Re: [PATCH] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

From: Chuck Lever

Date: Tue Feb 24 2026 - 12:42:03 EST


From: Chuck Lever <chuck.lever@xxxxxxxxxx>

On Tue, 24 Feb 2026 11:33:35 -0500, Jeff Layton wrote:
> The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
> (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
> This size was calculated based on OPEN responses and does not account
> for LOCK denied responses, which include the conflicting lock owner as
> a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
>
> When a LOCK operation is denied due to a conflict with an existing lock
> that has a large owner, nfsd4_encode_operation() copies the full encoded
> response into the undersized replay buffer via read_bytes_from_xdr_buf()
> with no bounds check. This results in a slab-out-of-bounds write of up
> to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
>
> [...]

Applied to nfsd-testing, thanks!

[1/1] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
commit: 1e8e9913672a31c6fdd0d237cd3cec88435bd66e

--
Chuck Lever
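An added example, not part of this thread or of nfsd's code, that models the size mismatch described in the quoted commit message: it computes the XDR-encoded size of a LOCK4denied body from the RFC 7530 field layout, shows that the worst case exceeds the 112-byte inline buffer by exactly the 944 bytes quoted above, and stores into a simplified replay entry only when the response fits. The `struct replay_entry` and `replay_store_checked()` names are hypothetical stand-ins, not the kernel's; the constants are the ones named in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants quoted in the patch description (simplified model, not nfsd code). */
#define NFSD4_REPLAY_ISIZE 112   /* inline replay buffer rp_ibuf[] */
#define NFS4_OPAQUE_LIMIT  1024  /* max lock_owner4.owner length */

/* XDR pads variable-length opaque data up to a 4-byte boundary. */
static size_t xdr_pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Encoded size of a LOCK4denied body per RFC 7530:
 *   offset4 (8) + length4 (8) + nfs_lock_type4 (4)
 *   + lock_owner4 { clientid4 (8), opaque owner<> (4-byte length + padded data) } */
size_t lock_denied_encoded_len(size_t owner_len)
{
    return 8 + 8 + 4 + 8 + 4 + xdr_pad4(owner_len);
}

/* Bytes an unchecked copy of the largest LOCK denied response would write
 * past the end of the inline buffer (0 if it would fit). */
size_t lock_denied_max_overflow(void)
{
    size_t max = lock_denied_encoded_len(NFS4_OPAQUE_LIMIT);
    return max > NFSD4_REPLAY_ISIZE ? max - NFSD4_REPLAY_ISIZE : 0;
}

/* Hypothetical stand-in for a replay cache entry with its inline buffer. */
struct replay_entry {
    size_t  rp_buflen;
    uint8_t rp_ibuf[NFSD4_REPLAY_ISIZE];
};

/* Bounded store: the check the unchecked copy lacked. A response larger
 * than the inline buffer is rejected (-1) rather than written past its end. */
int replay_store_checked(struct replay_entry *rp, const uint8_t *enc, size_t len)
{
    if (len > sizeof(rp->rp_ibuf))
        return -1;
    memcpy(rp->rp_ibuf, enc, len);
    rp->rp_buflen = len;
    return 0;
}
```

Any caller that hits the -1 path has to fall back to a heap-allocated buffer or decline to cache the reply; the point of the model is only that the size check must happen before the copy.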