From 1e9e177df3e36e93a37bafc3c610ed019e6f48e7 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Mon, 2 Jan 2023 12:05:37 -0500 Subject: SUNRPC: Move svcxdr_init_decode() into ->accept methods Refactor: So that the overhaul of each ->accept method can be done in separate smaller patches, temporarily move the svcxdr_init_decode() call into those methods. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index b1efc34db6ed..3a77f3be2cf0 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -762,6 +762,7 @@ svcauth_null_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; + svcxdr_init_decode(rqstp); return SVC_OK; } @@ -835,6 +836,7 @@ svcauth_tls_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; + svcxdr_init_decode(rqstp); return SVC_OK; } @@ -900,6 +902,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; + svcxdr_init_decode(rqstp); return SVC_OK; badcred: -- cgit v1.2.3 From bee13639c0940abdea4dcaaf7f9bc0b88a68322b Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Mon, 2 Jan 2023 12:05:50 -0500 Subject: SUNRPC: Convert svcauth_null_accept() to use xdr_stream Done as part of hardening the server-side RPC header decoding path. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 3a77f3be2cf0..95354f03bb05 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -729,23 +729,41 @@ out: EXPORT_SYMBOL_GPL(svcauth_unix_set_client); +/** + * svcauth_null_accept - Decode and validate incoming RPC_AUTH_NULL credential + * @rqstp: RPC transaction + * + * Return values: + * %SVC_OK: Both credential and verifier are valid + * %SVC_DENIED: Credential or verifier is not valid + * %SVC_GARBAGE: Failed to decode credential or verifier + * %SVC_CLOSE: Temporary failure + * + * rqstp->rq_auth_stat is set as mandated by RFC 5531. + */ static int svcauth_null_accept(struct svc_rqst *rqstp) { - struct kvec *argv = &rqstp->rq_arg.head[0]; struct kvec *resv = &rqstp->rq_res.head[0]; + struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; + u32 flavor, len; + void *body; - if (argv->iov_len < 3*4) - return SVC_GARBAGE; + svcxdr_init_decode(rqstp); - if (svc_getu32(argv) != 0) { - dprintk("svc: bad null cred\n"); + /* Length of Call's credential body field: */ + if (xdr_stream_decode_u32(xdr, &len) < 0) + return SVC_GARBAGE; + if (len != 0) { rqstp->rq_auth_stat = rpc_autherr_badcred; return SVC_DENIED; } - if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { - dprintk("svc: bad null verf\n"); + + /* Call's verf field: */ + if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0) + return SVC_GARBAGE; + if (flavor != RPC_AUTH_NULL || len != 0) { rqstp->rq_auth_stat = rpc_autherr_badverf; return SVC_DENIED; } @@ -762,7 +780,6 @@ svcauth_null_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; - svcxdr_init_decode(rqstp); return SVC_OK; } -- cgit v1.2.3 From 6181b0c6432bf0807512e85e0c5863f7aca8e515 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Mon, 2 Jan 2023 12:05:56 -0500 Subject: SUNRPC: Convert svcauth_unix_accept() to use xdr_stream Done as part of hardening the server-side RPC header decoding path. Since the server-side of the Linux kernel SunRPC implementation ignores the contents of the Call's machinename field, there's no need for its RPC_AUTH_UNIX authenticator to reject names that are larger than UNX_MAXNODENAME. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- include/linux/sunrpc/msg_prot.h | 5 +++ net/sunrpc/svcauth_unix.c | 71 +++++++++++++++++++++++++++++------------ 2 files changed, 56 insertions(+), 20 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/include/linux/sunrpc/msg_prot.h b/include/linux/sunrpc/msg_prot.h index 02117ed0fa2e..c4b0eb2b2f04 100644 --- a/include/linux/sunrpc/msg_prot.h +++ b/include/linux/sunrpc/msg_prot.h @@ -34,6 +34,11 @@ enum rpc_auth_flavors { RPC_AUTH_GSS_SPKMP = 390011, }; +/* Maximum size (in octets) of the machinename in an AUTH_UNIX + * credential (per RFC 5531 Appendix A) + */ +#define RPC_MAX_MACHINENAME (255) + /* Maximum size (in bytes) of an rpc credential or verifier */ #define RPC_MAX_AUTH_SIZE (400) diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 95354f03bb05..b6aef9c5113b 