From: Sasha Levin Date: Sun, 24 Nov 2024 14:13:06 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.19.325~133 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e99c18ebcd3c406b938f192e0db08a41d4f877df;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch b/queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch new file mode 100644 index 00000000000..a0226b9e636 --- /dev/null +++ b/queue-5.4/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch 
@@ -0,0 +1,60 @@ +From fbbb494cf1a9ac1af7cf8c537197354ab4fa6923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:29:43 +0100 +Subject: cifs: Fix buffer overflow when parsing NFS reparse points +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit e2a8910af01653c1c268984855629d71fb81f404 upstream. + +ReparseDataLength is sum of the InodeType size and DataBuffer size. +So to get DataBuffer size it is needed to subtract InodeType's size from +ReparseDataLength. + +Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer +at position after the end of the buffer because it does not subtract +InodeType size from the length. Fix this problem and correctly subtract +variable len. + +Member InodeType is present only when reparse buffer is large enough. Check +for ReparseDataLength before accessing InodeType to prevent another invalid +memory access. + +Major and minor rdev values are present also only when reparse buffer is +large enough. Check for reparse buffer size before calling reparse_mkdev(). 
+ +Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +[use variable name symlink_buf, the other buf->InodeType accesses are +not used in current version so skip] +Signed-off-by: Mahmoud Adam +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index b2e45e168548b..64ac683498e03 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2539,6 +2539,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, + + /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ + len = le16_to_cpu(symlink_buf->ReparseDataLength); ++ if (len < sizeof(symlink_buf->InodeType)) { ++ cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); ++ return -EIO; ++ } ++ ++ len -= sizeof(symlink_buf->InodeType); + + if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { + cifs_dbg(VFS, "%lld not a supported symlink type\n", +-- +2.43.0 + diff --git a/queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch b/queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch new file mode 100644 index 00000000000..aabf34508b6 --- /dev/null +++ b/queue-5.4/nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch 
@@ -0,0 +1,68 @@ +From 700af1e11e00fe48e4edbea8358aa1fa0b721980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2024 14:13:15 -0500 +Subject: NFSD: Force all NFSv4.2 COPY requests to be synchronous + +From: Chuck Lever + +[ Upstream commit 8d915bbf39266bb66082c1e4980e123883f19830 ] + +We've discovered that delivering a CB_OFFLOAD operation can be +unreliable in some pretty unremarkable situations. Examples +include: + + - The server dropped the connection because it lost a forechannel + NFSv4 request and wishes to force the client to retransmit + - The GSS sequence number window under-flowed + - A network partition occurred + +When that happens, all pending callback operations, including +CB_OFFLOAD, are lost. NFSD does not retransmit them. + +Moreover, the Linux NFS client does not yet support sending an +OFFLOAD_STATUS operation to probe whether an asynchronous COPY +operation has finished. Thus, on Linux NFS clients, when a +CB_OFFLOAD is lost, asynchronous COPY can hang until manually +interrupted. + +I've tried a couple of remedies, but so far the side-effects are +worse than the disease and they have had to be reverted. So +temporarily force COPY operations to be synchronous so that the use +of CB_OFFLOAD is avoided entirely. This is a fix that can easily be +backported to LTS kernels. I am working on client patches that +introduce an implementation of OFFLOAD_STATUS. + +Note that NFSD arbitrarily limits the size of a copy_file_range +to 4MB to avoid indefinitely blocking an nfsd thread. A short +COPY result is returned in that case, and the client can present +a fresh COPY request for the remainder. 
+ +Link: https://nvd.nist.gov/vuln/detail/CVE-2024-49974 +[ cel: adjusted to apply to origin/linux-5.4.y ] +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index e38f873f98a7f..27e9754ad3b9d 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1262,6 +1262,13 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + __be32 status; + struct nfsd4_copy *async_copy = NULL; + ++ /* ++ * Currently, async COPY is not reliable. Force all COPY ++ * requests to be synchronous to avoid client application ++ * hangs waiting for COPY completion. ++ */ ++ copy->cp_synchronous = 1; ++ + status = nfsd4_verify_copy(rqstp, cstate, ©->cp_src_stateid, + ©->nf_src, ©->cp_dst_stateid, + ©->nf_dst); +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index edd9fc33209..5dcde1a54fe 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -22,3 +22,5 @@ asoc-stm-prevent-potential-division-by-zero-in-stm32.patch asoc-stm-prevent-potential-division-by-zero-in-stm32.patch-8785 proc-softirqs-replace-seq_printf-with-seq_put_decima.patch ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch +cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch +nfsd-force-all-nfsv4.2-copy-requests-to-be-synchrono.patch
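Review bot: In the cifs hunk (fs/cifs/smb2ops.c, parse_reparse_posix), the new `len < sizeof(symlink_buf->InodeType)` check only bounds `len` against the InodeType field; it does not show that `ReparseDataLength` itself was already validated against the size of the received SMB response before this function is entered, so please confirm the caller performs that outer bound check, otherwise the `len -= sizeof(...)` result is still trusted from the wire. The backport note says the reparse_mkdev() size check from the upstream message is skipped because those accesses are "not used in current version"; it would help to state in the commit text that 5.4's parse_reparse_posix does not reach reparse_mkdev() at all, so the omission is visibly deliberate rather than an incomplete backport. Minor: `cifs_dbg(VFS, "srv returned malformed nfs buffer\n");` would be more useful for incident triage if it included the offending length, e.g. `"srv returned malformed nfs buffer (len %u)\n", len`.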
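Review bot: In the nfsd hunk (fs/nfsd/nfs4proc.c, nfsd4_copy), `copy->cp_synchronous = 1;` is set unconditionally ahead of nfsd4_verify_copy(), which is the right place to override the client's request, but the commit message relies on an "arbitrary" 4MB copy_file_range limit to keep a now-synchronous COPY from blocking an nfsd thread indefinitely, and that limit is not visible in this hunk; please confirm the 5.4.y tree being patched actually carries that cap, since without it a forced-synchronous COPY of a large file becomes a thread-exhaustion concern rather than a hang fix. Also, with every COPY forced synchronous, `struct nfsd4_copy *async_copy = NULL;` in the visible context is left in place; a short comment that the async path is intentionally retained for a future OFFLOAD_STATUS-aware revert would make the temporary nature of this change clearer to backporters.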