[PATCH v2 2/2] NFSv4/flexfile,filelayout: bound multipath DS count in GETDEVICEINFO

[Michael Bommarito]

Both the flexfile and the (legacy) file pNFS layout drivers decode a
multipath-DS count from a server-supplied GETDEVICEINFO body and then
iterate it via nfs4_decode_mp_ds_addr() without any upper bound. The
filelayout driver already caps the outer ds_num against
NFS4_PNFS_MAX_MULTI_CNT (== 256) but applies no equivalent cap to the
inner mp_count; the flexfile driver applies no cap on either.

In addition, both inner loops ignore a NULL return from
nfs4_decode_mp_ds_addr(), so once the on-wire data no longer matches
a valid netaddr4 encoding the loop is free to consume the trailing
bytes of the device_addr opaque as garbage netid + uaddr pairs. A
malicious or compromised pNFS metadata server can therefore drive
the inner loop indefinitely (up to 2^32 - 1 iterations) against a
fixed-size 56-byte body, with each iteration triggering an
allocation / kmemdup_nul cycle inside the decoder.

Promote NFS4_PNFS_MAX_MULTI_CNT from the filelayout private header to
include/linux/nfs4.h so both drivers (and any future pNFS layout
driver that decodes a multipath address list) bound the wire-level
field consistently. Apply the cap to the inner mp_count in both
drivers, matching the existing ds_num check, and bail on the first
NULL return so a server that lies about mp_count cannot quietly
extend the loop into the trailing layout-body bytes. This is
defense-in-depth on top of the companion patch which closes the
NULL-deref in nfs4_decode_mp_ds_addr(); either patch alone closes
the kernel-panic shape, both together close the latent
unbounded-decode class.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 35124a0994fc ("Cleanup XDR parsing for LAYOUTGET, GETDEVICEINFO")
Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
Changes in v2:
- Carry the stripe_index provenance comment from filelayout.h to the
  new NFS4_PNFS_MAX_MULTI_CNT location in include/linux/nfs4.h, as
  Anna requested.

With this patch alone the crafted GETDEVICEINFO at multipath_count >= 3
is rejected at the bound check; malformed netaddr in the inner loop
bails on the first NULL return.  Either this patch or the companion
1/2 closes the panic; both together close the unbounded-decode class.

Baseline multipath_count = 1 mount + read completes normally.

 fs/nfs/filelayout/filelayout.h            |  2 +-
 fs/nfs/filelayout/filelayoutdev.c         |  7 +++++--
 fs/nfs/flexfilelayout/flexfilelayoutdev.c | 10 ++++++++--
 include/linux/nfs4.h                      |  5 +++++
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/fs/nfs/filelayout/filelayout.h b/fs/nfs/filelayout/filelayout.h
index c7bb5da93307d..03298f2e7cd69 100644
--- a/fs/nfs/filelayout/filelayout.h
+++ b/fs/nfs/filelayout/filelayout.h
@@ -39,7 +39,7 @@
  * RFC 5661 multipath_list4 structures.
  */
 #define NFS4_PNFS_MAX_STRIPE_CNT 4096
-#define NFS4_PNFS_MAX_MULTI_CNT  256 /* 256 fit into a u8 stripe_index */
+/* NFS4_PNFS_MAX_MULTI_CNT now in <linux/nfs4.h>; shared with flexfile. */
 
 enum stripetype4 {
 	STRIPE_SPARSE = 1,
diff --git a/fs/nfs/filelayout/filelayoutdev.c b/fs/nfs/filelayout/filelayoutdev.c
index 7226989ee4d53..c58c786dcf011 100644
--- a/fs/nfs/filelayout/filelayoutdev.c
+++ b/fs/nfs/filelayout/filelayoutdev.c
@@ -159,10 +159,13 @@ nfs4_fl_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
 			goto out_err_free_deviceid;
 
 		mp_count = be32_to_cpup(p); /* multipath count */
+		if (mp_count > NFS4_PNFS_MAX_MULTI_CNT)
+			goto out_err_free_deviceid;
 		for (j = 0; j < mp_count; j++) {
 			da = nfs4_decode_mp_ds_addr(net, &stream, gfp_flags);
-			if (da)
-				list_add_tail(&da->da_node, &dsaddrs);
+			if (!da)
+				break;
+			list_add_tail(&da->da_node, &dsaddrs);
 		}
 		if (list_empty(&dsaddrs)) {
 			dprintk("%s: no suitable DS addresses found\n",
diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
index c40395ae08142..faed05cbe9f1c 100644
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -78,12 +78,18 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
 		goto out_err_drain_dsaddrs;
 	mp_count = be32_to_cpup(p);
 	dprintk("%s: multipath ds count %d\n", __func__, mp_count);
+	if (mp_count > NFS4_PNFS_MAX_MULTI_CNT) {
+		dprintk("%s: multipath count %u greater than supported maximum %d\n",
+			__func__, mp_count, NFS4_PNFS_MAX_MULTI_CNT);
+		goto out_err_drain_dsaddrs;
+	}
 
 	for (i = 0; i < mp_count; i++) {
 		/* multipath ds */
 		da = nfs4_decode_mp_ds_addr(net, &stream, gfp_flags);
-		if (da)
-			list_add_tail(&da->da_node, &dsaddrs);
+		if (!da)
+			break;
+		list_add_tail(&da->da_node, &dsaddrs);
 	}
 	if (list_empty(&dsaddrs)) {
 		dprintk("%s: no suitable DS addresses found\n",
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index d87be1f25273a..79f4168cb6ab7 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -767,6 +767,11 @@ enum pnfs_block_extent_state {
 	PNFS_BLOCK_NONE_DATA		= 3,
 };
 
+/* Maximum NFSv4.1 pNFS multipath data-server address count;
+ * 256 fits in the u8 stripe_index used by the filelayout driver.
+ */
+#define NFS4_PNFS_MAX_MULTI_CNT		256
+
 /* on the wire size of a block layout extent */
 #define PNFS_BLOCK_EXTENT_SIZE \
 	(7 * sizeof(__be32) + NFS4_DEVICEID4_SIZE)
-- 
2.53.0