nfsd: Disable NFSv2 timestamp workaround for NFSv3+

NFSv2 can set the atime and/or mtime of a file to specific timestamps but not
to the server's current time.  To implement the equivalent of utimes("file",
NULL), it uses a heuristic.

NFSv3 and later do support setting the atime and/or mtime to the server's
current time directly.  The NFSv2 heuristic is still enabled, and causes
timestamps to be set wrong sometimes.

Fix this by moving the heuristic into the NFSv2 specific code.  We can leave it
out of the create code path: the owner can always set timestamps arbitrarily,
and the workaround would never trigger.

References: CVE-2015-1350
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

2 files changed, 50 insertions, 38 deletions

diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index aecbcd34d336..4cd78ef4c95c 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -59,13 +59,61 @@ static __be32
 nfsd_proc_setattr(struct svc_rqst *rqstp, struct nfsd_sattrargs *argp,
                                           struct nfsd_attrstat  *resp)
 {
+        struct iattr *iap = &argp->attrs;
+        struct svc_fh *fhp;
         __be32 nfserr;
+
         dprintk("nfsd: SETATTR  %s, valid=%x, size=%ld\n",
                 SVCFH_fmt(&argp->fh),
                 argp->attrs.ia_valid, (long) argp->attrs.ia_size);
 
-        fh_copy(&resp->fh, &argp->fh);
-        nfserr = nfsd_setattr(rqstp, &resp->fh, &argp->attrs,0, (time_t)0);
+        fhp = fh_copy(&resp->fh, &argp->fh);
+
+        /*
+         * NFSv2 does not differentiate between "set-[ac]time-to-now"
+         * which only requires access, and "set-[ac]time-to-X" which
+         * requires ownership.
+         * So if it looks like it might be "set both to the same time which
+         * is close to now", and if inode_change_ok fails, then we
+         * convert to "set to now" instead of "set to explicit time"
+         *
+         * We only call inode_change_ok as the last test as technically
+         * it is not an interface that we should be using.
+         */
+#define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
+#define MAX_TOUCH_TIME_ERROR (30*60)
+        if ((iap->ia_valid & BOTH_TIME_SET) == BOTH_TIME_SET &&
+            iap->ia_mtime.tv_sec == iap->ia_atime.tv_sec) {
+                /*
+                 * Looks probable.
+                 *
+                 * Now just make sure time is in the right ballpark.
+                 * Solaris, at least, doesn't seem to care what the time
+                 * request is.  We require it be within 30 minutes of now.
+                 */
+                time_t delta = iap->ia_atime.tv_sec - get_seconds();
+                struct inode *inode;
+
+                nfserr = fh_verify(rqstp, fhp, 0, NFSD_MAY_NOP);
+                if (nfserr)
+                        goto done;
+                inode = d_inode(fhp->fh_dentry);
+
+                if (delta < 0)
+                        delta = -delta;
+                if (delta < MAX_TOUCH_TIME_ERROR &&
+                    inode_change_ok(inode, iap) != 0) {
+                        /*
+                         * Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
+                         * This will cause notify_change to set these times
+                         * to "now"
+                         */
+                        iap->ia_valid &= ~BOTH_TIME_SET;
+                }
+        }
+
+        nfserr = nfsd_setattr(rqstp, fhp, iap, 0, (time_t)0);
+done:
         return nfsd_return_attrs(nfserr, resp);
 }
 
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 84d770be056e..92de3747ea8b 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -302,42 +302,6 @@ commit_metadata(struct svc_fh *fhp)
 static void
 nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
 {
-        /*
-         * NFSv2 does not differentiate between "set-[ac]time-to-now"
-         * which only requires access, and "set-[ac]time-to-X" which
-         * requires ownership.
-         * So if it looks like it might be "set both to the same time which
-         * is close to now", and if inode_change_ok fails, then we
-         * convert to "set to now" instead of "set to explicit time"
-         *
-         * We only call inode_change_ok as the last test as technically
-         * it is not an interface that we should be using.
-         */
-#define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
-#define MAX_TOUCH_TIME_ERROR (30*60)
-        if ((iap->ia_valid & BOTH_TIME_SET) == BOTH_TIME_SET &&
-            iap->ia_mtime.tv_sec == iap->ia_atime.tv_sec) {
-                /*
-                 * Looks probable.
-                 *
-                 * Now just make sure time is in the right ballpark.
-                 * Solaris, at least, doesn't seem to care what the time
-                 * request is.  We require it be within 30 minutes of now.
-                 */
-                time_t delta = iap->ia_atime.tv_sec - get_seconds();
-                if (delta < 0)
-                        delta = -delta;
-                if (delta < MAX_TOUCH_TIME_ERROR &&
-                    inode_change_ok(inode, iap) != 0) {
-                        /*
-                         * Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
-                         * This will cause notify_change to set these times
-                         * to "now"
-                         */
-                        iap->ia_valid &= ~BOTH_TIME_SET;
-                }
-        }
-
         /* sanitize the mode change */
         if (iap->ia_valid & ATTR_MODE) {
                 iap->ia_mode &= S_IALLUGO;