[UBUNTU,B,F,0/1] CVE-2022-43945

Message ID 20221214163721.570055-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo Dec. 14, 2022, 4:37 p.m. UTC
[Impact]
A remote user may cause an out-of-bounds access on an NFS server.

The other fixes for this vulnerability were either:

1) not applicable, since they were fixing newer commits not present
   on 5.4 or 4.15.
2) only affected NFSv2 or NFSv3, but those were mitigated by function
   nfs_request_too_big, which was removed around 5.8.

[Testing]
A smoke test was done by mounting a localhost NFS server using -o nfsvers=4.

A PoC was built but did not manage to trigger any oops.

[Potential regression]
NFS servers might break.

Chuck Lever (1):
  NFSD: Cap rsize_bop result based on send buffer size

 fs/nfsd/nfs4proc.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

Comments

Tim Gardner Dec. 14, 2022, 5:15 p.m. UTC | #1
On 12/14/22 9:37 AM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A remote user may cause an out-of-bounds access on an NFS server.
> 
> The other fixes for this vulnerability were either:
> 
> 1) not applicable, since they were fixing newer commits not present
>     on 5.4 or 4.15.
> 2) only affected NFSv2 or NFSv3, but those were mitigated by function
>     nfs_request_too_big, which was removed around 5.8.
> 
> [Testing]
> A smoke test was done by mounting a localhost NFS server using -o nfsvers=4.
> 
> A PoC was built but did not manage to trigger any oops.
> 
> [Potential regression]
> NFS servers might break.
> 
> Chuck Lever (1):
>    NFSD: Cap rsize_bop result based on send buffer size
> 
>   fs/nfsd/nfs4proc.c | 35 +++++++++++++++++++++--------------
>   1 file changed, 21 insertions(+), 14 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Cengiz Can Dec. 14, 2022, 10:03 p.m. UTC | #2
On Wed, 2022-12-14 at 13:37 -0300, Thadeu Lima de Souza Cascardo wrote:
> Chuck Lever (1):
>   NFSD: Cap rsize_bop result based on send buffer size

Acked-by: Cengiz Can <cengiz.can@canonical.com>

Luke Nowakowski-Krijger Jan. 5, 2023, 3:53 a.m. UTC | #3
Applied to bionic:linux master-next

Thanks!
- Luke

On Wed, Dec 14, 2022 at 8:39 AM Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:

> [Impact]
> A remote user may cause an out-of-bounds access on an NFS server.
>
> The other fixes for this vulnerability were either:
>
> 1) not applicable, since they were fixing newer commits not present
>    on 5.4 or 4.15.
> 2) only affected NFSv2 or NFSv3, but those were mitigated by function
>    nfs_request_too_big, which was removed around 5.8.
>
> [Testing]
> A smoke test was done by mounting a localhost NFS server using -o
> nfsvers=4.
>
> A PoC was built but did not manage to trigger any oops.
>
> [Potential regression]
> NFS servers might break.
>
> Chuck Lever (1):
>   NFSD: Cap rsize_bop result based on send buffer size
>
>  fs/nfsd/nfs4proc.c | 35 +++++++++++++++++++++--------------
>  1 file changed, 21 insertions(+), 14 deletions(-)
>
> --
> 2.34.1