* [PATCH 0/2] nfs: protect against corrupt packets and userdata
@ 2026-04-02 7:55 Sascha Hauer
2026-04-02 7:55 ` [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths Sascha Hauer
2026-04-02 7:55 ` [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets Sascha Hauer
0 siblings, 2 replies; 4+ messages in thread
From: Sascha Hauer @ 2026-04-02 7:55 UTC (permalink / raw)
To: BAREBOX; +Cc: Claude Opus 4.6 (1M context)
One patch protecting against a too long mount path and one against
truncated packets.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (2):
fs: nfs: fix stack and packet buffer overflows from long NFS paths
fs: nfs: fix NULL dereference in nfs_read_req on truncated packets
fs/nfs.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
---
base-commit: 0933e8f2ebf0d91dfcf177a4e4292b02921a53f1
change-id: 20260402-net-nfs-buffer-overflows-48255656eefe
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths 2026-04-02 7:55 [PATCH 0/2] nfs: protect against corrupt packets and userdata Sascha Hauer @ 2026-04-02 7:55 ` Sascha Hauer 2026-04-02 7:55 ` [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets Sascha Hauer 1 sibling, 0 replies; 4+ messages in thread From: Sascha Hauer @ 2026-04-02 7:55 UTC (permalink / raw) To: BAREBOX; +Cc: Claude Opus 4.6 (1M context) nfs_mount_req() and nfs_umount_req() copy the NFS mount path into a stack-allocated uint32_t data[1024] buffer (4096 bytes) with only ~40 bytes of RPC header overhead. A mount path longer than ~4056 characters overflows the stack array. Additionally, rpc_req() copies the data array into the PKTSIZE (1536) packet buffer with only 1494 bytes available for UDP payload. After the 28-byte RPC call header, paths longer than ~1424 characters overflow the packet buffer. Fix by: - Adding a path length check in nfs_mount_req() and nfs_umount_req() against the stack buffer capacity before constructing the request - Adding a payload size check in rpc_req() before the memcpy to the packet buffer, protecting all RPC callers from overflows Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --- fs/nfs.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/nfs.c b/fs/nfs.c index 0b40c56ff3..edc15e0ce6 100644 --- a/fs/nfs.c +++ b/fs/nfs.c @@ -534,6 +534,13 @@ static struct packet *rpc_req(struct nfs_priv *npriv, int rpc_prog, pkt.vers = hton32(3); } + if (sizeof(pkt) + datalen * sizeof(uint32_t) > + PKTSIZE - ETHER_HDR_SIZE - sizeof(struct iphdr) - sizeof(struct udphdr)) { + dev_err(dev, "RPC request too large (%zu bytes)\n", + sizeof(pkt) + datalen * sizeof(uint32_t)); + return ERR_PTR(-EMSGSIZE); + } + memcpy(payload, &pkt, sizeof(pkt)); memcpy(payload + sizeof(pkt), data, datalen * sizeof(uint32_t)); @@ -786,6 +793,11 @@ static int nfs_mount_req(struct nfs_priv *npriv) pathlen = strlen(npriv->path); + if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) { + dev_err(dev, "path too long (%d bytes)\n", pathlen); + return -ENAMETOOLONG; + } + dev_dbg(dev, "%s: %s\n", __func__, npriv->path); p = &(data[0]); @@ -862,6 +874,8 @@ static void nfs_umount_req(struct nfs_priv *npriv) struct packet *nfs_packet; pathlen = strlen(npriv->path); + if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) + return; p = &(data[0]); p = rpc_add_credentials(p); -- 2.47.3 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets 2026-04-02 7:55 [PATCH 0/2] nfs: protect against corrupt packets and userdata Sascha Hauer 2026-04-02 7:55 ` [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths Sascha Hauer @ 2026-04-02 7:55 ` Sascha Hauer 2026-04-02 10:39 ` Sascha Hauer 1 sibling, 1 reply; 4+ messages in thread From: Sascha Hauer @ 2026-04-02 7:55 UTC (permalink / raw) To: BAREBOX; +Cc: Claude Opus 4.6 (1M context) nfs_read_req() reads the data length (rlen) from the server's READ3res response and uses it to extract the payload via nfs_packet_read(). If a malicious server sends an rlen larger than the remaining packet data, nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL source pointer causes a NULL pointer dereference. Add a NULL check after nfs_packet_read() to catch truncated responses. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --- fs/nfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/nfs.c b/fs/nfs.c index edc15e0ce6..d42ef6bc86 100644 --- a/fs/nfs.c +++ b/fs/nfs.c @@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset, } p = nfs_packet_read(nfs_packet, rlen); + if (!p) { + ret = -EINVAL; + goto err_free_packet; + } kfifo_put(priv->fifo, (char *)p, rlen); -- 2.47.3 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets 2026-04-02 7:55 ` [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets Sascha Hauer @ 2026-04-02 10:39 ` Sascha Hauer 0 siblings, 0 replies; 4+ messages in thread From: Sascha Hauer @ 2026-04-02 10:39 UTC (permalink / raw) To: BAREBOX; +Cc: Claude Opus 4.6 (1M context) On Thu, Apr 02, 2026 at 09:55:24AM +0200, Sascha Hauer wrote: > nfs_read_req() reads the data length (rlen) from the server's READ3res > response and uses it to extract the payload via nfs_packet_read(). If a > malicious server sends an rlen larger than the remaining packet data, > nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL > source pointer causes a NULL pointer dereference. > > Add a NULL check after nfs_packet_read() to catch truncated responses. > > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Fixes: 5be38817bc77 ("fs: nfs: do not read past packets") Sascha > --- > fs/nfs.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/nfs.c b/fs/nfs.c > index edc15e0ce6..d42ef6bc86 100644 > --- a/fs/nfs.c > +++ b/fs/nfs.c > @@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset, > } > > p = nfs_packet_read(nfs_packet, rlen); > + if (!p) { > + ret = -EINVAL; > + goto err_free_packet; > + } > > kfifo_put(priv->fifo, (char *)p, rlen); > > > -- > 2.47.3 > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-02 10:39 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2026-04-02 7:55 [PATCH 0/2] nfs: protect against corrupt packets and userdata Sascha Hauer 2026-04-02 7:55 ` [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths Sascha Hauer 2026-04-02 7:55 ` [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets Sascha Hauer 2026-04-02 10:39 ` Sascha Hauer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox