From 279997974099abbc4a1ac28ed243f62bc039cf65 Mon Sep 17 00:00:00 2001
From: Yannick Cote <ycote@redhat.com>
Date: Mon, 12 Dec 2022 19:34:33 -0500
Subject: [KPATCH CVE-2022-43945] kpatch fixes for CVE-2022-43945
Kernels:
5.14.0-162.6.1.el9_1
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/14
Approved-by: Joe Lawrence (@joe.lawrence)
Changes since last build:
[x86_64]:
ax88179_178a.o: changed function: ax88179_rx_fixup
callback_xdr.o: changed function: nfs_callback_dispatch
intel_gt.o: changed function: intel_gt_invalidate_tlbs
nfs3proc.o: changed function: nfsd3_init_dirlist_pages
nfs3proc.o: changed function: nfsd3_proc_read
nfsproc.o: changed function: nfsd_proc_read
nfsproc.o: changed function: nfsd_proc_readdir
nfssvc.o: changed function: nfsd_dispatch
pipe.o: changed function: pipe_resize_ring
svc.o: changed function: nlmsvc_dispatch
[ppc64le]:
ax88179_178a.o: changed function: ax88179_rx_fixup
callback_xdr.o: changed function: nfs_callback_dispatch
nfs3proc.o: changed function: nfsd3_init_dirlist_pages
nfs3proc.o: changed function: nfsd3_proc_read
nfsproc.o: changed function: nfsd_proc_read
nfsproc.o: changed function: nfsd_proc_readdir
nfssvc.o: changed function: nfsd_dispatch
pipe.o: changed function: pipe_resize_ring
svc.o: changed function: nlmsvc_dispatch
---------------------------
Modifications:
- Take out modifications to header routines and roll new kpatch versions
of them to be included at all call sites.
- Wrapped new routines: svcxdr_init_decode(), svcxdr_init_encode()
commit a7e335af244128a81a936cfc8d23509e29fc0b72
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:53 2022 -0500
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 63e941917cd28dff8b33ce5c8658aac3b7dc5c75
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:09:53 2022 -0400
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
Ensure that stream-based argument decoding can't go past the actual
end of the receive buffer. xdr_init_decode's calculation of the
value of xdr->end over-estimates the end of the buffer because the
Linux kernel RPC server code does not remove the size of the RPC
header from rqstp->rq_arg before calling the upper layer's
dispatcher.
The server-side still uses the svc_getnl() macros to decode the
RPC call header. These macros reduce the length of the head iov
but do not update the total length of the message in the buffer
(buf->len).
A proper fix for this would be to replace the use of svc_getnl() and
friends in the RPC header decoder, but that would be a large and
invasive change that would be difficult to backport.
Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
commit 8d718c29ff4601ff5ca279421f7e2187a38d856f
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:52 2022 -0500
SUNRPC: Fix svcxdr_init_encode's buflen calculation
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 02ef2175406bbe8753f6ff08d3dae4d927f88c69
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:09:59 2022 -0400
SUNRPC: Fix svcxdr_init_encode's buflen calculation
Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
added an explicit computation of the remaining length in the rq_res
XDR buffer.
The computation appears to suffer from an "off-by-one" bug. Because
buflen is too large by one page, XDR encoding can run off the end of
the send buffer by eventually trying to use the struct page address
in rq_page_end, which always contains NULL.
Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
commit b4648565ad97ee05956cabbb56d89f29932e7a02
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:52 2022 -0500
NFSD: Protect against send buffer overflow in NFSv2 READDIR
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 13ed52506cc7713e48ae64bd11ba867295aed137
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit 00b4492686e0497fdb924a9d4c8f6f99377e176c
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:10:05 2022 -0400
NFSD: Protect against send buffer overflow in NFSv2 READDIR
Restore the previous limit on the @count argument to prevent a
buffer overflow attack.
Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
commit 08fca21e5fe53bd2e0ef7ddbe9cb302ccedeba45
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:52 2022 -0500
NFSD: Protect against send buffer overflow in NFSv3 READDIR
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 2a688c7c62dce0bc5e4377d82d830fe2955503cc
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:10:12 2022 -0400
NFSD: Protect against send buffer overflow in NFSv3 READDIR
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply message at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this
issue.
