linux/fs/nfsd
Chuck Lever fc788f64f1 nfsd: Limit end of page list when decoding NFSv4 WRITE
When processing an NFSv4 WRITE operation, argp->end should never
point past the end of the data in the final page of the page list.
Otherwise, nfsd4_decode_compound can walk into uninitialized memory.

More critical, nfsd4_decode_write is failing to increment argp->pagelen
when it increments argp->pagelist.  This can cause later xdr decoders
to assume more data is available than really is, which can cause server
crashes on malformed requests.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-08-24 18:05:30 -04:00
..
acl.h
auth.c cred: simpler, 1D supplementary groups 2016-10-07 18:46:30 -07:00
auth.h
blocklayout.c block: Make most scsi_req_init() calls implicit 2017-06-20 19:27:14 -06:00
blocklayoutxdr.c Highlights: 2016-08-04 19:59:06 -04:00
blocklayoutxdr.h
cache.h
current_stateid.h nfsd4: properly type op_get_currentstateid callbacks 2017-05-15 17:42:27 +02:00
export.c nfsd: namespace-prefix uuid_parse 2017-06-05 16:56:38 +02:00
export.h
fault_inject.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
flexfilelayout.c nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
flexfilelayoutxdr.c
flexfilelayoutxdr.h
idmap.h
Kconfig block: make scsi_request and scsi ioctl support optional 2017-01-31 10:53:05 -07:00
lockd.c
Makefile
netns.h netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nfs2acl.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3acl.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3proc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3xdr.c nfsd4: factor ctime into change attribute 2017-07-12 15:55:00 -04:00
nfs4acl.c
nfs4callback.c nfsd: Fix a memory scribble in the callback channel 2017-07-17 13:15:06 -04:00
nfs4idmap.c nfsd/idmap: return nfserr_inval for 0-length names 2017-02-17 16:25:59 -05:00
nfs4layouts.c driver core patches for 4.11-rc1 2017-02-22 11:44:32 -08:00
nfs4proc.c Linux 4.12-rc5 2017-06-28 13:34:15 -04:00
nfs4recover.c
nfs4state.c nfsd4: properly type op_func callbacks 2017-05-15 17:42:29 +02:00
nfs4xdr.c nfsd: Limit end of page list when decoding NFSv4 WRITE 2017-08-24 18:05:30 -04:00
nfscache.c lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
nfsctl.c fs: constify tree_descr arrays passed to simple_fill_super() 2017-04-26 23:54:06 -04:00
nfsd.h sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfsfh.c nfsd: check d_can_lookup in fh_verify of directories 2016-08-04 17:11:48 -04:00
nfsfh.h nfsd4: factor ctime into change attribute 2017-07-12 15:55:00 -04:00
nfsproc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfssvc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfsxdr.c Linux 4.12-rc5 2017-06-28 13:34:15 -04:00
pnfs.h nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
state.h nfsd/callback: Cleanup callback cred on shutdown 2017-02-17 16:26:00 -05:00
stats.c
stats.h
trace.c
trace.h
vfs.c Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 14:35:57 -07:00
vfs.h statx: Add a system call to make enhanced file info available 2017-03-02 20:51:15 -05:00
xdr3.h sunrpc: properly type pc_encode callbacks 2017-05-15 17:42:25 +02:00
xdr4.h nfsd4: properly type op_func callbacks 2017-05-15 17:42:29 +02:00
xdr4cb.h nfsd: plumb in a CB_NOTIFY_LOCK operation 2016-09-26 15:20:35 -04:00
xdr.h sunrpc: properly type pc_encode callbacks 2017-05-15 17:42:25 +02:00