
[SRU,J/K/HWE-5.17/OEM-5.14,0/8] CVE-2022-43945 - NFSD buffer overflow

Message ID 20221111134830.879929-1-cascardo@canonical.com
Series CVE-2022-43945 - NFSD buffer overflow

Message

Thadeu Lima de Souza Cascardo Nov. 11, 2022, 1:48 p.m. UTC
[Impact]
A malicious client can cause a buffer overflow on the nfsd server by sending
a crafted RPC message.

[Backport]
For 5.14, 5.15, 5.17 and 5.19, these are all clean cherry-picks. Backports
for older kernel versions are in progress.

[Potential regression]
NFSD servers might misbehave.

Chuck Lever (8):
  SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
  SUNRPC: Fix svcxdr_init_encode's buflen calculation
  NFSD: Protect against send buffer overflow in NFSv2 READDIR
  NFSD: Protect against send buffer overflow in NFSv3 READDIR
  NFSD: Protect against send buffer overflow in NFSv2 READ
  NFSD: Protect against send buffer overflow in NFSv3 READ
  NFSD: Remove "inline" directives on op_rsize_bop helpers
  NFSD: Cap rsize_bop result based on send buffer size

 fs/nfsd/nfs3proc.c         |  11 +--
 fs/nfsd/nfs4proc.c         | 169 ++++++++++++++++++++++---------------
 fs/nfsd/nfsproc.c          |   6 +-
 fs/nfsd/xdr4.h             |   3 +-
 include/linux/sunrpc/svc.h |  19 ++++-
 5 files changed, 125 insertions(+), 83 deletions(-)
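The [Impact] statement and the patch subjects above describe the failure mode (a crafted RPC message drives the server's XDR encoder past the end of its send buffer) and the two-part fix (a correct remaining-space calculation in the encoder, plus READ and READDIR replies capped to what the send buffer can carry). The C program below is an added illustration of that defensive pattern, written for this page; it is not the kernel's SUNRPC or nfsd code, and struct send_stream, the put_* and encode_read_reply functions, the demo_* helpers and the simplified three-word reply layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define XDR_UNIT 4u

/* Minimal XDR-style reply stream. Illustration only: not the kernel's
 * struct xdr_stream, svcxdr_init_encode() or nfsd's READ handlers. */
struct send_stream {
    uint8_t *buf;  /* start of the reply buffer */
    size_t size;   /* total capacity in bytes */
    size_t pos;    /* bytes already encoded */
};

/* Room left, derived from the real write position. Overstating this value
 * means every later bounds check trusts a number larger than the buffer. */
static size_t space_left(const struct send_stream *s) {
    return s->pos >= s->size ? 0 : s->size - s->pos;
}

/* One big-endian 32-bit word, the basic XDR unit. */
static int put_u32(struct send_stream *s, uint32_t v) {
    if (space_left(s) < XDR_UNIT)
        return -1;
    for (int i = 3; i >= 0; i--)
        s->buf[s->pos++] = (uint8_t)(v >> (8 * i));
    return 0;
}

/* XDR opaque: length word, then data padded to a 4-byte boundary. */
static int put_opaque(struct send_stream *s, const uint8_t *data, size_t len) {
    size_t padded;
    if (len > UINT32_MAX || len > SIZE_MAX - XDR_UNIT)
        return -1;
    padded = (len + XDR_UNIT - 1) & ~(size_t)(XDR_UNIT - 1);
    if (space_left(s) < XDR_UNIT + padded)
        return -1;
    put_u32(s, (uint32_t)len);
    memcpy(s->buf + s->pos, data, len);
    memset(s->buf + s->pos + len, 0, padded - len);
    s->pos += padded;
    return 0;
}

/* Simplified READ reply: status word, count word, opaque data. The client's
 * requested count is clamped to what the reply buffer can hold before any
 * data is copied, so a huge count cannot push the encoder past the buffer. */
static int encode_read_reply(struct send_stream *s, const uint8_t *file,
                             size_t file_len, uint64_t offset,
                             uint32_t requested, uint32_t *returned) {
    const size_t hdr = 3 * XDR_UNIT;  /* status + count + opaque length */
    size_t room = space_left(s), cap;
    uint32_t count = requested;
    if (room < hdr)
        return -1;  /* no room even for the header */
    cap = (room - hdr) & ~(size_t)(XDR_UNIT - 1);  /* whole padded units */
    if (count > cap)
        count = (uint32_t)cap;  /* cap to the send buffer first */
    if (offset >= file_len)
        count = 0;  /* read at or past EOF returns no data */
    else if (count > file_len - offset)
        count = (uint32_t)(file_len - offset);
    if (put_u32(s, 0) || put_u32(s, count) ||
        put_opaque(s, count ? file + (size_t)offset : file, count))
        return -1;
    *returned = count;
    return 0;
}

/* Constructed scenario: a 100-byte file served through a reply buffer of
 * bufsize bytes (at most 256). Returns the encoded byte count, or -1. */
static long run_read(size_t bufsize, uint64_t offset, uint32_t requested,
                     size_t *pos_out) {
    uint8_t file[100], reply[256];
    struct send_stream s = { reply, bufsize, 0 };
    uint32_t got; size_t i;
    if (bufsize > sizeof reply)
        return -1;
    for (i = 0; i < sizeof file; i++)
        file[i] = (uint8_t)i;  /* constructed file contents */
    if (encode_read_reply(&s, file, sizeof file, offset, requested, &got))
        return -1;
    if (pos_out)
        *pos_out = s.pos;
    return (long)got;
}

static long demo_read(size_t bufsize, uint64_t offset, uint32_t requested) {
    return run_read(bufsize, offset, requested, NULL);
}

/* Final stream position after the reply, or -1 if encoding was refused. */
static long demo_read_pos(size_t bufsize, uint64_t offset, uint32_t requested) {
    size_t pos = 0;
    return run_read(bufsize, offset, requested, &pos) < 0 ? -1 : (long)pos;
}
```

With a 32-byte reply buffer, demo_read(32, 0, 4096) returns 20: the three header words take 12 bytes and the remaining 20 are handed out as whole 4-byte XDR units, so the stream ends exactly at byte 32 however large the requested count was. A buffer too small even for the header makes the encoder refuse the request rather than write past it, and the buffer cap is applied before the EOF clamp so a request for more than the file holds still cannot exceed the buffer. The remaining-space figure is always derived from the current write position; the series' two SUNRPC patches concern that calculation in the real code, which this simplified stream only hints at.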

Comments

Stefan Bader Nov. 14, 2022, 10 a.m. UTC | #1
On 11.11.22 14:48, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A malicious client can cause a buffer overflow on the nfsd server by sending
> a crafted RPC message.
> 
> [Backport]
> For 5.14, 5.15, 5.17 and 5.19, these are all clean cherry-picks. Backports
> for older kernel versions are in progress.
> 
> [Potential regression]
> NFSD servers might misbehave.
> 
> Chuck Lever (8):
>    SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
>    SUNRPC: Fix svcxdr_init_encode's buflen calculation
>    NFSD: Protect against send buffer overflow in NFSv2 READDIR
>    NFSD: Protect against send buffer overflow in NFSv3 READDIR
>    NFSD: Protect against send buffer overflow in NFSv2 READ
>    NFSD: Protect against send buffer overflow in NFSv3 READ
>    NFSD: Remove "inline" directives on op_rsize_bop helpers
>    NFSD: Cap rsize_bop result based on send buffer size
> 
>   fs/nfsd/nfs3proc.c         |  11 +--
>   fs/nfsd/nfs4proc.c         | 169 ++++++++++++++++++++++---------------
>   fs/nfsd/nfsproc.c          |   6 +-
>   fs/nfsd/xdr4.h             |   3 +-
>   include/linux/sunrpc/svc.h |  19 ++++-
>   5 files changed, 125 insertions(+), 83 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Tim Gardner Nov. 15, 2022, 2:04 p.m. UTC | #2
On 11/11/22 6:48 AM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A malicious client can cause a buffer overflow on the nfsd server by sending
> a crafted RPC message.
> 
> [Backport]
> For 5.14, 5.15, 5.17 and 5.19, these are all clean cherry-picks. Backports
> for older kernel versions are in progress.
> 
> [Potential regression]
> NFSD servers might misbehave.
> 
> Chuck Lever (8):
>    SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
>    SUNRPC: Fix svcxdr_init_encode's buflen calculation
>    NFSD: Protect against send buffer overflow in NFSv2 READDIR
>    NFSD: Protect against send buffer overflow in NFSv3 READDIR
>    NFSD: Protect against send buffer overflow in NFSv2 READ
>    NFSD: Protect against send buffer overflow in NFSv3 READ
>    NFSD: Remove "inline" directives on op_rsize_bop helpers
>    NFSD: Cap rsize_bop result based on send buffer size
> 
>   fs/nfsd/nfs3proc.c         |  11 +--
>   fs/nfsd/nfs4proc.c         | 169 ++++++++++++++++++++++---------------
>   fs/nfsd/nfsproc.c          |   6 +-
>   fs/nfsd/xdr4.h             |   3 +-
>   include/linux/sunrpc/svc.h |  19 ++++-
>   5 files changed, 125 insertions(+), 83 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader Nov. 16, 2022, 9:49 a.m. UTC | #3
On 11.11.22 14:48, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A malicious client can cause a buffer overflow on the nfsd server by sending
> a crafted RPC message.
> 
> [Backport]
> For 5.14, 5.15, 5.17 and 5.19, these are all clean cherry-picks. Backports
> for older kernel versions are in progress.
> 
> [Potential regression]
> NFSD servers might misbehave.
> 
> Chuck Lever (8):
>    SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
>    SUNRPC: Fix svcxdr_init_encode's buflen calculation
>    NFSD: Protect against send buffer overflow in NFSv2 READDIR
>    NFSD: Protect against send buffer overflow in NFSv3 READDIR
>    NFSD: Protect against send buffer overflow in NFSv2 READ
>    NFSD: Protect against send buffer overflow in NFSv3 READ
>    NFSD: Remove "inline" directives on op_rsize_bop helpers
>    NFSD: Cap rsize_bop result based on send buffer size
> 
>   fs/nfsd/nfs3proc.c         |  11 +--
>   fs/nfsd/nfs4proc.c         | 169 ++++++++++++++++++++++---------------
>   fs/nfsd/nfsproc.c          |   6 +-
>   fs/nfsd/xdr4.h             |   3 +-
>   include/linux/sunrpc/svc.h |  19 ++++-
>   5 files changed, 125 insertions(+), 83 deletions(-)
> 

Applied to kinetic,jammy:linux/master-next and
jammy:linux-hwe-5.17/hwe-5.17-next. Note that for Kinetic, patches 1-6 were
already applied from the latest stable. They appeared to be the same as in this
submission, so only patches 7 and 8 were applied on top. Thanks.

-Stefan
Timo Aaltonen Nov. 29, 2022, 3:22 p.m. UTC | #4
Thadeu Lima de Souza Cascardo kirjoitti 11.11.2022 klo 15.48:
> [Impact]
> A malicious client can cause a buffer overflow on the nfsd server by sending
> a crafted RPC message.
> 
> [Backport]
> For 5.14, 5.15, 5.17 and 5.19, these are all clean cherry-picks. Backports
> for older kernel versions are in progress.
> 
> [Potential regression]
> NFSD servers might misbehave.
> 
> Chuck Lever (8):
>    SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
>    SUNRPC: Fix svcxdr_init_encode's buflen calculation
>    NFSD: Protect against send buffer overflow in NFSv2 READDIR
>    NFSD: Protect against send buffer overflow in NFSv3 READDIR
>    NFSD: Protect against send buffer overflow in NFSv2 READ
>    NFSD: Protect against send buffer overflow in NFSv3 READ
>    NFSD: Remove "inline" directives on op_rsize_bop helpers
>    NFSD: Cap rsize_bop result based on send buffer size
> 
>   fs/nfsd/nfs3proc.c         |  11 +--
>   fs/nfsd/nfs4proc.c         | 169 ++++++++++++++++++++++---------------
>   fs/nfsd/nfsproc.c          |   6 +-
>   fs/nfsd/xdr4.h             |   3 +-
>   include/linux/sunrpc/svc.h |  19 ++++-
>   5 files changed, 125 insertions(+), 83 deletions(-)
> 

Applied to oem-5.14, thanks.