From 9b4bc5423447796134efeabaf76fbd669428a028 Mon Sep 17 00:00:00 2001

From: Yannick Cote <ycote@redhat.com>

Date: Fri, 2 Dec 2022 12:58:38 -0500

Subject: [KPATCH CVE-2022-43945] kpatch fixes for CVE-2022-43945

Kernels:

4.18.0-425.3.1.el8

4.18.0-425.10.1.el8_7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/76

Approved-by: Joe Lawrence (@joe.lawrence)

Changes since last build:

arches: x86_64 ppc64le

callback_xdr.o: changed function: nfs_callback_dispatch

mremap.o: changed function: move_page_tables

nfs3proc.o: changed function: nfsd3_init_dirlist_pages

nfs3proc.o: changed function: nfsd3_proc_read

nfsproc.o: changed function: nfsd_proc_read

nfsproc.o: changed function: nfsd_proc_readdir

nfssvc.o: changed function: nfsd_dispatch

svc.o: changed function: nlmsvc_dispatch

---------------------------

Modifications:

- Take out modifications to header routines and roll new kpatch versions

  of them to be included at all call sites.

- Wrapped new routines: svcxdr_init_decode(), svcxdr_init_encode()

commit e608b2dbbb132ebed6b63967b0915159cdf52ce4

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:47 2022 -0500

    SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: 804daece339d51a00b7b466cc648139009b1c0fb

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:09:53 2022 -0400

        SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation

        Ensure that stream-based argument decoding can't go past the actual

        end of the receive buffer. xdr_init_decode's calculation of the

        value of xdr->end over-estimates the end of the buffer because the

        Linux kernel RPC server code does not remove the size of the RPC

        header from rqstp->rq_arg before calling the upper layer's

        dispatcher.

        The server-side still uses the svc_getnl() macros to decode the

        RPC call header. These macros reduce the length of the head iov

        but do not update the total length of the message in the buffer

        (buf->len).

        A proper fix for this would be to replace the use of svc_getnl() and

        friends in the RPC header decoder, but that would be a large and

        invasive change that would be difficult to backport.

        Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side")

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

commit c43d2ebcf1b3893e044ee76490cbc225212dcd09

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:47 2022 -0500

    SUNRPC: Fix svcxdr_init_encode's buflen calculation

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: 0dfe425436b4e11f1cd68ed8cbf4a8c4276d47c6

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:09:59 2022 -0400

        SUNRPC: Fix svcxdr_init_encode's buflen calculation

        Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")

        added an explicit computation of the remaining length in the rq_res

        XDR buffer.

        The computation appears to suffer from an "off-by-one" bug. Because

        buflen is too large by one page, XDR encoding can run off the end of

        the send buffer by eventually trying to use the struct page address

        in rq_page_end, which always contains NULL.

        Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

commit 2c36509ef08d24a538bca8369ec0e88420813c3b

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:47 2022 -0500

    NFSD: Protect against send buffer overflow in NFSv2 READDIR

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: f4e8bb36f1ddd7d2111db324154793c7c6d3cad1

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit 00b4492686e0497fdb924a9d4c8f6f99377e176c

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:10:05 2022 -0400

        NFSD: Protect against send buffer overflow in NFSv2 READDIR

        Restore the previous limit on the @count argument to prevent a

        buffer overflow attack.

        Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow")

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

commit e7f5ff9960dd6667538bf642a42168473e1d987d

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:47 2022 -0500

    NFSD: Protect against send buffer overflow in NFSv3 READDIR

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: c33579e1e26c423888888482a0e1ca9a0980f292

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:10:12 2022 -0400

        NFSD: Protect against send buffer overflow in NFSv3 READDIR

        Since before the git era, NFSD has conserved the number of pages

        held by each nfsd thread by combining the RPC receive and send

        buffers into a single array of pages. This works because there are

        no cases where an operation needs a large RPC Call message and a

        large RPC Reply message at the same time.