Reported-by: Ben Ronallo <Benjamin.Ronallo@synopsys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
commit 5665aff4c12502c39f372548d1be622d99ad2252
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:52 2022 -0500
NFSD: Protect against send buffer overflow in NFSv2 READ
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 385d7c5a859c93544e7aad1dfe8e955f2035ab5f
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit 401bc1f90874280a80b93f23be33a0e7e2d1f912
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:10:18 2022 -0400
NFSD: Protect against send buffer overflow in NFSv2 READ
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
commit f036edb9860c89970440f8d524831b11afd399fb
Author: Scott Mayhew <smayhew@redhat.com>
Date: Thu Nov 10 13:41:52 2022 -0500
NFSD: Protect against send buffer overflow in NFSv3 READ
Bugzilla: https://bugzilla.redhat.com/2141769
CVE: CVE-2022-43945
Y-Commit: 45f0034c12711e534531b23c15c04aa060c9ed47
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141770
O-CVE: CVE-2022-43945
commit fa6be9cc6e80ec79892ddf08a8c10cabab9baf38
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Thu Sep 1 15:10:24 2022 -0400
NFSD: Protect against send buffer overflow in NFSv3 READ
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
Signed-off-by: Yannick Cote <ycote@redhat.com>
---
fs/lockd/svc.c | 6 ++-
fs/nfs/callback_xdr.c | 6 ++-
fs/nfsd/nfs3proc.c | 11 +++---
fs/nfsd/nfsproc.c | 6 +--
fs/nfsd/nfssvc.c | 6 ++-
include/linux/kpatch_cve_2022_43945.h | 53 +++++++++++++++++++++++++++
6 files changed, 74 insertions(+), 14 deletions(-)
create mode 100644 include/linux/kpatch_cve_2022_43945.h
diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
index b220e1b91726..e8b6e09af323 100644
--- a/fs/lockd/svc.c
+++ b/fs/lockd/svc.c
@@ -768,6 +768,8 @@ static void __exit exit_nlm(void)
module_init(init_nlm);
module_exit(exit_nlm);
+#include <linux/kpatch_cve_2022_43945.h>
+
/**
* nlmsvc_dispatch - Process an NLM Request
* @rqstp: incoming request
@@ -781,7 +783,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp)
{
const struct svc_procedure *procp = rqstp->rq_procinfo;
- svcxdr_init_decode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);
if (!procp->pc_decode(rqstp, &rqstp->rq_arg_stream))
goto out_decode_err;
@@ -791,7 +793,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp)
if (*statp != rpc_success)
return 1;
- svcxdr_init_encode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);
if (!procp->pc_encode(rqstp, &rqstp->rq_res_stream))
goto out_encode_err;
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index a67c41ec545f..9438f91b9c2d 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -983,13 +983,15 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp)
return rpc_success;
}
+#include <linux/kpatch_cve_2022_43945.h>
+
static int
nfs_callback_dispatch(struct svc_rqst *rqstp, __be32 *statp)
{
const struct svc_procedure *procp = rqstp->rq_procinfo;
- svcxdr_init_decode(rqstp);
- svcxdr_init_encode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);
*statp = procp->pc_func(rqstp);
return 1;
diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
index 9d2667a8dbd1..e0eb8b7acec8 100644
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -147,7 +147,6 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
{
struct nfsd3_readargs *argp = rqstp->rq_argp;
struct nfsd3_readres *resp = rqstp->rq_resp;
- u32 max_blocksize = svc_max_payload(rqstp);
unsigned int len;
int v;
@@ -156,7 +155,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
(unsigned long) argp->count,
(unsigned long long) argp->offset);
- argp->count = min_t(u32, argp->count, max_blocksize);
+ argp->count = min_t(u32, argp->count, svc_max_payload(rqstp));
+ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
if (argp->offset > (u64)OFFSET_MAX)
argp->offset = (u64)OFFSET_MAX;
if (argp->offset + argp->count > (u64)OFFSET_MAX)
@@ -554,13 +554,14 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
{
struct xdr_buf *buf = &resp->dirlist;
struct xdr_stream *xdr = &resp->xdr;
-
- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+ unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen,
+ svc_max_payload(rqstp));
memset(buf, 0, sizeof(*buf));
/* Reserve room for the NULL ptr & eof flag (-2 words) */
- buf->buflen = count - XDR_UNIT * 2;
+ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf);
+ buf->buflen -= XDR_UNIT * 2;
buf->pages = rqstp->rq_next_page;
rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index de282f3273c5..6c15d4ac52e8 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -182,6 +182,7 @@ nfsd_proc_read(struct svc_rqst *rqstp)
argp->count, argp->offset);
argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2);
+ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
v = 0;
len = argp->count;
@@ -561,12 +562,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
struct xdr_buf *buf = &resp->dirlist;
struct xdr_stream *xdr = &resp->xdr;
- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
-
memset(buf, 0, sizeof(*buf));
/* Reserve room for the NULL ptr & eof flag (-2 words) */
- buf->buflen = count - XDR_UNIT * 2;
+ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);
+ buf->buflen -= XDR_UNIT * 2;
buf->pages = rqstp->rq_next_page;
rqstp->rq_next_page++;
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 80431921e5d7..125f490147df 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -990,6 +990,8 @@ nfsd(void *vrqstp)
return 0;
}
+#include <linux/kpatch_cve_2022_43945.h>
+
/**
* nfsd_dispatch - Process an NFS or NFSACL Request
* @rqstp: incoming request
@@ -1011,7 +1013,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
*/
rqstp->rq_cachetype = proc->pc_cachetype;
- svcxdr_init_decode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);
if (!proc->pc_decode(rqstp, &rqstp->rq_arg_stream))
goto out_decode_err;
@@ -1028,7 +1030,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
* Need to grab the location to store the status, as
* NFSv4 does some encoding while processing
*/
- svcxdr_init_encode(rqstp);
+ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);
*statp = proc->pc_func(rqstp);
if (*statp == rpc_drop_reply || test_bit(RQ_DROPME, &rqstp->rq_flags))
diff --git a/include/linux/kpatch_cve_2022_43945.h b/include/linux/kpatch_cve_2022_43945.h
new file mode 100644
index 000000000000..d52392485a57
--- /dev/null
+++ b/include/linux/kpatch_cve_2022_43945.h
@@ -0,0 +1,53 @@
+#ifndef _KPATCH_CVE_2022_43945_H
+#define _KPATCH_CVE_2022_43945_H
+
+/*
+ * svcxdr_init_decode - Prepare an xdr_stream for Call decoding
+ * @rqstp: controlling server RPC transaction context
+ *
+ * This function currently assumes the RPC header in rq_arg has
+ * already been decoded. Upon return, xdr->p points to the
+ * location of the upper layer header.
+ */
+static inline void kpatch_cve_2022_43945_svcxdr_init_decode(struct svc_rqst *rqstp)
+{
+ struct xdr_stream *xdr = &rqstp->rq_arg_stream;
+ struct xdr_buf *buf = &rqstp->rq_arg;
+ struct kvec *argv = buf->head;
+
+ /*
+ * svc_getnl() and friends do not keep the xdr_buf's ::len
+ * field up to date. Refresh that field before initializing
+ * the argument decoding stream.
+ */
+ buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len;
+
+ xdr_init_decode(xdr, buf, argv->iov_base, NULL);
+ xdr_set_scratch_page(xdr, rqstp->rq_scratch_page);
+}
+
+/*
+ * svcxdr_init_encode - Prepare an xdr_stream for svc Reply encoding
+ * @rqstp: controlling server RPC transaction context
+ *
+ */
+static inline void kpatch_cve_2022_43945_svcxdr_init_encode(struct svc_rqst *rqstp)
+{
+ struct xdr_stream *xdr = &rqstp->rq_res_stream;
+ struct xdr_buf *buf = &rqstp->rq_res;
+ struct kvec *resv = buf->head;
+
+ xdr_reset_scratch_buffer(xdr);
+
+ xdr->buf = buf;
+ xdr->iov = resv;
+ xdr->p = resv->iov_base + resv->iov_len;
+ xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;
+ buf->len = resv->iov_len;
+ xdr->page_ptr = buf->pages - 1;
+ buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);
+ buf->buflen -= rqstp->rq_auth_slack;
+ xdr->rqst = NULL;
+}
+
+#endif /* _KPATCH_CVE_2022_43945_H */
--
2.39.0