[PATCH RFC 2/6] NFSD: Fix NFSv3 SETATTR's handling of large file sizes

Chuck Lever <chuck.lever@xxxxxxxxxx> · Thu, 27 Jan 2022 11:08:38 -0500

iattr::ia_size is a loff_t, so the XDR decoders must be careful to
deal with incoming client size values that are larger than s64_max.

VFS size comparisons (like in inode_newsize_ok) should now work as
expected -- it returns -EFBIG if the new size is larger than the
underlying filesystem's s_maxbytes.

However, RFC 1813 permits only WRITE to return NFS3ERR_FBIG. Add an
extra check to prevent NFSv3 SETATTR from returning FBIG.

Other NFSv3 procedures that take sattr3 arguments need to be audited
for this issue.

Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
---
 fs/nfsd/nfs3proc.c |   19 ++++++++++++++++++-
 fs/nfsd/nfs3xdr.c  |    2 +-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
index 8ef53f6726ec..aa0f0261ddac 100644
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -66,13 +66,30 @@ nfsd3_proc_setattr(struct svc_rqst *rqstp)
 {
 	struct nfsd3_sattrargs *argp = rqstp->rq_argp;
 	struct nfsd3_attrstat *resp = rqstp->rq_resp;
+	struct iattr *iap = &argp->attrs;
 
 	dprintk("nfsd: SETATTR(3)  %s\n",
 				SVCFH_fmt(&argp->fh));
 
 	fh_copy(&resp->fh, &argp->fh);
-	resp->status = nfsd_setattr(rqstp, &resp->fh, &argp->attrs,
+
+	if (iap->ia_valid & ATTR_SIZE) {
+		struct super_block *sb;
+
+		resp->status = fh_verify(rqstp, &resp->fh, S_IFREG,
+			NFSD_MAY_SATTR|NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE);
+		if (resp->status != nfs_ok)
+			goto out;
+
+		resp->status = nfserr_inval;
+		sb = resp->fh.fh_dentry->d_sb;
+		if (iap->ia_size < 0 || iap->ia_size > sb->s_maxbytes)
+			goto out;
+	}
+
+	resp->status = nfsd_setattr(rqstp, &resp->fh, iap,
 				    argp->check_guard, argp->guardtime);
+out:
 	return rpc_success;
 }
 
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index 7c45ba4db61b..2e47a07029f1 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -254,7 +254,7 @@ svcxdr_decode_sattr3(struct svc_rqst *rqstp, struct xdr_stream *xdr,
 		if (xdr_stream_decode_u64(xdr, &newsize) < 0)
 			return false;
 		iap->ia_valid |= ATTR_SIZE;
-		iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX);
+		iap->ia_size = newsize;
 	}
 	if (xdr_stream_decode_u32(xdr, &set_it) < 0)
 		return false;