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -867,26 +867,45 @@ struct auth_ops svcauth_tls = { }; +/** + * svcauth_unix_accept - Decode and validate incoming RPC_AUTH_SYS credential + * @rqstp: RPC transaction + * + * Return values: + * %SVC_OK: Both credential and verifier are valid + * %SVC_DENIED: Credential or verifier is not valid + * %SVC_GARBAGE: Failed to decode credential or verifier + * %SVC_CLOSE: Temporary failure + * + * rqstp->rq_auth_stat is set as mandated by RFC 5531. + */ static int svcauth_unix_accept(struct svc_rqst *rqstp) { - struct kvec *argv = &rqstp->rq_arg.head[0]; struct kvec *resv = &rqstp->rq_res.head[0]; + struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; struct user_namespace *userns; - u32 slen, i; - int len = argv->iov_len; + u32 flavor, len, i; + void *body; + __be32 *p; + + svcxdr_init_decode(rqstp); - if ((len -= 3*4) < 0) + /* + * This implementation ignores the length of the Call's + * credential body field and the timestamp and machinename + * fields. + */ + p = xdr_inline_decode(xdr, XDR_UNIT * 3); + if (!p) + return SVC_GARBAGE; + len = be32_to_cpup(p + 2); + if (len > RPC_MAX_MACHINENAME) + return SVC_GARBAGE; + if (!xdr_inline_decode(xdr, len)) return SVC_GARBAGE; - svc_getu32(argv); /* length */ - svc_getu32(argv); /* time stamp */ - slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */ - if (slen > 64 || (len -= (slen + 3)*4) < 0) - goto badcred; - argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */ - argv->iov_len -= slen*4; /* * Note: we skip uid_valid()/gid_valid() checks here for * backwards compatibility with clients that use -1 id's. @@ -896,20 +915,33 @@ svcauth_unix_accept(struct svc_rqst *rqstp) */ userns = (rqstp->rq_xprt && rqstp->rq_xprt->xpt_cred) ? rqstp->rq_xprt->xpt_cred->user_ns : &init_user_ns; - cred->cr_uid = make_kuid(userns, svc_getnl(argv)); /* uid */ - cred->cr_gid = make_kgid(userns, svc_getnl(argv)); /* gid */ - slen = svc_getnl(argv); /* gids length */ - if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0) + if (xdr_stream_decode_u32(xdr, &i) < 0) + return SVC_GARBAGE; + cred->cr_uid = make_kuid(userns, i); + if (xdr_stream_decode_u32(xdr, &i) < 0) + return SVC_GARBAGE; + cred->cr_gid = make_kgid(userns, i); + + if (xdr_stream_decode_u32(xdr, &len) < 0) + return SVC_GARBAGE; + if (len > UNX_NGROUPS) goto badcred; - cred->cr_group_info = groups_alloc(slen); + p = xdr_inline_decode(xdr, XDR_UNIT * len); + if (!p) + return SVC_GARBAGE; + cred->cr_group_info = groups_alloc(len); if (cred->cr_group_info == NULL) return SVC_CLOSE; - for (i = 0; i < slen; i++) { - kgid_t kgid = make_kgid(userns, svc_getnl(argv)); + for (i = 0; i < len; i++) { + kgid_t kgid = make_kgid(userns, be32_to_cpup(p++)); cred->cr_group_info->gid[i] = kgid; } groups_sort(cred->cr_group_info); - if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { + + /* Call's verf field: */ + if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0) + return SVC_GARBAGE; + if (flavor != RPC_AUTH_NULL || len != 0) { rqstp->rq_auth_stat = rpc_autherr_badverf; return SVC_DENIED; } @@ -919,7 +951,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; - svcxdr_init_decode(rqstp); return SVC_OK; badcred: -- cgit v1.2.3 From e8e38e14009afa90f320b9e806f416954b7dc315 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Mon, 2 Jan 2023 12:06:03 -0500 Subject: SUNRPC: Convert svcauth_tls_accept() to use xdr_stream Done as part of hardening the server-side RPC header decoding path. