Commit | Line | Data |
---|---|---|
9e4b7051 GKH |
1 | From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001 |
2 | From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
3 | Date: Sat, 30 Mar 2019 10:21:07 +0900 | |
4 | Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family. | |
5 | ||
6 | From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
7 | ||
8 | commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream. | |
9 | ||
10 | syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This | |
11 | is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family | |
12 | (which is embedded into user-visible "struct nfs_mount_data" structure) | |
13 | even though nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6) | |
14 | bytes of AF_INET6 address to rpc_sockaddr2uaddr(). | |
15 | ||
16 | Since "struct nfs_mount_data" structure is user-visible, we can't change | |
17 | "struct nfs_mount_data" to use "struct sockaddr_storage". Therefore, | |
18 | assuming that everybody is using AF_INET family when passing address via | |
19 | "struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET. | |
20 | ||
21 | [1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c | |
22 | ||
23 | Reported-by: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com> | |
24 | Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
25 | Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> | |
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
27 | ||
28 | --- | |
29 | fs/nfs/super.c | 3 ++- | |
30 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
31 | ||
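--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(voi
 memcpy(sap, &data->addr, sizeof(data->addr));
 args->nfs_server.addrlen = sizeof(data->addr);
 args->nfs_server.port = ntohs(data->addr.sin_port);
- if (!nfs_verify_server_address(sap))
+ if (sap->sa_family != AF_INET ||
+ !nfs_verify_server_address(sap))
 goto out_no_address;
 
 if (!(data->flags & NFS_MOUNT_TCP))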
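Review bot: The added `sap->sa_family != AF_INET` test carries no comment, so the reason a binary mount blob may only name an IPv4 server is recorded only in the commit message. `data->addr` is a `struct sockaddr_in`, and the `memcpy` and `addrlen` assignment just above cover only `sizeof(data->addr)` bytes, so any other family would let later consumers size their reads by a family the buffer was never filled for. I would put this above the `if`: `/* data->addr is a struct sockaddr_in: only AF_INET matches the bytes copied and the addrlen set above */`. Other paths that hand a user-supplied address to `nfs_verify_server_address()` may need the same family-versus-length check, but none of them are visible in this hunk. The body of nfs23_validate_mount_data() starts and ends outside the hunk.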