The patch titled
     nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode update
has been added to the -mm tree.  Its filename is
     nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode-update.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode update
From: Trond Myklebust <trond.myklebust@xxxxxxxxxx>

Hmm... Your patch fails to check for buffer overflows on the read of the
bitmap/attribute length, and on the end-of-record markers.

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 fs/nfs/nfs4xdr.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff -puN fs/nfs/nfs4xdr.c~nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode-update fs/nfs/nfs4xdr.c --- a/fs/nfs/nfs4xdr.c~nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode-update +++ a/fs/nfs/nfs4xdr.c @@ -3374,6 +3374,7 @@ static int decode_readdir(struct xdr_str if (pglen > recvd) pglen = recvd; xdr_read_pages(xdr, pglen); + BUG_ON(pglen + readdir->pgbase > PAGE_CACHE_SIZE); kaddr = p = (uint32_t *) kmap_atomic(page, KM_USER0); end = p + ((pglen + readdir->pgbase) >> 2);
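Review bot: the new BUG_ON() in the @@ -3374 hunk turns an out-of-range pglen + readdir->pgbase into a kernel panic, and pglen comes from the reply (it is clamped to recvd two lines earlier), so if that bound can ever be exceeded by what the server sent rather than by a client-side bug in how the receive pages were laid out, a broken or malicious server gets a remote crash instead of an I/O error. The check itself is the right one to have, because the next line derives end = p + ((pglen + readdir->pgbase) >> 2) from the same sum and an overshoot would let the parser walk past the mapped page; but a warning plus an error return would be safer than BUG_ON here, and since kmap_atomic() has not been called yet at this point a plain error return needs no unmap. If the condition really is a client-side invariant that no reply can violate, a one-line comment saying why would help the next reader.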
@@ -3389,16 +3390,16 @@ static int decode_readdir(struct xdr_str goto err_unmap; } xlen = XDR_QUADLEN(len); - if (end - p < xlen) + if (end - p < xlen + 1) goto short_pkt; dprintk("filename = %*s\n", len, (char *)p); p += xlen; len = ntohl(*p++); /* bitmap length */ - if (end - p < len) + if (end - p < len + 1) goto short_pkt; p += len; attrlen = XDR_QUADLEN(ntohl(*p++)); - if (end - p < attrlen + 1) + if (end - p < attrlen + 2) goto short_pkt; p += attrlen; /* attributes */ entry = p; _

Patches currently in -mm which might be from trond.myklebust@xxxxxxxxxx are

origin.patch
add-newline-to-nfs-dprintk.patch
nfs-fix-up-warnings.patch
nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode.patch
nfs-check-lengths-more-thoroughly-in-nfs4-readdir-xdr-decode-update.patch
fs-cache-provide-a-filesystem-specific-syncable-page-bit.patch
fs-cache-generic-filesystem-caching-facility.patch
fs-cache-release-page-private-in-failed-readahead.patch
fs-cache-make-kafs-use-fs-cache.patch
nfs-use-local-caching.patch
fs-cache-cachefiles-ia64-missing-copy_page-export.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem.patch
autofs-make-sure-all-dentries-refs-are-released-before-calling-kill_anon_super.patch
vfs-destroy-the-dentries-contributed-by-a-superblock-on-unmounting.patch
vfs-make-filldir_t-and-struct-kstat-deal-in-64-bit-inode-numbers.patch
vfs-make-filldir_t-and-struct-kstat-deal-in-64-bit-inode-numbers-alpha-fix.patch
nfs-represent-64-bit-fileids-as-64-bit-inode-numbers-on-32-bit-systems.patch
restore-rogue-readahead-printk.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
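Review bot: in the @@ -3389 hunk the bitmap-length test `if (end - p < len + 1)` can still be defeated by a wrapped sum: len is read straight off the wire by `len = ntohl(*p++)` and is not range-checked before the comparison, so if len is a 32-bit unsigned type (its declaration is outside the hunk) a value of 0xffffffff makes len + 1 evaluate to 0, the test passes, and the following `p += len` moves p far outside the page before the next `ntohl(*p++)` dereferences it. Writing the comparisons without the addition avoids the wrap, e.g. `if (end - p <= len)` in place of `if (end - p < len + 1)` and likewise `if (end - p <= xlen)` and `if (end - p <= attrlen + 1)` for the other two; alternatively bound the bitmap length against a small sane maximum before using it. The +1 after xlen and after len reserves the word that holds the next length field, and the +2 after attrlen covers the value-follows boolean plus the word after it, which matches the commit message, but a short comment on each would spare the next reader working that out.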