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index b6aef9c5113b..168e12137754 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -807,25 +807,41 @@ struct auth_ops svcauth_null = { }; +/** + * svcauth_tls_accept - Decode and validate incoming RPC_AUTH_TLS credential + * @rqstp: RPC transaction + * + * Return values: + * %SVC_OK: Both credential and verifier are valid + * %SVC_DENIED: Credential or verifier is not valid + * %SVC_GARBAGE: Failed to decode credential or verifier + * %SVC_CLOSE: Temporary failure + * + * rqstp->rq_auth_stat is set as mandated by RFC 5531. + */ static int svcauth_tls_accept(struct svc_rqst *rqstp) { + struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; - struct kvec *argv = rqstp->rq_arg.head; struct kvec *resv = rqstp->rq_res.head; + u32 flavor, len; + void *body; - if (argv->iov_len < XDR_UNIT * 3) - return SVC_GARBAGE; + svcxdr_init_decode(rqstp); - /* Call's cred length */ - if (svc_getu32(argv) != xdr_zero) { + /* Length of Call's credential body field: */ + if (xdr_stream_decode_u32(xdr, &len) < 0) + return SVC_GARBAGE; + if (len != 0) { rqstp->rq_auth_stat = rpc_autherr_badcred; return SVC_DENIED; } - /* Call's verifier flavor and its length */ - if (svc_getu32(argv) != rpc_auth_null || - svc_getu32(argv) != xdr_zero) { + /* Call's verf field: */ + if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0) + return SVC_GARBAGE; + if (flavor != RPC_AUTH_NULL || len != 0) { rqstp->rq_auth_stat = rpc_autherr_badverf; return SVC_DENIED; } @@ -836,12 +852,12 @@ svcauth_tls_accept(struct svc_rqst *rqstp) return SVC_DENIED; } - /* Mapping to nobody uid/gid is required */ + /* Signal that mapping to nobody uid/gid is required */ cred->cr_uid = INVALID_UID; cred->cr_gid = INVALID_GID; cred->cr_group_info = groups_alloc(0); if (cred->cr_group_info == NULL) - return SVC_CLOSE; /* kmalloc failure - client must retry */ + return SVC_CLOSE; /* Reply's verifier */ svc_putnl(resv, RPC_AUTH_NULL); @@ -853,7 +869,6 @@ svcauth_tls_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; - svcxdr_init_decode(rqstp); return SVC_OK; } -- cgit v1.2.3 From 6898b47a0f9e118636d82c3e2c39e50f82290a91 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Mon, 2 Jan 2023 12:07:32 -0500 Subject: SUNRPC: Hoist init_decode out of svc_authenticate() Now that each ->accept method has been converted to use xdr_stream, the svcxdr_init_decode() calls can be hoisted back up into the generic RPC server code. The dprintk in svc_authenticate() is removed, since trace_svc_authenticate() reports the same information. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/auth_gss/svcauth_gss.c | 2 -- net/sunrpc/svc.c | 1 + net/sunrpc/svcauth.c | 13 ++++++++----- net/sunrpc/svcauth_unix.c | 6 ------ 4 files changed, 9 insertions(+), 13 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index f6d62e39840e..b3a6717e32fd 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1619,8 +1619,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp) int ret; struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); - svcxdr_init_decode(rqstp); - rqstp->rq_auth_stat = rpc_autherr_badcred; if (!svcdata) svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL); diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index f06622814a95..acac00bc98cc 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -1276,6 +1276,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv) * We do this before anything else in order to get a decent * auth verifier. */ + svcxdr_init_decode(rqstp); auth_res = svc_authenticate(rqstp); /* Also give the program a chance to reject this call: */ if (auth_res == SVC_OK && progp) diff --git a/net/sunrpc/svcauth.c b/net/sunrpc/svcauth.c index e72ba2f13f6c..67d8245a08af 100644 --- a/net/sunrpc/svcauth.c +++ b/net/sunrpc/svcauth.c @@ -63,14 +63,17 @@ svc_put_auth_ops(struct auth_ops *aops) int svc_authenticate(struct svc_rqst *rqstp) { - rpc_authflavor_t flavor; - struct auth_ops *aops; + struct auth_ops *aops; + u32 flavor; rqstp->rq_auth_stat = rpc_auth_ok; - flavor = svc_getnl(&rqstp->rq_arg.head[0]); - - dprintk("svc: svc_authenticate (%d)\n", flavor); + /* + * Decode the Call credential's flavor field. The credential's + * body field is decoded in the chosen ->accept method below. + */ + if (xdr_stream_decode_u32(&rqstp->rq_arg_stream, &flavor) < 0) + return SVC_GARBAGE; aops = svc_get_auth_ops(flavor); if (aops == NULL) { diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 168e12137754..f09a148aa0c1 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -750,8 +750,6 @@ svcauth_null_accept(struct svc_rqst *rqstp) u32 flavor, len; void *body; - svcxdr_init_decode(rqstp); - /* Length of Call's credential body field: */ if (xdr_stream_decode_u32(xdr, &len) < 0) return SVC_GARBAGE; @@ -828,8 +826,6 @@ svcauth_tls_accept(struct svc_rqst *rqstp) u32 flavor, len; void *body; - svcxdr_init_decode(rqstp); - /* Length of Call's credential body field: */ if (xdr_stream_decode_u32(xdr, &len) < 0) return SVC_GARBAGE; @@ -905,8 +901,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp) void *body; __be32 *p; - svcxdr_init_decode(rqstp); - /* * This implementation ignores the length of the Call's * credential body field and the timestamp and machinename -- cgit v1.2.3 From faca8978163bf8f6c0f3043b0f03cf3fe7bf9d64 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:29:51 -0500 Subject: SUNRPC: Move svcxdr_init_encode() into ->accept methods Refactor: So that the overhaul of each ->accept method can be done in separate smaller patches, temporarily move the svcxdr_init_encode() call into those methods. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/auth_gss/svcauth_gss.c | 5 +++++ net/sunrpc/svc.c | 6 ++---- net/sunrpc/svcauth_unix.c | 3 +++ 3 files changed, 10 insertions(+), 4 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 6ef4f1ecbeec..5c41c34dd83e 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1250,6 +1250,7 @@ svcauth_gss_legacy_init(struct svc_rqst *rqstp, goto out; ret = SVC_COMPLETE; + svcxdr_init_encode(rqstp); out: cache_put(&rsip->h, sn->rsi_cache); return ret; @@ -1378,6 +1379,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, goto out; ret = SVC_COMPLETE; + svcxdr_init_encode(rqstp); out: gss_free_in_token_pages(&ud.in_token); gssp_free_upcall_data(&ud); @@ -1680,6 +1682,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp) rqstp->rq_auth_stat = rpc_autherr_badcred; switch (gc->gc_svc) { case RPC_GSS_SVC_NONE: + svcxdr_init_encode(rqstp); break; case RPC_GSS_SVC_INTEGRITY: /* placeholders for length and seq. number: */ @@ -1689,6 +1692,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp) rsci->mechctx)) goto garbage_args; rqstp->rq_auth_slack = RPC_MAX_AUTH_SIZE; + svcxdr_init_encode(rqstp); break; case RPC_GSS_SVC_PRIVACY: /* placeholders for length and seq. number: */ @@ -1698,6 +1702,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp) rsci->mechctx)) goto garbage_args; rqstp->rq_auth_slack = RPC_MAX_AUTH_SIZE * 2; + svcxdr_init_encode(rqstp); break; default: goto auth_err; diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index ce75db5eb9bd..dc23fe44b5bd 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -1312,16 +1312,14 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *resv) serv->sv_stats->rpccnt++; trace_svc_process(rqstp, progp->pg_name); - /* Build the reply header. */ - statp = resv->iov_base +resv->iov_len; - svc_putnl(resv, RPC_SUCCESS); + statp = xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT); + *statp = rpc_success; /* un-reserve some of the out-queue now that we have a * better idea of reply size */ if (procp->pc_xdrressize) svc_reserve_auth(rqstp, procp->pc_xdrressize<<2); - svcxdr_init_encode(rqstp); /* Call the function that processes the request. */ rc = process.dispatch(rqstp, statp); diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index f09a148aa0c1..6281d23f98bf 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -778,6 +778,7 @@ svcauth_null_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; + svcxdr_init_encode(rqstp); return SVC_OK; } @@ -865,6 +866,7 @@ svcauth_tls_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; + svcxdr_init_encode(rqstp); return SVC_OK; } @@ -960,6 +962,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp) svc_putnl(resv, 0); rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; + svcxdr_init_encode(rqstp); return SVC_OK; badcred: -- cgit v1.2.3 From b2c88ca65ac829a9570a491bcf1b78f07b1e3841 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:29:57 -0500 Subject: SUNRPC: Use xdr_stream to encode Reply verifier in svcauth_null_accept() Done as part of hardening the server-side RPC header encoding path. