[PATCH 2/2] sunrpc: add bounds checking to svc_rqst_replace_page

[PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Jeff Layton <jlayton@kernel.org> · 2023-03-17
[PATCH 2/2] sunrpc: add bounds checking to svc_rqst_replace_page · Jeff Layton <jlayton@kernel.org> · 2023-03-17
Re: [PATCH 2/2] sunrpc: add bounds checking to svc_rqst_replace_page · Chuck Lever III <chuck.lever@oracle.com> · 2023-03-17
Re: [PATCH 2/2] sunrpc: add bounds checking to svc_rqst_replace_page · Jeff Layton <jlayton@kernel.org> · 2023-03-17
Re: [PATCH 2/2] sunrpc: add bounds checking to svc_rqst_replace_page · Chuck Lever III <chuck.lever@oracle.com> · 2023-03-17
Re: [PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Jeff Layton <jlayton@kernel.org> · 2023-03-17
Re: [PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Chuck Lever III <chuck.lever@oracle.com> · 2023-03-17
Re: [PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Jeff Layton <jlayton@kernel.org> · 2023-03-17
Re: [PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Chuck Lever III <chuck.lever@oracle.com> · 2023-03-17
Re: [PATCH 1/2] nfsd: don't replace page in rq_pages if it's a continuation of last page · Jeff Layton <jlayton@kernel.org> · 2023-03-17

STALE1185d

From: Jeff Layton <jlayton@kernel.org>
Date: 2023-03-17 10:56:17
Subsystem: kernel nfsd, sunrpc, and lockd servers, networking [general], nfs, sunrpc, and lockd clients, the rest · Maintainers: Chuck Lever, Jeff Layton, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Trond Myklebust, Anna Schumaker, Linus Torvalds

There's no good way to handle this gracefully, but if rq_next_page ends
up pointing outside the array, we can at least crash the box before it
scribbles over too much else.

Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 net/sunrpc/svc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index fea7ce8fba14..864e62945647 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c

@@ -845,6 +845,16 @@ EXPORT_SYMBOL_GPL(svc_set_num_threads);
  */
 void svc_rqst_replace_page(struct svc_rqst *rqstp, struct page *page)
 {
+	struct page **begin, **end;
+
+	/*
+	 * Bounds check: make sure rq_next_page points into the rq_respages
+	 * part of the array.
+	 */
+	begin = rqstp->rq_pages;
+	end = &rqstp->rq_pages[RPCSVC_MAXPAGES];
+	BUG_ON(rqstp->rq_next_page < begin || rqstp->rq_next_page > end);
+
 	if (*rqstp->rq_next_page) {
 		if (!pagevec_space(&rqstp->rq_pvec))
 			__pagevec_release(&rqstp->rq_pvec);

-- 
2.39.2

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help