[CVE-2017-7895][T][PATCH 2/4] svcrdma: Do not add XDR padding to xdr_buf page vector
Po-Hsu Lin
po-hsu.lin at canonical.com
Tue Jun 27 12:16:34 UTC 2017
From: Chuck Lever <chuck.lever at oracle.com>
CVE-2017-7895
An xdr_buf has a head, a vector of pages, and a tail. Each
RPC request is presented to the NFS server contained in an
xdr_buf.
The RDMA transport would like to supply the NFS server with only
the NFS WRITE payload bytes in the page vector. In some common
cases, that would allow the NFS server to swap those pages right
into the target file's page cache.
Have the transport's RDMA Read logic put XDR pad bytes in the tail
iovec, and not in the pages that hold the data payload.
The NFSv3 WRITE XDR decoder is finicky about the lengths involved,
so make sure it is looking in the correct places when computing
the total length of the incoming NFS WRITE request.
Signed-off-by: Chuck Lever <chuck.lever at oracle.com>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
(backported from commit 6625d0913771df5f12b9531c8cb8414e55f1c21d)
Just pick the change for nfs3xdr.c
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
fs/nfsd/nfs3xdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index ea0a07a..e848abd 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -384,7 +384,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
*/
hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
- - hdr;
+ + rqstp->rq_arg.tail[0].iov_len - hdr;
/*
* Round the length of the data which was specified up to
* the next multiple of XDR units and then compare that
--
1.7.9.5
More information about the kernel-team
mailing list