p == NULL))
+	if (xdr_stream_decode_u32(xdr, &length) < 0)
+		goto out_overflow;
+	if (xdr_inline_decode(xdr, length) == NULL)
+		goto out_overflow;
+	if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0)
 		goto out_overflow;
-	p += XDR_QUADLEN(length);
-	hdr->nops = be32_to_cpup(p);
 	return 0;
 out_overflow:
 	return -EIO;

From patchwork Tue Sep 17 16:15:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chuck Lever <cel@kernel.org>
X-Patchwork-Id: 13806316
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A255A17839C
	for <linux-nfs@vger.kernel.org>; Tue, 17 Sep 2024 16:15:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1726589731; cv=none;
 b=Vc2iXFScAXYTDz6iXYLyDK/tCE9eVVVh/LMGcgzxcJdVerclYFeAA+pZTxZp+E159/1cXLyv68gfPJ2HvYEVaUgtJo96Rgx0MG0lI0SGD9izA+/XjRdYqo4oQ8OxVdwYMapu4LsUiDX/A1oNrBMumKeKLIiLWmru6M+NH4i9O+c=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1726589731; c=relaxed/simple;
	bh=wEHddu2w4/1Sq3ne8+XDN7KJUqNCQB7tF0sOsXQNCiI=;
	h=Subject:From:To:Cc:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=ddLgOtjs8Rp/Xasiir8U0u0pcuIg7p7AoNhaPYxnlFZCzu7b1Ye6Dg/nZsq7vPJj4ffhAa+iYa5ENn5TWI96XLKKEcwnv8lzT7RGR3azKfzIWf2n21EKFw1/p9apgVZgrrE71OUFcRvCTnNuzInOEl+Ml7XbBtFG5fRlY4NmogE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=mJV5ldJB; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="mJV5ldJB"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 278AFC4CEC5;
	Tue, 17 Sep 2024 16:15:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1726589730;
	bh=wEHddu2w4/1Sq3ne8+XDN7KJUqNCQB7tF0sOsXQNCiI=;
	h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
	b=mJV5ldJBi9OXYiTIYD1O70sIj/64pe7unr+5qfZ/AaZaKlF2tx3qPSuQjgJcET+bj
	 jPZMb/fBTC/vfz6QcMx9gj+Mxu9hjrfZgG3yOSumjEn+FahVALx7yt+9RJhM1I68Zc
	 nhQcqNEvdaMwET0c9jcHj6WtbGEzyHIojoYzRjlbodQvKDF/Z+n2QATk5dxAwZq8h8
	 Kq5iLBeyg1tdLKBx70trCMKQ733F3rDNAGGcpJDRLAOzQjPsva9FY7+sYo+mRisHHG
	 R7Ak+ZpnbK7BkNRKofzYFFjse7ialn+poyWyEANI4ALMckOsmxSCC+hGaYVju2CyqK
	 joUd0t9MuLxtg==
Subject: [PATCH 2/2] svcrdma: Address an integer overflow
From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org
Cc: dan.carpenter@linaro.org
Date: Tue, 17 Sep 2024 12:15:29 -0400
Message-ID: 
 <172658972948.2454.1618005255141213668.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
In-Reply-To: 
 <172658941960.2454.16533800561565430909.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
References: 
 <172658941960.2454.16533800561565430909.stgit@oracle-102.chuck.lever.oracle.com.nfsv4.dev>
User-Agent: StGit/1.5
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

From: Chuck Lever <chuck.lever@oracle.com>

Dan Carpenter reports:
> Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data
> structure") from Jun 22, 2020 (linux-next), leads to the following
> Smatch static checker warning:
>
> 	net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()
> 	warn: potential user controlled sizeof overflow 'segcount * 4 * 4'
>
> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
>    488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
>    489 {
>    490         u32 segcount;
>    491         __be32 *p;
>    492
>    493         if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
>                                                              ^^^^^^^^
>
>    494                 return false;
>    495
>    496         /* A bogus segcount causes this buffer overflow check to fail. */
>    497         p = xdr_inline_decode(&rctxt->rc_stream,
> --> 498                               segcount * rpcrdma_segment_maxsz * sizeof(*p));
>
>
> segcount is an untrusted u32.  On 32bit systems anything >= SIZE_MAX / 16 will
> have an integer overflow and some those values will be accepted by
> xdr_inline_decode().

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data structure")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
index d72953f29258..037c037fab88 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
@@ -493,7 +493,13 @@ static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
 	if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
 		return false;
 
-	/* A bogus segcount causes this buffer overflow check to fail. */
+	/* Before trusting the segcount value enough to perform
+	 * computation with it, perform a simple range check. This
+	 * is an arbitrary but sensible limit (ie, not architectural).
+	 */
+	if (unlikely(segcount > RPCSVC_MAXPAGES))
+		return false;
+
 	p = xdr_inline_decode(&rctxt->rc_stream,
 			      segcount * rpcrdma_segment_maxsz * sizeof(*p));
 	return p != NULL;