        Once an RPC Call has been received, svc_process() updates

        svc_rqst::rq_res to describe the part of rq_pages that can be

        used for constructing the Reply. This means that the send buffer

        (rq_res) shrinks when the received RPC record containing the RPC

        Call is large.

        A client can force this shrinkage on TCP by sending a correctly-

        formed RPC Call header contained in an RPC record that is

        excessively large. The full maximum payload size cannot be

        constructed in that case.

        Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this

        issue.

        Reported-by: Ben Ronallo <Benjamin.Ronallo@synopsys.com>

        Cc: <stable@vger.kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

commit be58a0f8fe047e3cbc9891133b34cd323d01f8e3

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:47 2022 -0500

    NFSD: Protect against send buffer overflow in NFSv2 READ

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: 436325d0734d253f50a547b842a95ed4bb752ae3

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit 401bc1f90874280a80b93f23be33a0e7e2d1f912

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:10:18 2022 -0400

        NFSD: Protect against send buffer overflow in NFSv2 READ

        Since before the git era, NFSD has conserved the number of pages

        held by each nfsd thread by combining the RPC receive and send

        buffers into a single array of pages. This works because there are

        no cases where an operation needs a large RPC Call message and a

        large RPC Reply at the same time.

        Once an RPC Call has been received, svc_process() updates

        svc_rqst::rq_res to describe the part of rq_pages that can be

        used for constructing the Reply. This means that the send buffer

        (rq_res) shrinks when the received RPC record containing the RPC

        Call is large.

        A client can force this shrinkage on TCP by sending a correctly-

        formed RPC Call header contained in an RPC record that is

        excessively large. The full maximum payload size cannot be

        constructed in that case.

        Cc: <stable@vger.kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

commit b0be04c547fb3f2c98bda81f9f93e68dfdcad398

Author: Scott Mayhew <smayhew@redhat.com>

Date:   Thu Nov 10 13:46:46 2022 -0500

    NFSD: Protect against send buffer overflow in NFSv3 READ

    Bugzilla: https://bugzilla.redhat.com/2143172

    CVE: CVE-2022-43945

    Y-Commit: cc970cde839098c5dd3d1dd013620ca972d4c9db

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774

    O-CVE: CVE-2022-43945

    commit fa6be9cc6e80ec79892ddf08a8c10cabab9baf38

    Author: Chuck Lever <chuck.lever@oracle.com>

    Date:   Thu Sep 1 15:10:24 2022 -0400

        NFSD: Protect against send buffer overflow in NFSv3 READ

        Since before the git era, NFSD has conserved the number of pages

        held by each nfsd thread by combining the RPC receive and send

        buffers into a single array of pages. This works because there are

        no cases where an operation needs a large RPC Call message and a

        large RPC Reply at the same time.

        Once an RPC Call has been received, svc_process() updates

        svc_rqst::rq_res to describe the part of rq_pages that can be

        used for constructing the Reply. This means that the send buffer

        (rq_res) shrinks when the received RPC record containing the RPC

        Call is large.

        A client can force this shrinkage on TCP by sending a correctly-

        formed RPC Call header contained in an RPC record that is

        excessively large. The full maximum payload size cannot be

        constructed in that case.

        Cc: <stable@vger.kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

        Reviewed-by: Jeff Layton <jlayton@kernel.org>

        Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

    Signed-off-by: Scott Mayhew <smayhew@redhat.com>

    Signed-off-by: Jarod Wilson <jarod@redhat.com>

Signed-off-by: Yannick Cote <ycote@redhat.com>

---

 fs/lockd/svc.c                        |  6 ++-

 fs/nfs/callback_xdr.c                 |  6 ++-

 fs/nfsd/nfs3proc.c                    | 11 +++---

 fs/nfsd/nfsproc.c                     |  6 +--

 fs/nfsd/nfssvc.c                      |  6 ++-

 include/linux/kpatch_cve_2022_43945.h | 53 +++++++++++++++++++++++++++

 6 files changed, 74 insertions(+), 14 deletions(-)

 create mode 100644 include/linux/kpatch_cve_2022_43945.h

diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c

index 31fd841010c2..13f3813b38a8 100644

--- a/fs/lockd/svc.c

+++ b/fs/lockd/svc.c

@@ -767,6 +767,8 @@ static void __exit exit_nlm(void)

 module_init(init_nlm);

 module_exit(exit_nlm);

