Commit 92661b89 authored Feb 27, 2025 by Dan Carpenter Committed by Li Lingfeng Feb 27, 2025

NFSD: prevent underflow in nfssvc_decode_writeargs()

stable inclusion
from stable-v4.19.238
commit 9f0f048c1bfa7867d565a95fd8c28f4484ba1043
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP4WZ
CVE: CVE-2022-49280

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9f0f048c1bfa7867d565a95fd8c28f4484ba1043



--------------------------------

commit 184416d4 upstream.

Smatch complains:

	fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
	warn: no lower bound on 'args->len'

Change the type to unsigned to prevent this issue.

Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>

parent 33c097cb

fs/nfsd/nfsproc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -214,7 +214,7 @@ nfsd_proc_write(struct svc_rqst *rqstp)
		unsigned long cnt = argp->len;
		unsigned int nvecs;

		dprintk("nfsd: WRITE %s %d bytes at %d\n",
		dprintk("nfsd: WRITE %s %u bytes at %d\n",
		SVCFH_fmt(&argp->fh),
		argp->len, argp->offset);

fs/nfsd/xdr.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -33,7 +33,7 @@ struct nfsd_readargs {
		struct nfsd_writeargs {
		svc_fh fh;
		__u32 offset;
		int len;
		__u32 len;
		struct kvec first;
		};