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 6281d23f98bf..b24d6c75588f 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -744,7 +744,6 @@ EXPORT_SYMBOL_GPL(svcauth_unix_set_client); static int svcauth_null_accept(struct svc_rqst *rqstp) { - struct kvec *resv = &rqstp->rq_res.head[0]; struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; u32 flavor, len; @@ -773,12 +772,12 @@ svcauth_null_accept(struct svc_rqst *rqstp) if (cred->cr_group_info == NULL) return SVC_CLOSE; /* kmalloc failure - client must retry */ - /* Put NULL verifier */ - svc_putnl(resv, RPC_AUTH_NULL); - svc_putnl(resv, 0); + svcxdr_init_encode(rqstp); + if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, + RPC_AUTH_NULL, NULL, 0) < 0) + return SVC_CLOSE; rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; - svcxdr_init_encode(rqstp); return SVC_OK; } -- cgit v1.2.3 From 3b03f3c5d4dbed658ef9a76c3475b2fb37d46451 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:30:03 -0500 Subject: SUNRPC: Use xdr_stream to encode Reply verifier in svcauth_unix_accept() Done as part of hardening the server-side RPC header encoding path. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index b24d6c75588f..e3981e124042 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -894,7 +894,6 @@ struct auth_ops svcauth_tls = { static int svcauth_unix_accept(struct svc_rqst *rqstp) { - struct kvec *resv = &rqstp->rq_res.head[0]; struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; struct user_namespace *userns; @@ -956,12 +955,12 @@ svcauth_unix_accept(struct svc_rqst *rqstp) return SVC_DENIED; } - /* Put NULL verifier */ - svc_putnl(resv, RPC_AUTH_NULL); - svc_putnl(resv, 0); + svcxdr_init_encode(rqstp); + if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, + RPC_AUTH_NULL, NULL, 0) < 0) + return SVC_CLOSE; rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; - svcxdr_init_encode(rqstp); return SVC_OK; badcred: -- cgit v1.2.3 From df18f9ccb98a90e51d2d3527d880375db15b1fc8 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:30:09 -0500 Subject: SUNRPC: Use xdr_stream to encode Reply verifier in svcauth_tls_accept() Done as part of hardening the server-side RPC header encoding path. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index e3981e124042..632150a6b947 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -822,9 +822,9 @@ svcauth_tls_accept(struct svc_rqst *rqstp) { struct xdr_stream *xdr = &rqstp->rq_arg_stream; struct svc_cred *cred = &rqstp->rq_cred; - struct kvec *resv = rqstp->rq_res.head; u32 flavor, len; void *body; + __be32 *p; /* Length of Call's credential body field: */ if (xdr_stream_decode_u32(xdr, &len) < 0) @@ -855,17 +855,21 @@ svcauth_tls_accept(struct svc_rqst *rqstp) if (cred->cr_group_info == NULL) return SVC_CLOSE; - /* Reply's verifier */ - svc_putnl(resv, RPC_AUTH_NULL); + svcxdr_init_encode(rqstp); if (rqstp->rq_xprt->xpt_ops->xpo_start_tls) { - svc_putnl(resv, 8); - memcpy(resv->iov_base + resv->iov_len, "STARTTLS", 8); - resv->iov_len += 8; - } else - svc_putnl(resv, 0); + p = xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2 + 8); + if (!p) + return SVC_CLOSE; + *p++ = rpc_auth_null; + *p++ = cpu_to_be32(8); + memcpy(p, "STARTTLS", 8); + } else { + if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, + RPC_AUTH_NULL, NULL, 0) < 0) + return SVC_CLOSE; + } rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; - svcxdr_init_encode(rqstp); return SVC_OK; } -- cgit v1.2.3 From fcef2afffe67db884f2970817b8e721d86df2986 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:30:34 -0500 Subject: SUNRPC: Hoist init_encode out of svc_authenticate() Now that each ->accept method has been converted, the svcxdr_init_encode() calls can be hoisted back up into the generic RPC server code. