From d9bac0b9d612ee6c0836da7fad31d36429301a30 Mon Sep 17 00:00:00 2001
From: NeilBrown
Date: Mar 20 2024 01:32:39 +0000
Subject: NFSD: fix nfsd4_listxattr_validate_cookie (git-fixes).
---
diff --git a/patches.suse/NFSD-fix-nfsd4_listxattr_validate_cookie.patch b/patches.suse/NFSD-fix-nfsd4_listxattr_validate_cookie.patch
new file mode 100644
index 0000000..803d27a
--- /dev/null
+++ b/patches.suse/NFSD-fix-nfsd4_listxattr_validate_cookie.patch
@@ -0,0 +1,47 @@
+From: Jorge Mora
+Date: Thu, 25 Jan 2024 07:46:54 -0700
+Subject: [PATCH] NFSD: fix nfsd4_listxattr_validate_cookie
+Git-commit: 52a357db8074e18aa51085a8c8d8af7057dffa11
+Patch-mainline: v6.9-rc1
+References: git-fixes
+
+If LISTXATTRS is sent with a correct cookie but a small maxcount,
+this could lead function nfsd4_listxattr_validate_cookie to
+return NFS4ERR_BAD_COOKIE. If maxcount = 20, then second check
+on function gives RHS = 3 thus any cookie larger than 3 returns
+NFS4ERR_BAD_COOKIE.
+
+There is no need to validate the cookie on the return XDR buffer
+since attribute referenced by cookie will be the first in the
+return buffer.
+
+Fixes: 23e50fe3a5e6 ("nfsd: implement the xattr functions and en/decode logic")
+Signed-off-by: Jorge Mora
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Acked-by: NeilBrown
+
+---
+ fs/nfsd/nfs4xdr.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -5032,16 +5032,11 @@ nfsd4_listxattr_validate_cookie(struct n
+
+ /*
+ * If the cookie is larger than the maximum number we can fit
+- * in either the buffer we just got back from vfs_listxattr, or,
+- * XDR-encoded, in the return buffer, it's invalid.
++ * in the buffer we just got back from vfs_listxattr, it's invalid.
+ */
+ if (cookie > (listxattrs->lsxa_len) / (XATTR_USER_PREFIX_LEN + 2))
+ return nfserr_badcookie;
+
+- if (cookie > (listxattrs->lsxa_maxcount /
+- (XDR_QUADLEN(XATTR_USER_PREFIX_LEN + 2) + 4)))
+- return nfserr_badcookie;
+-
+ *offsetp = (u32)cookie;
+ return 0;
+ }
diff --git a/series.conf b/series.conf
index f968bb7..2f28bec 100644
--- a/series.conf
+++ b/series.conf
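Review bot: The rewritten comment in nfsd4_listxattr_validate_cookie explains the remaining `lsxa_len` bound but not why the client's reply-size limit is no longer consulted. That bound is now the only check on a client-supplied cookie before it is narrowed by `*offsetp = (u32)cookie;`. I would add a sentence to the comment such as `* lsxa_maxcount is deliberately not checked here: the entry named by the cookie is the first one encoded, so the reply-size limit is left to the encoder.` and a second noting that the `lsxa_len` check is what keeps the `(u32)` cast lossless, so a later cleanup does not drop it. Whether the encoder really rejects a maxcount too small for even one entry is not visible in this hunk and should be confirmed against the encode path. The function body starts outside the hunk.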
@@ -45588,6 +45588,7 @@
 patches.suse/arm64-dts-imx8mm-venice-gw71xx-fix-USB-OTG-VBUS-2.patch
 patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch
 patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
+ patches.suse/NFSD-fix-nfsd4_listxattr_validate_cookie.patch
 patches.suse/doc-guide-kernel-doc-tell-about-object-like-macros.patch
 patches.suse/wifi-b43-Stop-wake-correct-queue-in-DMA-Tx-path-when.patch
 patches.suse/wifi-b43-Stop-wake-correct-queue-in-PIO-Tx-path-when.patch