ecc7638919
[ Upstream commit 6930bcbfb6ceda63e298c6af6d733ecdf6bd4cde ] lockd doesn't currently vet the start and length in nlm4 requests like it should, and can end up generating lock requests with arguments that overflow when passed to the filesystem. The NLM4 protocol uses unsigned 64-bit arguments for both start and length, whereas struct file_lock tracks the start and end as loff_t values. By the time we get around to calling nlm4svc_retrieve_args, we've lost the information that would allow us to determine if there was an overflow. Start tracking the actual start and len for NLM4 requests in the nlm_lock. In nlm4svc_retrieve_args, vet these values to ensure they won't cause an overflow, and return NLM4_FBIG if they do. Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=392 Reported-by: Jan Kasiak <j.kasiak@gmail.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Cc: <stable@vger.kernel.org> # 5.14+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
116 lines
2.9 KiB
C
Executable file
116 lines
2.9 KiB
C
Executable file
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* linux/include/linux/lockd/xdr.h
|
|
*
|
|
* XDR types for the NLM protocol
|
|
*
|
|
* Copyright (C) 1996 Olaf Kirch <okir@monad.swb.de>
|
|
*/
|
|
|
|
#ifndef LOCKD_XDR_H
|
|
#define LOCKD_XDR_H
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/nfs.h>
|
|
#include <linux/sunrpc/xdr.h>
|
|
|
|
#define SM_MAXSTRLEN 1024
|
|
#define SM_PRIV_SIZE 16
|
|
|
|
struct nsm_private {
|
|
unsigned char data[SM_PRIV_SIZE];
|
|
};
|
|
|
|
struct svc_rqst;
|
|
|
|
#define NLM_MAXCOOKIELEN 32
|
|
#define NLM_MAXSTRLEN 1024
|
|
|
|
#define nlm_granted cpu_to_be32(NLM_LCK_GRANTED)
|
|
#define nlm_lck_denied cpu_to_be32(NLM_LCK_DENIED)
|
|
#define nlm_lck_denied_nolocks cpu_to_be32(NLM_LCK_DENIED_NOLOCKS)
|
|
#define nlm_lck_blocked cpu_to_be32(NLM_LCK_BLOCKED)
|
|
#define nlm_lck_denied_grace_period cpu_to_be32(NLM_LCK_DENIED_GRACE_PERIOD)
|
|
|
|
#define nlm_drop_reply cpu_to_be32(30000)
|
|
|
|
/* Lock info passed via NLM */
|
|
struct nlm_lock {
|
|
char * caller;
|
|
unsigned int len; /* length of "caller" */
|
|
struct nfs_fh fh;
|
|
struct xdr_netobj oh;
|
|
u32 svid;
|
|
u64 lock_start;
|
|
u64 lock_len;
|
|
struct file_lock fl;
|
|
};
|
|
|
|
/*
|
|
* NLM cookies. Technically they can be 1K, but Linux only uses 8 bytes.
|
|
* FreeBSD uses 16, Apple Mac OS X 10.3 uses 20. Therefore we set it to
|
|
* 32 bytes.
|
|
*/
|
|
|
|
struct nlm_cookie
|
|
{
|
|
unsigned char data[NLM_MAXCOOKIELEN];
|
|
unsigned int len;
|
|
};
|
|
|
|
/*
|
|
* Generic lockd arguments for all but sm_notify
|
|
*/
|
|
struct nlm_args {
|
|
struct nlm_cookie cookie;
|
|
struct nlm_lock lock;
|
|
u32 block;
|
|
u32 reclaim;
|
|
u32 state;
|
|
u32 monitor;
|
|
u32 fsm_access;
|
|
u32 fsm_mode;
|
|
};
|
|
|
|
typedef struct nlm_args nlm_args;
|
|
|
|
/*
|
|
* Generic lockd result
|
|
*/
|
|
struct nlm_res {
|
|
struct nlm_cookie cookie;
|
|
__be32 status;
|
|
struct nlm_lock lock;
|
|
};
|
|
|
|
/*
|
|
* statd callback when client has rebooted
|
|
*/
|
|
struct nlm_reboot {
|
|
char *mon;
|
|
unsigned int len;
|
|
u32 state;
|
|
struct nsm_private priv;
|
|
};
|
|
|
|
/*
|
|
* Contents of statd callback when monitored host rebooted
|
|
*/
|
|
#define NLMSVC_XDRSIZE sizeof(struct nlm_args)
|
|
|
|
bool nlmsvc_decode_void(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_testargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_lockargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_cancargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_unlockargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_res(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_reboot(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_shareargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_decode_notify(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
|
|
bool nlmsvc_encode_testres(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_encode_res(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_encode_void(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
bool nlmsvc_encode_shareres(struct svc_rqst *rqstp, struct xdr_stream *xdr);
|
|
|
|
#endif /* LOCKD_XDR_H */
|