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- net/sunrpc/auth_gss/svcauth_gss.c | 2 -- net/sunrpc/svc.c | 2 ++ net/sunrpc/svcauth_unix.c | 3 --- 3 files changed, 2 insertions(+), 5 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 3d82fbd44229..01080d4659c3 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1589,8 +1589,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp) int ret; struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); - svcxdr_init_encode(rqstp); - rqstp->rq_auth_stat = rpc_autherr_badcred; if (!svcdata) svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL); diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index dc23fe44b5bd..a5f40453fb14 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -1262,6 +1262,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *resv) if (rqstp->rq_prog == progp->pg_prog) break; + svcxdr_init_encode(rqstp); + /* * Decode auth data, and add verifier to reply buffer. * We do this before anything else in order to get a decent diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 632150a6b947..b101700d155c 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -772,7 +772,6 @@ svcauth_null_accept(struct svc_rqst *rqstp) if (cred->cr_group_info == NULL) return SVC_CLOSE; /* kmalloc failure - client must retry */ - svcxdr_init_encode(rqstp); if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_NULL, NULL, 0) < 0) return SVC_CLOSE; @@ -855,7 +854,6 @@ svcauth_tls_accept(struct svc_rqst *rqstp) if (cred->cr_group_info == NULL) return SVC_CLOSE; - svcxdr_init_encode(rqstp); if (rqstp->rq_xprt->xpt_ops->xpo_start_tls) { p = xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2 + 8); if (!p) @@ -959,7 +957,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp) return SVC_DENIED; } - svcxdr_init_encode(rqstp); if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_NULL, NULL, 0) < 0) return SVC_CLOSE; -- cgit v1.2.3 From 4bcf0343e8a69eb22f7e83bfa7cfce32a28c9d95 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 8 Jan 2023 11:31:05 -0500 Subject: SUNRPC: Set rq_accept_statp inside ->accept methods To navigate around the space that svcauth_gss_accept() reserves for the RPC payload body length and sequence number fields, svcauth_gss_release() does a little dance with the reply's accept_stat, moving the accept_stat value in the response buffer down by two words. Instead, let's have the ->accept() methods each set the proper final location of the accept_stat to avoid having to move things. Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- include/linux/sunrpc/svc.h | 19 +++++++++++++++++++ net/sunrpc/auth_gss/svcauth_gss.c | 21 ++++++++++----------- net/sunrpc/svc.c | 2 -- net/sunrpc/svcauth_unix.c | 6 ++++++ 4 files changed, 35 insertions(+), 13 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index f40a90ca5de6..392d2d2620fa 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h @@ -544,4 +544,23 @@ static inline void svcxdr_set_auth_slack(struct svc_rqst *rqstp, int slack) WARN_ON(xdr->p > xdr->end); } +/** + * svcxdr_set_accept_stat - Reserve space for the accept_stat field + * @rqstp: RPC transaction context + * + * Return values: + * %true: Success + * %false: No response buffer space was available + */ +static inline bool svcxdr_set_accept_stat(struct svc_rqst *rqstp) +{ + struct xdr_stream *xdr = &rqstp->rq_res_stream; + + rqstp->rq_accept_statp = xdr_reserve_space(xdr, XDR_UNIT); + if (unlikely(!rqstp->rq_accept_statp)) + return false; + *rqstp->rq_accept_statp = rpc_success; + return true; +} + #endif /* SUNRPC_SVC_H */ diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 01080d4659c3..7e7fda9a3e4e 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1220,7 +1220,7 @@ svcauth_gss_legacy_init(struct svc_rqst *rqstp, if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &rsip->out_handle, &rsip->major_status, GSS_SEQ_WIN)) goto out; - if (xdr_stream_encode_u32(&rqstp->rq_res_stream, RPC_SUCCESS) < 0) + if (!svcxdr_set_accept_stat(rqstp)) goto out; if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &rsip->out_handle, &rsip->out_token, rsip->major_status, @@ -1348,7 +1348,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &cli_handle, &ud.major_status, GSS_SEQ_WIN)) goto out; - if (xdr_stream_encode_u32(&rqstp->rq_res_stream, RPC_SUCCESS) < 0) + if (!svcxdr_set_accept_stat(rqstp)) goto out; if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &cli_handle, &ud.out_token, ud.major_status, @@ -1640,16 +1640,18 @@ svcauth_gss_accept(struct svc_rqst *rqstp) case RPC_GSS_PROC_DESTROY: if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq)) goto auth_err; + if (!svcxdr_set_accept_stat(rqstp)) + goto auth_err; /* Delete the entry from the cache_list and call cache_put */ sunrpc_cache_unhash(sn->rsc_cache, &rsci->h); - if (xdr_stream_encode_u32(&rqstp->rq_res_stream, RPC_SUCCESS) < 0) - goto auth_err; goto complete; case RPC_GSS_PROC_DATA: rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; svcdata->verf_start = xdr_reserve_space(&rqstp->rq_res_stream, 0); if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq)) goto auth_err; + if (!svcxdr_set_accept_stat(rqstp)) + goto auth_err; rqstp->rq_cred = rsci->cred; get_group_info(rsci->cred.cr_group_info); rqstp->rq_auth_stat = rpc_autherr_badcred; @@ -1706,7 +1708,6 @@ out: static __be32 * svcauth_gss_prepare_to_wrap(struct svc_rqst *rqstp, struct gss_svc_data *gsd) { - struct xdr_buf *resbuf = &rqstp->rq_res; __be32 *p; u32 verf_len; @@ -1721,13 +1722,11 @@ svcauth_gss_prepare_to_wrap(struct svc_rqst *rqstp, struct gss_svc_data *gsd) p += 1; verf_len = ntohl(*p++); p += XDR_QUADLEN(verf_len); - /* move accept_stat to right place: */ - memcpy(p, p + 2, 4); - /* Also don't wrap if the accept stat is nonzero: */ - if (*p != rpc_success) { - resbuf->head[0].iov_len -= 2 * 4; + + /* Also don't wrap if the accept_stat is nonzero: */ + if (*rqstp->rq_accept_statp != rpc_success) return NULL; - } + p++; return p; } diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index 16760bc5191f..7b208e063334 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -1314,8 +1314,6 @@ svc_process_common(struct svc_rqst *rqstp) trace_svc_process(rqstp, progp->pg_name); aoffset = xdr_stream_pos(xdr); - rqstp->rq_accept_statp = xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT); - *rqstp->rq_accept_statp = rpc_success; /* un-reserve some of the out-queue now that we have a * better idea of reply size diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index b101700d155c..62dfc8cdf8c5 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -775,6 +775,8 @@ svcauth_null_accept(struct svc_rqst *rqstp) if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_NULL, NULL, 0) < 0) return SVC_CLOSE; + if (!svcxdr_set_accept_stat(rqstp)) + return SVC_CLOSE; rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; return SVC_OK; @@ -866,6 +868,8 @@ svcauth_tls_accept(struct svc_rqst *rqstp) RPC_AUTH_NULL, NULL, 0) < 0) return SVC_CLOSE; } + if (!svcxdr_set_accept_stat(rqstp)) + return SVC_CLOSE; rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; return SVC_OK; @@ -960,6 +964,8 @@ svcauth_unix_accept(struct svc_rqst *rqstp) if (xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_NULL, NULL, 0) < 0) return SVC_CLOSE; + if (!svcxdr_set_accept_stat(rqstp)) + return SVC_CLOSE; rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; return SVC_OK; -- cgit v1.2.3 From ecfa3987731b1ceb7964075cdc0235da1765622a Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Wed, 18 Jan 2023 10:45:36 -0500 Subject: SUNRPC: Fix whitespace damage in svcauth_unix.c Signed-off-by: Chuck Lever --- net/sunrpc/svcauth_unix.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'net/sunrpc/svcauth_unix.c') diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c index 62dfc8cdf8c5..983c5891cb56 100644 --- a/net/sunrpc/svcauth_unix.c +++ b/net/sunrpc/svcauth_unix.c @@ -800,7 +800,7 @@ struct auth_ops svcauth_null = { .name = "null", .owner = THIS_MODULE, .flavour = RPC_AUTH_NULL, - .accept = svcauth_null_accept, + .accept = svcauth_null_accept, .release = svcauth_null_release, .set_client = svcauth_unix_set_client, }; @@ -879,7 +879,7 @@ struct auth_ops svcauth_tls = { .name = "tls", .owner = THIS_MODULE, .flavour = RPC_AUTH_TLS, - .accept = svcauth_tls_accept, + .accept = svcauth_tls_accept, .release = svcauth_null_release, .set_client = svcauth_unix_set_client, }; @@ -995,7 +995,7 @@ struct auth_ops svcauth_unix = { .name = "unix", .owner = THIS_MODULE, .flavour = RPC_AUTH_UNIX, - .accept = svcauth_unix_accept, + .accept = svcauth_unix_accept, .release = svcauth_unix_release, .domain_release = svcauth_unix_domain_release, .set_client = svcauth_unix_set_client, -- cgit v1.2.3