git.maquefel.me Git - linux.git/commit

author	Jeff Layton <jlayton@kernel.org>
	Mon, 1 Aug 2022 19:57:26 +0000 (15:57 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 17 Aug 2022 12:22:47 +0000 (14:22 +0200)
commit	e9ba81ee1cbd4eb54c7b5a7b49ee272bf9bb62cb
tree	1b3b013ba26692987e9aedae68bf3d6644ea64dd	tree \| snapshot
parent	b437275e894b98a87d6f3fd8b58eefc9036b8eb6	commit \| diff

lockd: detect and reject lock arguments that overflow

commit 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde upstream.

lockd doesn't currently vet the start and length in nlm4 requests like
it should, and can end up generating lock requests with arguments that
overflow when passed to the filesystem.

The NLM4 protocol uses unsigned 64-bit arguments for both start and
length, whereas struct file_lock tracks the start and end as loff_t
values. By the time we get around to calling nlm4svc_retrieve_args,
we've lost the information that would allow us to determine if there was
an overflow.

Start tracking the actual start and len for NLM4 requests in the
nlm_lock. In nlm4svc_retrieve_args, vet these values to ensure they
won't cause an overflow, and return NLM4_FBIG if they do.

Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=392
Reported-by: Jan Kasiak <j.kasiak@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org> # 5.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/lockd/svc4proc.c		diff \| blob \| history
fs/lockd/xdr4.c		diff \| blob \| history
include/linux/lockd/xdr.h		diff \| blob \| history