+#include <linux/kpatch_cve_2022_43945.h>

+

 /**

  * nlmsvc_dispatch - Process an NLM Request

  * @rqstp: incoming request

@@ -780,7 +782,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp)

 {

 	const struct svc_procedure *procp = rqstp->rq_procinfo;

-	svcxdr_init_decode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);

 	if (!procp->pc_decode(rqstp, &rqstp->rq_arg_stream))

 		goto out_decode_err;

@@ -790,7 +792,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp)

 	if (*statp != rpc_success)

 		return 1;

-	svcxdr_init_encode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);

 	if (!procp->pc_encode(rqstp, &rqstp->rq_res_stream))

 		goto out_encode_err;

diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c

index a67c41ec545f..9438f91b9c2d 100644

--- a/fs/nfs/callback_xdr.c

+++ b/fs/nfs/callback_xdr.c

@@ -983,13 +983,15 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp)

 	return rpc_success;

 }

+#include <linux/kpatch_cve_2022_43945.h>

+

 static int

 nfs_callback_dispatch(struct svc_rqst *rqstp, __be32 *statp)

 {

 	const struct svc_procedure *procp = rqstp->rq_procinfo;

-	svcxdr_init_decode(rqstp);

-	svcxdr_init_encode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);

 	*statp = procp->pc_func(rqstp);

 	return 1;

diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c

index f1d81704d5bd..233f07958b09 100644

--- a/fs/nfsd/nfs3proc.c

+++ b/fs/nfsd/nfs3proc.c

@@ -146,7 +146,6 @@ nfsd3_proc_read(struct svc_rqst *rqstp)

 {

 	struct nfsd3_readargs *argp = rqstp->rq_argp;

 	struct nfsd3_readres *resp = rqstp->rq_resp;

-	u32 max_blocksize = svc_max_payload(rqstp);

 	unsigned int len;

 	int v;

@@ -155,7 +154,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp)

 				(unsigned long) argp->count,

 				(unsigned long long) argp->offset);

-	argp->count = min_t(u32, argp->count, max_blocksize);

+	argp->count = min_t(u32, argp->count, svc_max_payload(rqstp));

+	argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);

 	if (argp->offset > (u64)OFFSET_MAX)

 		argp->offset = (u64)OFFSET_MAX;

 	if (argp->offset + argp->count > (u64)OFFSET_MAX)

@@ -451,13 +451,14 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,

 {

 	struct xdr_buf *buf = &resp->dirlist;

 	struct xdr_stream *xdr = &resp->xdr;

-

-	count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));

+	unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen,

+				     svc_max_payload(rqstp));

 	memset(buf, 0, sizeof(*buf));

 	/* Reserve room for the NULL ptr & eof flag (-2 words) */

-	buf->buflen = count - XDR_UNIT * 2;

+	buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf);

+	buf->buflen -= XDR_UNIT * 2;

 	buf->pages = rqstp->rq_next_page;

 	rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;

diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c

index e4b0e0e6d1bc..87d0c443767c 100644

--- a/fs/nfsd/nfsproc.c

+++ b/fs/nfsd/nfsproc.c

@@ -182,6 +182,7 @@ nfsd_proc_read(struct svc_rqst *rqstp)

 		argp->count, argp->offset);

 	argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2);

+	argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);

 	v = 0;

 	len = argp->count;

@@ -561,12 +562,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,

 	struct xdr_buf *buf = &resp->dirlist;

 	struct xdr_stream *xdr = &resp->xdr;

-	count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));

-

 	memset(buf, 0, sizeof(*buf));

