[v2] NFSD: prevent integer overflow on 32 bit systems

Message ID 20220315153406.GA1527@kili (mailing list archive)
State New, archived

Commit Message

Dan Carpenter March 15, 2022, 3:34 p.m. UTC
On a 32 bit system, the "len * sizeof(*p)" operation can have an
integer overflow.

Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: add stable to the CC.  Use SIZE_MAX.

 include/linux/sunrpc/xdr.h | 2 ++
 1 file changed, 2 insertions(+)

Comments

Chuck Lever III March 15, 2022, 4:22 p.m. UTC | #1
> On Mar 15, 2022, at 11:34 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> On a 32 bit system, the "len * sizeof(*p)" operation can have an
> integer overflow.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Trond, this patch was To: me, but either you or I can take this.
Please let me know your preference.


> ---
> v2: add stable to the CC.  Use SIZE_MAX.
> 
> include/linux/sunrpc/xdr.h | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
> index b519609af1d0..4417f667c757 100644
> --- a/include/linux/sunrpc/xdr.h
> +++ b/include/linux/sunrpc/xdr.h
> @@ -731,6 +731,8 @@ xdr_stream_decode_uint32_array(struct xdr_stream *xdr,
> 
> 	if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0))
> 		return -EBADMSG;
> +	if (len > SIZE_MAX / sizeof(*p))
> +		return -EBADMSG;
> 	p = xdr_inline_decode(xdr, len * sizeof(*p));
> 	if (unlikely(!p))
> 		return -EBADMSG;
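
Review bot: the added `if (len > SIZE_MAX / sizeof(*p))` test is the only error check in this hunk that is not wrapped in unlikely(); the checks immediately before and after it both carry the annotation. For consistency with the surrounding code, consider `if (unlikely(len > SIZE_MAX / sizeof(*p)))`.
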
> -- 
> 2.20.1
> 

--
Chuck Lever

Trond Myklebust March 15, 2022, 4:30 p.m. UTC | #2
On Tue, 2022-03-15 at 16:22 +0000, Chuck Lever III wrote:
> 
> 
> > On Mar 15, 2022, at 11:34 AM, Dan Carpenter
> > <dan.carpenter@oracle.com> wrote:
> > 
> > On a 32 bit system, the "len * sizeof(*p)" operation can have an
> > integer overflow.
> > 
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Trond, this patch was To: me, but either you or I can take this.
> Please let me know your preference.
> 

I don't mind either way. If you've got it applied already, then let's
send it through your tree.

Chuck Lever III March 15, 2022, 4:39 p.m. UTC | #3
> On Mar 15, 2022, at 12:30 PM, Trond Myklebust <trondmy@hammerspace.com> wrote:
> 
> On Tue, 2022-03-15 at 16:22 +0000, Chuck Lever III wrote:
>> 
>> 
>>> On Mar 15, 2022, at 11:34 AM, Dan Carpenter
>>> <dan.carpenter@oracle.com> wrote:
>>> 
>>> On a 32 bit system, the "len * sizeof(*p)" operation can have an
>>> integer overflow.
>>> 
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> 
>> Trond, this patch was To: me, but either you or I can take this.
>> Please let me know your preference.
>> 
> 
> I don't mind either way. If you've got it applied already, then let's
> send it through your tree.

I've applied this one and "prevent underflow in nfssvc_decode_writeargs".
Thanks, Trond and Dan!


--
Chuck Lever

Patch

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index b519609af1d0..4417f667c757 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -731,6 +731,8 @@  xdr_stream_decode_uint32_array(struct xdr_stream *xdr,
 
 	if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0))
 		return -EBADMSG;
+	if (len > SIZE_MAX / sizeof(*p))
+		return -EBADMSG;
 	p = xdr_inline_decode(xdr, len * sizeof(*p));
 	if (unlikely(!p))
 		return -EBADMSG;
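
Review bot: the new bound check ahead of `xdr_inline_decode(xdr, len * sizeof(*p))` carries no comment explaining why it exists, and the reason is easy to miss on 64-bit builds, where a length filled in by xdr_stream_decode_u32() cannot realistically exceed SIZE_MAX / sizeof(*p). A one-line comment saying that it guards the `len * sizeof(*p)` multiplication on 32-bit would help future readers. Alternatively, check_mul_overflow() from linux/overflow.h would state the intent directly and keep the test tied to the multiplication it protects, so the two cannot drift apart if the expression is later changed.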