linux.git - Linux kernel source tree

diff options

author	Jenny Guanni Qu <qguanni@gmail.com>	2026-03-13 22:42:07 +0000
committer	Trond Myklebust <trond.myklebust@hammerspace.com>	2026-04-13 14:04:16 -0700
commit	94545ffc0ae8ae6ab6590e9d7fed4da8123060cb (patch)
tree	6f2fb70ce83348b6550442e2d1c80af08d7bc8ff /include/linux
parent	b0ed12538fdfeb39c844eba3fa4c269ddb4ebca7 (diff)

pnfs/flexfiles: validate ds_versions_cnt is non-zero

nfs4_ff_alloc_deviceid_node() reads version_count from XDR without checking it is non-zero. When a malicious NFS server sends a pNFS LAYOUTGET response with version_count=0, kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10). The subsequent ds_versions[0] access in nfs4_ff_layout_ds_version() and other callers dereferences this invalid pointer, causing an out-of-bounds read. Add a check for version_count == 0 after parsing it from XDR, before the allocation. The OOB read was confirmed with KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] from accessing ZERO_SIZE_PTR. Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Tested-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: