[PATCH 0/2] pnfs/blocklayout: harden GETDEVICEINFO volume parser

Werner Kasselman posted 2 patches 1 month, 3 weeks ago
Posted by Werner Kasselman 1 month, 3 weeks ago
The recursive-descent volume parser in fs/nfs/blocklayout/dev.c has
three problems reachable from a malicious NFS server:

 - Server-supplied volume indices are used without bounds checking,
   causing an OOB heap read at volumes[idx].type.
 - The mutual recursion between bl_parse_deviceid and the type-specific
   parsers has no depth limit, so a cyclic or deeply chained topology
   overflows the kernel stack.
 - When nr_volumes is 0, the entry point computes nr_volumes - 1 as the
   starting index, underflowing to -1.

Patch 1 fixes the memory-safety issues: index validation, depth cap,
and nr_volumes == 0 rejection.

Patch 2 adds a total parse-operation budget (PNFS_BLOCK_MAX_PARSE_OPS)
to prevent resource exhaustion from DAG-shaped topologies where shared
child references cause exponential tree materialization.

A standalone test exercising all three bug classes and the fixes is at:
  tools/testing/pnfs-blocklayout/test-volume-parser.c

Werner Kasselman (2):
  pnfs/blocklayout: validate volume indices and limit recursion depth
  pnfs/blocklayout: cap total parse operations in volume topology

 fs/nfs/blocklayout/blocklayout.h |  2 ++
 fs/nfs/blocklayout/dev.c         | 61 ++++++++++++++++++++++++--------
 2 files changed, 49 insertions(+), 14 deletions(-)

--
2.43.0
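
The checks named in the cover letter above (index validation, depth cap, nr_volumes == 0 rejection, total operation budget), shown on a simplified user-space model. This is an added example: it is not the posted patch, not the kernel's dev.c, and not the test file the cover letter refers to. The structure layout, function names, error codes and limit values (8 and 64) are assumptions made for the illustration.

```c
#include <stddef.h>

/* Simplified user-space model, not the kernel's structures. Limits are assumed values. */
#define MODEL_MAX_DEPTH     8
#define MODEL_MAX_PARSE_OPS 64  /* stands in for PNFS_BLOCK_MAX_PARSE_OPS */
#define MODEL_MAX_CHILDREN  2
enum { PARSE_OK = 0, ERR_EMPTY = -1, ERR_INDEX = -2, ERR_DEPTH = -3, ERR_BUDGET = -4 };

struct model_volume {
    unsigned int nr_children;                   /* 0 = leaf (simple volume) */
    unsigned int children[MODEL_MAX_CHILDREN];  /* untrusted, server-supplied indices */
};

static int parse_volume(const struct model_volume *vols, unsigned int nr_volumes,
                        unsigned int idx, unsigned int depth, unsigned int *ops)
{
    unsigned int i;
    if (idx >= nr_volumes)              /* check before touching vols[idx] */
        return ERR_INDEX;
    if (depth >= MODEL_MAX_DEPTH)       /* bounds recursion on cycles and long chains */
        return ERR_DEPTH;
    if (++*ops > MODEL_MAX_PARSE_OPS)   /* bounds total work on shared-child DAGs */
        return ERR_BUDGET;
    if (vols[idx].nr_children > MODEL_MAX_CHILDREN)
        return ERR_INDEX;
    for (i = 0; i < vols[idx].nr_children; i++) {
        int ret = parse_volume(vols, nr_volumes, vols[idx].children[i], depth + 1, ops);
        if (ret)
            return ret;
    }
    return PARSE_OK;
}

int parse_topology(const struct model_volume *vols, unsigned int nr_volumes)
{
    unsigned int ops = 0;
    if (nr_volumes == 0)                /* nr_volumes - 1 would wrap around */
        return ERR_EMPTY;
    return parse_volume(vols, nr_volumes, nr_volumes - 1, 0, &ops);
}

/* Constructed input: layer i references layer i-1 twice, so visits double per layer. */
int parse_shared_child_dag(unsigned int layers)
{
    struct model_volume vols[MODEL_MAX_DEPTH] = { { 0, { 0, 0 } } };
    unsigned int i;
    for (i = 1; i < layers && i < MODEL_MAX_DEPTH; i++)
        vols[i] = (struct model_volume){ 2, { i - 1, i - 1 } };
    return parse_topology(vols, layers < MODEL_MAX_DEPTH ? layers : MODEL_MAX_DEPTH);
}
```

In this model a 7-layer shared-child topology stays within the depth cap but needs 127 visits, so only the operation budget stops it; a depth cap alone does not bound the total work.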

Re: [PATCH 0/2] pnfs/blocklayout: harden GETDEVICEINFO volume parser
Posted by Christoph Hellwig 1 month, 3 weeks ago
On Tue, Apr 21, 2026 at 10:03:40AM +0000, Werner Kasselman wrote:
> A standalone test exercising all three bug classes and the fixes is at:
>   tools/testing/pnfs-blocklayout/test-volume-parser.c

Not really, but maybe you wanted to send it out? :)