On 2022/11/12 13:01, yangerkun wrote:
Hi, Chuck Lever,
CVE-2022-43945(https://nvd.nist.gov/vuln/detail/CVE-2022-43945) describe
that a normal request header ended with garbage data can trigger the
nfsd overflow since nfsd share the request and response with the same
pages array.
It seems that the
patchset(https://lore.kernel.org/linux-nfs/166204973526.1435.6068003336048840051.stgit@xxxxxxxxxxxxxxxxxxxxx/T/#t)
has solved NFSv2/NFSv3, but leave NFSv4 still vulnerably?
Another question, for stable branch like lts-5.10, since NFSv2/NFSv3 did
not switch to xdr_stream, the nfs_request_too_big in nfsd_dispatch will
reject the request like READ/READDIR with too large request. So it seems
branch without that "switch" seems ok for NFSv2/NFSv3, but NFSv3 still
vulnerably. right?
Looking forward to your reply!
Sorry, notice that 76ce4dcec0dc"NFSD: Cap rsize_bop result based on send
buffer size") fix same problem for NFSv4.
So, for the stable branch like lts-5.10 which NFSv2/NFSv3 do not switch
to xdr_stream, it seems we only need 76ce4dcec0dc"NFSD: Cap rsize_bop
result based on send buffer size"). Right?
Thanks,
Erkun Yang
.