From: Dave Jones <davej@redhat.com>
To: Chris Wright <chrisw@sous-sol.org>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Mike OConnor <mjo@dojo.mi.org>,
trond.myklebust@netapp.com, Greg Banks <gnb@melbourne.sgi.com>
Subject: Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)
Date: Wed, 1 Mar 2006 23:33:23 -0500
Message-ID: <20060302043323.GC31863@redhat.com>
In-Reply-To: <20060227223407.671256000@sorel.sous-sol.org>
On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ------------------
>
> This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
> NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> ---
>
> fs/nfs/direct.c | 5 +++++
> 1 files changed, 5 insertions(+)
>
> --- linux-2.6.15.4.orig/fs/nfs/direct.c
> +++ linux-2.6.15.4/fs/nfs/direct.c
> @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
> result = get_user_pages(current, current->mm, user_addr,
> page_count, (rw == READ), 0,
> *pages, NULL);
> + if (result >= 0 && result < page_count) {
> + nfs_free_user_pages(*pages, result, 0);
> + *pages = NULL;
> + result = -EFAULT;
> + }
> up_read(¤t->mm->mmap_sem);
> }
> return result;
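Review bot: The new error path calls nfs_free_user_pages() before that static function is defined in this file (its definition sits below nfs_get_user_pages, as the follow-up compiler output at direct.c:110 and :127 shows), so this hunk does not build on its own: either a forward declaration such as `static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);` near the top of direct.c or relocating the definition above this caller is needed in the same patch. The check itself is right: a short count from get_user_pages() previously left the caller treating an incompletely pinned array as fully mapped, and releasing the `result` pages pinned so far, nulling `*pages` so the caller cannot free them again, and returning -EFAULT closes that. The `¤t->mm->mmap_sem` in the trailing context line is an archive rendering of `&current->mm->mmap_sem`, not part of the change.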
Also broken in 2.6.15.5 it seems :-/
fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
Some function juggling should do the trick.
Signed-off-by: Dave Jones <davej@redhat.com>
--- linux-2.6.15/fs/nfs/direct.c~ 2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c 2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
error; /* any reported error */
};
+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+ int i;
+ for (i = 0; i < npages; i++) {
+ if (do_dirty)
+ set_page_dirty_lock(pages[i]);
+ page_cache_release(pages[i]);
+ }
+ kfree(pages);
+}
/**
* nfs_get_user_pages - find and set up pages underlying user's buffer
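Review bot: This is a pure relocation, and the moved block (kerneldoc comment, signature, loop with set_page_dirty_lock()/page_cache_release(), kfree) matches the block deleted in the following hunk line for line, so there is no behaviour change. A one-line forward declaration would have been a smaller diff for -stable, but placing the definition ahead of its caller in nfs_get_user_pages is the cleaner fix for the implicit-declaration error and avoids a second copy of the prototype to keep in sync.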
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
}
/**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
- int i;
- for (i = 0; i < npages; i++) {
- if (do_dirty)
- set_page_dirty_lock(pages[i]);
- page_cache_release(pages[i]);
- }
- kfree(pages);
-}
-
-/**
* nfs_direct_req_release - release nfs_direct_req structure for direct read
* @kref: kref object embedded in an nfs_direct_req structure
*
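Review bot: The changelog should say what this fixes: the relocation repairs the build break (implicit declaration of nfs_free_user_pages followed by a conflicting static definition) introduced by the CVE-2006-0555 change to nfs_get_user_pages, so that -stable readers see why a function move rides along with a security fix. The hunk arithmetic is consistent (24 old lines, 6 new, 18 removed, matching the 17 added lines plus the blank separator above), and the `/**` kept as leading context now opens the nfs_direct_req_release kerneldoc, which is what the deleted `-/**` previously did.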