Message ID | 20221111134830.879929-6-cascardo@canonical.com |
---|---|
State | New |
Headers | show
Return-Path: <kernel-team-bounces@lists.ubuntu.com> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=JFKws6r2; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4N80Ry5rZQz23mY for <incoming@patchwork.ozlabs.org>; Sat, 12 Nov 2022 00:49:18 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from <kernel-team-bounces@lists.ubuntu.com>) id 1otUPA-0005cp-B8; Fri, 11 Nov 2022 13:49:12 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from <cascardo@canonical.com>) id 1otUP9-0005a4-6I for kernel-team@lists.ubuntu.com; Fri, 11 Nov 2022 13:49:11 +0000 Received: from quatroqueijos.. (unknown [179.93.206.76]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id AB1DD422AC for <kernel-team@lists.ubuntu.com>; Fri, 11 Nov 2022 13:49:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1668174546; bh=ZZFhtnTjhwaAzX6C3YZw+3R0gple9Y/YXsxNPn9Oxpc=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=JFKws6r2EitsciaPixK7KaKwJn4WjJNxhnA5ekyf2YShHu3GiOWXdXXumqrGBovDD UVOPJHkLJLU9bdfl3BHP5j1iWACtWVsd97r562EypxPyo+0yD0+mV3q8VOD/8hgho6 7v/Fsnsh4P6IXfTGimUrhbnK8DqzjAi/dsfhWMNuzELAyhlQpx02Zb5n/fi/cTyR+8 3ZotxM6zstdBiQgGGAKlO/A6yTFW6S1cN7V4nBmp8XFw4Q0SX7ailRSRTiIX0UtCLO geR1F6eoU2q2L3hCjg9CYm9PQtCdm9hu0lnb4c/k2WE0uI6pP7VYnJcG7HxG4wB/Cz XyccEV7j1jJIA== From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU J/K/HWE-5.17/OEM-5.14 5/8] NFSD: Protect against send buffer overflow in NFSv2 READ Date: Fri, 11 Nov 2022 10:48:27 -0300 Message-Id: <20221111134830.879929-6-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221111134830.879929-1-cascardo@canonical.com> References: <20221111134830.879929-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com> List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe> List-Archive: <https://lists.ubuntu.com/archives/kernel-team> List-Post: <mailto:kernel-team@lists.ubuntu.com> List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help> List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com> |
Series |
CVE-2022-43945 - NFSD buffer overflow
|
expand
|
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c index 346639fea76a..f65eba938a57 100644 --- a/fs/nfsd/nfsproc.c +++ b/fs/nfsd/nfsproc.c @@ -182,6 +182,7 @@ nfsd_proc_read(struct svc_rqst *rqstp) argp->count, argp->offset); argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2); + argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen); v = 0; len = argp->count;