[PATCH 5.8 380/464] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")

Mon, 17 Aug 2020 12:22:42 -0700 

From: Chuck Lever <chuck.le...@oracle.com>

[ Upstream commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f ]

Braino when converting "buf->len -=" to "buf->len = len -".

The result is under-estimation of the ralign and rslack values. On
krb5p mounts, this has caused READDIR to fail with EIO, and KASAN
splats when decoding READLINK replies.

As a result of fixing this oversight, the gss_unwrap method now
returns a buf->len that can be shorter than priv_len for small
RPC messages. The additional adjustment done in unwrap_priv_data()
can underflow buf->len. This causes the nfsd_request_too_large
check to fail during some NFSv3 operations.

Reported-by: Marian Rainer-Harbach
Reported-by: Pierre Sauter <pierre.sau...@stwm.de>
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277
Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()")
Reviewed-by: J. Bruce Fields <bfie...@redhat.com>
Signed-off-by: Chuck Lever <chuck.le...@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 +-
 net/sunrpc/auth_gss/svcauth_gss.c   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c 
b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index cf0fd170ac189..90b8329fef824 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, 
int len,
                                                        buf->head[0].iov_len);
        memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
        buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
-       buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip;
+       buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip);
 
        /* Trim off the trailing "extra count" and checksum blob */
        xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip);
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c 
b/net/sunrpc/auth_gss/svcauth_gss.c
index 46027d0c903f9..c28051f7d217d 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -958,7 +958,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf 
*buf, u32 seq, struct gs
 
        maj_stat = gss_unwrap(ctx, 0, priv_len, buf);
        pad = priv_len - buf->len;
-       buf->len -= pad;
        /* The upper layers assume the buffer is aligned on 4-byte boundaries.
         * In the krb5p case, at least, the data ends up offset, so we need to
         * move it around. */
-- 
2.25.1

Reply via email to