On Fri, Jul 24, 2020 at 02:55:07PM -0400, Chuck Lever wrote: > Braino when converting "buf->len -=" to "buf->len = len -". > > The result is under-estimation of the ralign and rslack values. On > krb5p mounts, this has caused READDIR to fail with EIO, and KASAN > splats when decoding READLINK replies. > > As a result of fixing this oversight, the gss_unwrap method now > returns a buf->len that can be shorter than priv_len for small > RPC messages. The additional adjustment done in unwrap_priv_data() > can underflow buf->len. This causes the nfsd_request_too_large > check to fail during some NFSv3 operations. > > Reported-by: Marian Rainer-Harbach > Reported-by: Pierre Sauter <pierre.sauter@xxxxxxx> > BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 > Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()") > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> > --- > net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 +- > net/sunrpc/auth_gss/svcauth_gss.c | 1 - > 2 files changed, 1 insertion(+), 2 deletions(-) > > Hi Bruce- > > I can take this in v5.9 if you agree it's a righteous fix. Righteous! Well, seems like a reasonable step, anyway. I just wish I had a more complete understanding. Anyway, Reviewed-by: J. Bruce Fields <bfields@xxxxxxxxxx> --b. > Changes since RFC: > - series squashed into a single patch > - "pad" is still calculated in unwrap_priv_data for later use > > diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c > index cf0fd170ac18..90b8329fef82 100644 > --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c > +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c > @@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len, > buf->head[0].iov_len); > memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen); > buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip; > - buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip; > + buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip); > > /* Trim off the trailing "extra count" and checksum blob */ > xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip); > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c > index 7d83f54aaaa6..258b04372f85 100644 > --- a/net/sunrpc/auth_gss/svcauth_gss.c > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > @@ -990,7 +990,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs > > maj_stat = gss_unwrap(ctx, 0, priv_len, buf); > pad = priv_len - buf->len; > - buf->len -= pad; > /* The upper layers assume the buffer is aligned on 4-byte boundaries. > * In the krb5p case, at least, the data ends up offset, so we need to > * move it around. */ >