 	/* Reserve room for the NULL ptr & eof flag (-2 words) */

-	buf->buflen = count - XDR_UNIT * 2;

+	buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);

+	buf->buflen -= XDR_UNIT * 2;

 	buf->pages = rqstp->rq_next_page;

 	rqstp->rq_next_page++;

diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c

index c3c5613c29a8..b9aaf205ec0f 100644

--- a/fs/nfsd/nfssvc.c

+++ b/fs/nfsd/nfssvc.c

@@ -985,6 +985,8 @@ nfsd(void *vrqstp)

 	return 0;

 }

+#include <linux/kpatch_cve_2022_43945.h>

+

 /**

  * nfsd_dispatch - Process an NFS or NFSACL Request

  * @rqstp: incoming request

@@ -1006,7 +1008,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)

 	 */

 	rqstp->rq_cachetype = proc->pc_cachetype;

-	svcxdr_init_decode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_decode(rqstp);

 	if (!proc->pc_decode(rqstp, &rqstp->rq_arg_stream))

 		goto out_decode_err;

@@ -1023,7 +1025,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)

 	 * Need to grab the location to store the status, as

 	 * NFSv4 does some encoding while processing

 	 */

-	svcxdr_init_encode(rqstp);

+	kpatch_cve_2022_43945_svcxdr_init_encode(rqstp);

 	*statp = proc->pc_func(rqstp);

 	if (*statp == rpc_drop_reply || test_bit(RQ_DROPME, &rqstp->rq_flags))

diff --git a/include/linux/kpatch_cve_2022_43945.h b/include/linux/kpatch_cve_2022_43945.h

new file mode 100644

index 000000000000..d52392485a57

--- /dev/null

+++ b/include/linux/kpatch_cve_2022_43945.h

@@ -0,0 +1,53 @@

+#ifndef _KPATCH_CVE_2022_43945_H

+#define _KPATCH_CVE_2022_43945_H

+

+/*

+ * svcxdr_init_decode - Prepare an xdr_stream for Call decoding

+ * @rqstp: controlling server RPC transaction context

+ *

+ * This function currently assumes the RPC header in rq_arg has

+ * already been decoded. Upon return, xdr->p points to the

+ * location of the upper layer header.

+ */

+static inline void kpatch_cve_2022_43945_svcxdr_init_decode(struct svc_rqst *rqstp)

+{

+	struct xdr_stream *xdr = &rqstp->rq_arg_stream;

+	struct xdr_buf *buf = &rqstp->rq_arg;

+	struct kvec *argv = buf->head;

+

+	/*

+	 * svc_getnl() and friends do not keep the xdr_buf's ::len

+	 * field up to date. Refresh that field before initializing

+	 * the argument decoding stream.

+	 */

+	buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len;

+

+	xdr_init_decode(xdr, buf, argv->iov_base, NULL);

+	xdr_set_scratch_page(xdr, rqstp->rq_scratch_page);

+}

+

+/*

+ * svcxdr_init_encode - Prepare an xdr_stream for svc Reply encoding

+ * @rqstp: controlling server RPC transaction context

+ *

+ */

+static inline void kpatch_cve_2022_43945_svcxdr_init_encode(struct svc_rqst *rqstp)

+{

+	struct xdr_stream *xdr = &rqstp->rq_res_stream;

+	struct xdr_buf *buf = &rqstp->rq_res;

+	struct kvec *resv = buf->head;

+

+	xdr_reset_scratch_buffer(xdr);

+

+	xdr->buf = buf;

+	xdr->iov = resv;

+	xdr->p   = resv->iov_base + resv->iov_len;

+	xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;

+	buf->len = resv->iov_len;

+	xdr->page_ptr = buf->pages - 1;

+	buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);

+	buf->buflen -= rqstp->rq_auth_slack;

+	xdr->rqst = NULL;

+}

+

+#endif /* _KPATCH_CVE_2022_43945_H */

-- 

2.39.1