[thirdparty/kernel/stable-queue.git] / queue-4.4 / nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch

From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Sat, 30 Mar 2019 10:21:07 +0900
Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.

syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
(which is embedded into user-visible "struct nfs_mount_data" structure)
despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
bytes of AF_INET6 address to rpc_sockaddr2uaddr().

Since "struct nfs_mount_data" structure is user-visible, we can't change
"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
assuming that everybody is using AF_INET family when passing address via
"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.

[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c

Reported-by: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/super.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(voi
 		memcpy(sap, &data->addr, sizeof(data->addr));
 		args->nfs_server.addrlen = sizeof(data->addr);
 		args->nfs_server.port = ntohs(data->addr.sin_port);
-		if (!nfs_verify_server_address(sap))
+		if (sap->sa_family != AF_INET ||
+		    !nfs_verify_server_address(sap))
 			goto out_no_address;
 
 		if (!(data->flags & NFS_MOUNT_TCP))
Commit	Line	Data
9e4b7051 GKH	1	From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
	2	From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	3	Date: Sat, 30 Mar 2019 10:21:07 +0900
	4	Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
	5
	6	From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	7
	8	commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.
	9
	10	syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
	11	is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
	12	(which is embedded into user-visible "struct nfs_mount_data" structure)
	13	despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
	14	bytes of AF_INET6 address to rpc_sockaddr2uaddr().
	15
	16	Since "struct nfs_mount_data" structure is user-visible, we can't change
	17	"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
	18	assuming that everybody is using AF_INET family when passing address via
	19	"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.
	20
	21	[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c
	22
	23	Reported-by: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com>
	24	Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	25	Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27
	28	---
	29	fs/nfs/super.c \| 3 ++-
	30	1 file changed, 2 insertions(+), 1 deletion(-)
	31
	32	--- a/fs/nfs/super.c
	33	+++ b/fs/nfs/super.c
	34	@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(voi
	35	memcpy(sap, &data->addr, sizeof(data->addr));
	36	args->nfs_server.addrlen = sizeof(data->addr);
	37	args->nfs_server.port = ntohs(data->addr.sin_port);
	38	- if (!nfs_verify_server_address(sap))
	39	+ if (sap->sa_family != AF_INET \|\|
	40	+ !nfs_verify_server_address(sap))
	41	goto out_no_address;
	42
	43	if (!(data->flags & NFS_MOUNT_TCP))