Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 24 Nov 2024 14:13:06 +0000 (09:13 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 24 Nov 2024 14:13:06 +0000 (09:13 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch [new file with mode: 0644]
queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch b/queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch
new file mode 100644 (file)
index 0000000..a0226b9
--- /dev/null
@@ -0,0 +1,60 @@
+From fbbb494cf1a9ac1af7cf8c537197354ab4fa6923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 16:29:43 +0100
+Subject: cifs: Fix buffer overflow when parsing NFS reparse points
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit e2a8910af01653c1c268984855629d71fb81f404 upstream.
+
+ReparseDataLength is sum of the InodeType size and DataBuffer size.
+So to get DataBuffer size it is needed to subtract InodeType's size from
+ReparseDataLength.
+
+Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
+at position after the end of the buffer because it does not subtract
+InodeType size from the length. Fix this problem and correctly subtract
+variable len.
+
+Member InodeType is present only when reparse buffer is large enough. Check
+for ReparseDataLength before accessing InodeType to prevent another invalid
+memory access.
+
+Major and minor rdev values are present also only when reparse buffer is
+large enough. Check for reparse buffer size before calling reparse_mkdev().
+
+Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[use variable name symlink_buf, the other buf->InodeType accesses are
+not used in current version so skip]
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index b2e45e168548b..64ac683498e03 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2539,6 +2539,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf,
+       /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */
+       len = le16_to_cpu(symlink_buf->ReparseDataLength);
++      if (len < sizeof(symlink_buf->InodeType)) {
++              cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
++              return -EIO;
++      }
++
++      len -= sizeof(symlink_buf->InodeType);
+       if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) {
+               cifs_dbg(VFS, "%lld not a supported symlink type\n",
+-- 
+2.43.0
+
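Review bot: The new guard in parse_reparse_posix only bounds `len` against `sizeof(symlink_buf->InodeType)`, and `len` itself comes straight off the wire from `ReparseDataLength`, so the check is sound only if the caller has already rejected buffers whose `ReparseDataLength` exceeds the bytes actually received (`plen`); that validation is not in this hunk and presumably lives in the caller, so it should be confirmed for 5.4 rather than assumed. Since the backport note says the upstream rdev-size check before reparse_mkdev() was dropped because those accesses do not exist in this tree, a one-line comment above the new `if` would stop a future reader from re-adding it or wondering why the commit message and the diff differ: `/* ReparseDataLength was checked against plen by the caller; only the InodeType and DataBuffer sizes are validated here (5.4 has no rdev path). */`. The remaining `len` is then passed on to cifs_strndup_from_utf16() outside the hunk, where a zero length should be handled gracefully; that call is not visible here. parse_reparse_posix starts before and ends after this hunk.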
diff --git a/queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch b/queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch
new file mode 100644 (file)
index 0000000..aabf345
--- /dev/null
@@ -0,0 +1,68 @@
+From 700af1e11e00fe48e4edbea8358aa1fa0b721980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2024 14:13:15 -0500
+Subject: NFSD: Force all NFSv4.2 COPY requests to be synchronous
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 8d915bbf39266bb66082c1e4980e123883f19830 ]
+
+We've discovered that delivering a CB_OFFLOAD operation can be
+unreliable in some pretty unremarkable situations. Examples
+include:
+
+ - The server dropped the connection because it lost a forechannel
+   NFSv4 request and wishes to force the client to retransmit
+ - The GSS sequence number window under-flowed
+ - A network partition occurred
+
+When that happens, all pending callback operations, including
+CB_OFFLOAD, are lost. NFSD does not retransmit them.
+
+Moreover, the Linux NFS client does not yet support sending an
+OFFLOAD_STATUS operation to probe whether an asynchronous COPY
+operation has finished. Thus, on Linux NFS clients, when a
+CB_OFFLOAD is lost, asynchronous COPY can hang until manually
+interrupted.
+
+I've tried a couple of remedies, but so far the side-effects are
+worse than the disease and they have had to be reverted. So
+temporarily force COPY operations to be synchronous so that the use
+of CB_OFFLOAD is avoided entirely. This is a fix that can easily be
+backported to LTS kernels. I am working on client patches that
+introduce an implementation of OFFLOAD_STATUS.
+
+Note that NFSD arbitrarily limits the size of a copy_file_range
+to 4MB to avoid indefinitely blocking an nfsd thread. A short
+COPY result is returned in that case, and the client can present
+a fresh COPY request for the remainder.
+
+Link: https://nvd.nist.gov/vuln/detail/CVE-2024-49974
+[ cel: adjusted to apply to origin/linux-5.4.y ]
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index e38f873f98a7f..27e9754ad3b9d 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1262,6 +1262,13 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+       __be32 status;
+       struct nfsd4_copy *async_copy = NULL;
++      /*
++       * Currently, async COPY is not reliable. Force all COPY
++       * requests to be synchronous to avoid client application
++       * hangs waiting for COPY completion.
++       */
++      copy->cp_synchronous = 1;
++
+       status = nfsd4_verify_copy(rqstp, cstate, &copy->cp_src_stateid,
+                                  &copy->nf_src, &copy->cp_dst_stateid,
+                                  &copy->nf_dst);
+-- 
+2.43.0
+
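Review bot: Unconditionally setting `copy->cp_synchronous = 1` before nfsd4_verify_copy() discards whatever the client asked for and makes the asynchronous branch that uses `async_copy` (declared on the line just above the insertion) unreachable, but the comment does not say the override is deliberate and temporary, nor why. I would make the comment carry the rationale from the commit message so the dead async path is not "fixed" by a later backport: `/* Temporary: force synchronous COPY. CB_OFFLOAD delivery is unreliable and Linux clients lack OFFLOAD_STATUS to recover a lost callback, so async COPY can hang (CVE-2024-49974). Remove once OFFLOAD_STATUS support lands. */`. Because the server now answers synchronously, the reply's synchronous flag presumably reflects the forced value so the client knows no callback is coming; that encoding is outside the hunk and should be confirmed, as should the behaviour of the 4MB short-copy cap the message mentions, since clients will now see more short COPY results. nfsd4_copy continues past the end of this hunk.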
index edd9fc332095ac2892ddcd7193af1677c6f43f89..5dcde1a54fe2bfe211ac04fab980596a2bf0cf9f 100644 (file)
@@ -22,3 +22,5 @@ asoc-stm-prevent-potential-division-by-zero-in-stm32.patch
 asoc-stm-prevent-potential-division-by-zero-in-stm32.patch-8785
 proc-softirqs-replace-seq_printf-with-seq_put_decima.patch
 ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch
+cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch
+nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch