CVE-2022-48827

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Fix the behavior of READ near OFFSET_MAX<br /> <br /> Dan Aloni reports:<br /> &gt; Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to<br /> &gt; the RPC read layers") on the client, a read of 0xfff is aligned up<br /> &gt; to server rsize of 0x1000.<br /> &gt;<br /> &gt; As a result, in a test where the server has a file of size<br /> &gt; 0x7fffffffffffffff, and the client tries to read from the offset<br /> &gt; 0x7ffffffffffff000, the read causes loff_t overflow in the server<br /> &gt; and it returns an NFS code of EINVAL to the client. The client as<br /> &gt; a result indefinitely retries the request.<br /> <br /> The Linux NFS client does not handle NFS?ERR_INVAL, even though all<br /> NFS specifications permit servers to return that status code for a<br /> READ.<br /> <br /> Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed<br /> and return a short result. Set the EOF flag in the result to prevent<br /> the client from retrying the READ request. This behavior appears to<br /> be consistent with Solaris NFS servers.<br /> <br /> Note that NFSv3 and NFSv4 use u64 offset values on the wire. These<br /> must be converted to loff_t internally before use -- an implicit<br /> type cast is not adequate for this purpose. Otherwise VFS checks<br /> against sb-&gt;s_maxbytes do not work properly.