[PATCH v2 1/2] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr

[Michael Bommarito]

nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a
netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately
calls strrchr(buf, '.') to locate the port separator. Both decodes
use xdr_stream_decode_string_dup(), and the current code checks only
"nlen < 0" / "rlen < 0" before dereferencing the returned string.

When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline()
returns 0 and xdr_stream_decode_string_dup() falls through to its
"*str = NULL; return ret" tail, leaving buf NULL with a return value
of 0. The "< 0" check does not catch this, and the next line is
strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from
any pNFS-flexfile client mounted against a malicious or compromised
metadata server.

Reject the zero-length cases explicitly so the decoder fails with
-EBADMSG (treated as a malformed GETDEVICEINFO body) instead of
panicking the client.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generic pnfs")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
Reproduced via a malicious NFSv4.1/pNFS server returning a flexfile
GETDEVICEINFO body with multipath_count >= 3 and one valid
(netid, uaddr) pair.  Linux 7.0-rc7 + KASAN, QEMU/KVM.  Stock kernel:

  Oops: general protection fault [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:strrchr+0x24/0x80
  Call Trace:
   nfs4_decode_mp_ds_addr+0xca/0x570
   nfs4_ff_alloc_deviceid_node+0x357/0x1370
   nfs4_find_get_deviceid+0x6b6/0xa90
   nfs4_ff_layout_prepare_ds+0x3cf/0xa40
   ff_layout_choose_ds_for_read+0x14c/0x350
   ff_layout_pg_init_read+0x2a2/0xb90
   ...
   nfs_file_splice_read+0xcf/0x190
   do_sendfile+0x8eb/0xdf0
  Kernel panic - not syncing: Fatal exception

Deterministic for any multipath_count >= 3; multipath_count <= 2
does not crash because the loop ends before consuming the malformed
trailing bytes.

Patched kernel rejects the same crafted body and a baseline
multipath_count = 1 mount + read completes normally.

 fs/nfs/pnfs_nfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c
index 12632a706da88..0ff43dbcb7cd7 100644
--- a/fs/nfs/pnfs_nfs.c
+++ b/fs/nfs/pnfs_nfs.c
@@ -1075,14 +1075,14 @@ nfs4_decode_mp_ds_addr(struct net *net, struct xdr_stream *xdr, gfp_t gfp_flags)
 	/* r_netid */
 	nlen = xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ,
 					    gfp_flags);
-	if (unlikely(nlen < 0))
+	if (unlikely(nlen <= 0))
 		goto out_err;
 
 	/* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */
 	/* port is ".ABC.DEF", 8 chars max */
 	rlen = xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN +
 					    IPV6_SCOPE_ID_LEN + 8, gfp_flags);
-	if (unlikely(rlen < 0))
+	if (unlikely(rlen <= 0))
 		goto out_free_netid;
 
 	/* replace port '.' with '-' */
-- 
2.53.0