From: Kinglong Mee <kinglongmee@gmail.com>
To: Bernd Schubert <bernd.schubert@fastmail.fm>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference
Date: Mon, 21 Apr 2014 11:22:26 +0800 [thread overview]
Message-ID: <53548EF2.40408@gmail.com> (raw)
In-Reply-To: <lis0kj$kaj$1@ger.gmane.org>
On 2014/4/19 04:06, Bernd Schubert wrote:
> While running FhGFS-to-NFS stress tests, I noticed this bug (with a
> RHEL 6.5 kernel, but I think it also in linux-git).
>
> [ 3428.087489] BUG: unable to handle kernel paging request at ffff880735fb8000
> [ 3428.094821] IP: [<ffffffffa038066e>] nfsd4_create+0x27e/0x380 [nfsd]
>
> gdb resolves this to
>
> (gdb) l *(nfsd4_create+0x27e)
> 0x1469e is in nfsd4_create (fs/nfsd/nfs4proc.c:527).
> 522 * null-terminate by brute force, since at worst we
> 523 * will overwrite the first byte of the create namelen
> 524 * in the XDR buffer, which has already been extracted
> 525 * during XDR decode.
> 526 */
> 527 create->cr_linkname[create->cr_linklen] = 0;
> 528
> 529 status = nfsd_symlink(rqstp, &cstate->current_fh,
> 530 create->cr_name, create->cr_namelen,
> 531 create->cr_linkname, create->cr_linklen,
>
>
> create->cr_linkname is set in nfsd4_decode_create and
> even current .git does not check for the result of savemem
> there.
>
> --
> nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference
>
> From: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de>
>
> create->cr_linkname was later used without any check if savemem()
> succeeded.
>
>
> Signed-off-by: Bernd Schubert <bernd.schubert@fastmail.fm>
> ---
> fs/nfsd/nfs4xdr.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 2723c1b..eb65d1e 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -603,6 +603,10 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
> READ32(create->cr_linklen);
> READ_BUF(create->cr_linklen);
> SAVEMEM(create->cr_linkname, create->cr_linklen);
> + status = check_filename(create->cr_linkname,
> + create->cr_linklen);
Don't call check_filename() here.
cr_linkname maybe a path contains '/', or '.',
check_filename will return error nfserr_badname for those path.
IMO, just check whether the length is zero as,
if (create->cr_linklen == 0)
return nfserr_inval;
thanks,
Kinglong Mee
next prev parent reply other threads:[~2014-04-21 3:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-18 20:06 [PATCH] nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference Bernd Schubert
2014-04-21 3:22 ` Kinglong Mee [this message]
2014-04-22 10:06 ` Bernd Schubert
2014-05-24 0:42 ` Kinglong Mee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53548EF2.40408@gmail.com \
--to=kinglongmee@gmail.com \
--cc=bernd.schubert@fastmail.fm \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.