[PATCH 0/2] pnfs/blocklayout: harden GETDEVICEINFO volume parser
From: Werner Kasselman
Date: Tue Apr 21 2026 - 06:04:33 EST
The recursive-descent volume parser in fs/nfs/blocklayout/dev.c has
three problems reachable from a malicious NFS server:
- Server-supplied volume indices are used without bounds checking,
causing an OOB heap read at volumes[idx].type.
- The mutual recursion between bl_parse_deviceid and the type-specific
parsers has no depth limit, so a cyclic or deeply chained topology
overflows the kernel stack.
- When nr_volumes is 0, the entry point computes nr_volumes - 1 as the
starting index, underflowing to -1.
Patch 1 fixes the memory-safety issues: index validation, depth cap,
and nr_volumes == 0 rejection.
Patch 2 adds a total parse-operation budget (PNFS_BLOCK_MAX_PARSE_OPS)
to prevent resource exhaustion from DAG-shaped topologies where shared
child references cause exponential tree materialization.
A standalone test exercising all three bug classes and the fixes is at:
tools/testing/pnfs-blocklayout/test-volume-parser.c
Werner Kasselman (2):
pnfs/blocklayout: validate volume indices and limit recursion depth
pnfs/blocklayout: cap total parse operations in volume topology
fs/nfs/blocklayout/blocklayout.h | 2 ++
fs/nfs/blocklayout/dev.c | 61 ++++++++++++++++++++++++--------
2 files changed, 49 insertions(+), 14 deletions(-)
--
2.43.0
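The three checks the series describes, plus the Patch 2 op budget, as an added stand-alone model (not the kernel's fs/nfs/blocklayout/dev.c): the volume layout, the limit values 16 and 64, and the four constructed topologies are assumptions made for the example.

```c
#include <stdint.h>

enum vol_type { VOL_SIMPLE, VOL_SLICE, VOL_CONCAT };
#define MAX_CHILDREN 4
#define PNFS_BLOCK_MAX_DEPTH 16          /* assumed depth cap */
#define PNFS_BLOCK_MAX_PARSE_OPS 64      /* assumed op budget */

struct volume {
	enum vol_type type;
	int nr_children;
	uint32_t children[MAX_CHILDREN]; /* server-supplied volume indices */
};
struct parse_ctx { const struct volume *volumes; uint32_t nr_volumes; int ops; };

/* Recursive-descent walk over one volume. Returns 0 on success, -1 on rejection. */
static int bl_parse_volume(struct parse_ctx *ctx, uint32_t idx, int depth)
{
	const struct volume *v;
	int i;

	if (idx >= ctx->nr_volumes)                /* bug 1: validate index before volumes[idx] */
		return -1;
	if (depth > PNFS_BLOCK_MAX_DEPTH)          /* bug 2: bound recursion (cycles, long chains) */
		return -1;
	if (++ctx->ops > PNFS_BLOCK_MAX_PARSE_OPS) /* patch 2: total-work budget (shared DAG children) */
		return -1;
	v = &ctx->volumes[idx];
	for (i = 0; i < v->nr_children; i++)
		if (bl_parse_volume(ctx, v->children[i], depth + 1))
			return -1;
	return 0;
}

/* Entry point: the root is the last volume, so nr_volumes == 0 must be rejected
 * before computing nr_volumes - 1 (bug 3). Returns ops consumed, or -1. */
int bl_parse_deviceid(const struct volume *vols, uint32_t nr_volumes)
{
	struct parse_ctx ctx = { vols, nr_volumes, 0 };

	if (nr_volumes == 0 || bl_parse_volume(&ctx, nr_volumes - 1, 0))
		return -1;
	return ctx.ops;
}

/* Constructed topologies: valid tree, out-of-range index, 2-cycle, exponential DAG. */
const struct volume good_vols[3]  = { {VOL_SIMPLE,0,{0}}, {VOL_SIMPLE,0,{0}}, {VOL_CONCAT,2,{0,1}} };
const struct volume oob_vols[1]   = { {VOL_SLICE,1,{7}} };
const struct volume cycle_vols[2] = { {VOL_SLICE,1,{1}}, {VOL_SLICE,1,{0}} };
const struct volume dag_vols[7]   = { {VOL_SIMPLE,0,{0}}, {VOL_CONCAT,2,{0,0}}, {VOL_CONCAT,2,{1,1}},
	{VOL_CONCAT,2,{2,2}}, {VOL_CONCAT,2,{3,3}}, {VOL_CONCAT,2,{4,4}}, {VOL_CONCAT,2,{5,5}} };
```

The DAG case materializes 2^7 - 1 = 127 nodes from seven volumes, so it is stopped by the op budget at depth 6, well before the depth cap would fire.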