linux/fs/nfsd
J. Bruce Fields 76f47128f9 nfsd: fix rare symlink decoding bug
An NFS operation that creates a new symlink includes the symlink data,
which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
of zero-padding as required to reach a 4-byte boundary.

The vfs, on the other hand, wants null-terminated data.

The simple way to handle this would be by copying the data into a newly
allocated buffer with space for the final null.

The current nfsd_symlink code tries to be more clever by skipping that
step in the (likely) case where the byte following the string is already
0.

But that assumes that the byte following the string is ours to look at.
In fact, it might be the first byte of a page that we can't read, or of
some object that another task might modify.

Worse, the NFSv4 code tries to fix the problem by actually writing to
that byte.

In the NFSv2/v3 cases this actually appears to be safe:

	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
	  (after first checking its length and copying it to a new
	  page).
	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
	  request is always at least a page, and the link data (and
	  previous fields) have maximum lengths that prevent the request
	  from reaching the end of a page.

In the NFSv4 case the CREATE op is potentially just one part of a long
compound so can end up on the end of a page if you're unlucky.

The minimal fix here is to copy and null-terminate in the NFSv4 case.
The nfsd_symlink() interface here seems too fragile, though.  It should
really either do the copy itself every time or just require a
null-terminated string.

Reported-by: Jeff Layton <jlayton@primarydata.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2014-06-27 16:10:46 -04:00
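The commit message describes the safe approach it prefers over the "peek at the next byte" shortcut: copy the XDR opaque data into a freshly allocated buffer that has room for a terminating NUL, and never read or write anything past the end of the received request. The following C program is an added illustration of that decoding rule, not code from the kernel or from this commit; the names decode_symlink_data, encode_symlink_data, the MAX_LINK_LEN limit and the sample paths are all constructed for the example. It rejects any request whose length word, data or 0-3 padding bytes would extend beyond the buffer, which is exactly the page-boundary case the message warns about.

```c
/*
 * Added example (not kernel code): decode an XDR-encoded symlink path
 * ("length, data, zero padding to a 4-byte boundary") by copying it into a
 * new NUL-terminated buffer, touching nothing beyond the request itself.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed upper bound on the link text; a stand-in for the protocol limit. */
#define MAX_LINK_LEN 4096

/* XDR integers are big-endian 32-bit. */
static uint32_t xdr_get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Decode from buf[0..buflen). On success returns a malloc'd NUL-terminated
 * copy and stores the bytes consumed (length word + data + padding) in
 * *consumed. Returns NULL if any part of the field lies outside the buffer,
 * so a request that ends exactly on a page boundary is never overread.
 */
char *decode_symlink_data(const unsigned char *buf, size_t buflen,
                          size_t *consumed)
{
    uint32_t len;
    size_t padded;
    char *out;

    if (buflen < 4)
        return NULL;
    len = xdr_get_u32(buf);
    if (len == 0 || len > MAX_LINK_LEN)
        return NULL;
    padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded > buflen - 4)          /* data or padding would overrun */
        return NULL;
    if (memchr(buf + 4, '\0', len))   /* an embedded NUL cannot be a C path */
        return NULL;
    out = malloc((size_t)len + 1);
    if (!out)
        return NULL;
    memcpy(out, buf + 4, len);
    out[len] = '\0';                  /* the terminator lives in our buffer */
    if (consumed)
        *consumed = 4 + padded;
    return out;
}

/* Constructed helper: build a request field for testing. Returns bytes
 * written, or 0 if cap is too small. */
size_t encode_symlink_data(unsigned char *dst, size_t cap, const char *path)
{
    size_t len = strlen(path);
    size_t padded = (len + 3) & ~(size_t)3;

    if (cap < 4 + padded)
        return 0;
    dst[0] = (unsigned char)(len >> 24);
    dst[1] = (unsigned char)(len >> 16);
    dst[2] = (unsigned char)(len >> 8);
    dst[3] = (unsigned char)len;
    memcpy(dst + 4, path, len);
    memset(dst + 4 + len, 0, padded - len);
    return 4 + padded;
}

/* Self-checks: return 1 on the expected outcome, 0 otherwise. */
int symlink_roundtrip_ok(const char *path)
{
    unsigned char req[64];
    size_t n = encode_symlink_data(req, sizeof req, path);
    size_t used = 0;
    char *s = n ? decode_symlink_data(req, n, &used) : NULL;
    int ok = s != NULL && used == n && strcmp(s, path) == 0;

    free(s);
    return ok;
}

int symlink_truncated_rejected(const char *path, size_t drop)
{
    unsigned char req[64];
    size_t n = encode_symlink_data(req, sizeof req, path);
    char *s = (n && drop < n) ? decode_symlink_data(req, n - drop, NULL) : NULL;
    int rejected = (s == NULL);

    free(s);
    return rejected;
}

int symlink_bogus_length_rejected(void)
{
    /* Claims 100 bytes of data but only carries 4. */
    unsigned char bad[8] = { 0, 0, 0, 100, 'a', 'b', 'c', 'd' };
    return decode_symlink_data(bad, sizeof bad, NULL) == NULL;
}

int main(void)
{
    unsigned char req[64];
    size_t n = encode_symlink_data(req, sizeof req, "target");
    size_t used = 0;
    char *s = decode_symlink_data(req, n, &used);

    printf("decoded '%s', consumed %zu of %zu bytes\n", s ? s : "(rejected)", used, n);
    free(s);
    printf("padding cut off: %s\n",
           symlink_truncated_rejected("target", 1) ? "rejected" : "accepted");
    return 0;
}
```

The "abcd" case in the checks below is the one the commit message singles out: the data ends exactly on a 4-byte boundary, so there is no padding and the byte after the string may belong to the next page; the decoder never needs it because the terminator is written into its own allocation.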
acl.h nfsd4: use xdr_reserve_space in attribute encoding 2014-05-28 14:52:34 -04:00
auth.c NFSD: Cleanup unused variable in nfsd_setuser() 2014-05-30 17:32:21 -04:00
auth.h nfsd: Remove nfsd_luid, nfsd_lgid, nfsd_ruid and nfsd_rgid 2013-02-13 06:15:51 -08:00
cache.h nfsd: get rid of unused function definition 2014-01-02 17:53:23 -05:00
current_stateid.h nfsd41: use current stateid by value 2012-02-15 11:20:45 -05:00
export.c NFSD: Error out when getting more than one fsloc/secinfo/uuid 2014-05-30 17:32:25 -04:00
export.h NFSD: Using type of uint32_t for ex_nflavors instead of int 2014-05-30 17:32:24 -04:00
fault_inject.c NFSD: Use simple_read_from_buffer for coping data to userspace 2014-05-08 14:59:52 -04:00
idmap.h nfsd4: use xdr_reserve_space in attribute encoding 2014-05-28 14:52:34 -04:00
Kconfig nfsd: fix Kconfig syntax 2013-10-26 15:37:26 -04:00
lockd.c nfsd: Remove deprecated nfsctl system call and related code. 2011-07-15 18:58:42 -04:00
Makefile NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
netns.h NFSD: Don't start lockd when only NFSv4 is running 2014-01-03 18:18:50 -05:00
nfs2acl.c nfsd: Remove assignments inside conditions 2014-05-22 15:52:23 -04:00
nfs3acl.c nfsd: Remove assignments inside conditions 2014-05-22 15:52:23 -04:00
nfs3proc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfs3xdr.c nfsd: Remove assignments inside conditions 2014-05-22 15:52:23 -04:00
nfs4acl.c nfsd4: use xdr_reserve_space in attribute encoding 2014-05-28 14:52:34 -04:00
nfs4callback.c nfsd: set timeparms.to_maxval in setup_callback_client 2014-04-18 14:34:31 +02:00
nfs4idmap.c nfsd4: use xdr_reserve_space in attribute encoding 2014-05-28 14:52:34 -04:00
nfs4proc.c nfsd: fix rare symlink decoding bug 2014-06-27 16:10:46 -04:00
nfs4recover.c nfsd: switch to %p[dD] 2013-10-24 23:34:51 -04:00
nfs4state.c NFSD: Don't hand out delegations for 30 seconds after recalling them. 2014-06-17 16:42:47 -04:00
nfs4xdr.c nfsd: fix rare symlink decoding bug 2014-06-27 16:10:46 -04:00
nfscache.c nfsd: don't halt scanning the DRC LRU list when there's an RC_INPROG entry 2014-06-06 19:22:49 -04:00
nfsctl.c NFSD: Get rid of empty function nfs4_state_init 2014-05-08 14:59:52 -04:00
nfsd.h NFSD: Get rid of empty function nfs4_state_init 2014-05-08 14:59:52 -04:00
nfsfh.c SUNRPC/NFSD: Remove using of dprintk with KERN_WARNING 2014-05-30 20:25:28 -04:00
nfsfh.h nfsd: remove <linux/nfsd/nfsfh.h> 2014-05-06 17:54:53 -04:00
nfsproc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfssvc.c nfsd: Only set PF_LESS_THROTTLE when really needed. 2014-05-22 15:59:19 -04:00
nfsxdr.c nfsd: Remove assignments inside conditions 2014-05-22 15:52:23 -04:00
state.h nfsd4: allow larger 4.1 session drc slots 2014-05-23 09:03:41 -04:00
stats.c nfsd: move <linux/nfsd/stats.h> to fs/nfsd 2014-05-06 17:54:55 -04:00
stats.h nfsd: move <linux/nfsd/stats.h> to fs/nfsd 2014-05-06 17:54:55 -04:00
vfs.c nfsd: remove unused function nfsd_read_file 2014-05-30 17:32:27 -04:00
vfs.h nfsd: remove unused function nfsd_read_file 2014-05-30 17:32:27 -04:00
xdr3.h nfsd: fix encode_entryplus_baggage stack usage 2014-01-23 13:50:27 -05:00
xdr4.h nfsd4: allow large readdirs 2014-05-30 17:32:03 -04:00
xdr4cb.h nfsd4: check backchannel attributes on create_session 2013-04-09 16:53:56 -04:00
xdr.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00