Re: NFS/credentials leak in 2.6.29-rc1

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Evgeniy Polyakov <zbr@ioremap.net>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
	linux-fsdevel@vger.kernel.org,
	David Howells <dhowells@redhat.com>
Subject: Re: NFS/credentials leak in 2.6.29-rc1
Date: Tue, 20 Jan 2009 18:53:41 -0500	[thread overview]
Message-ID: <20090120235341.GA29017@fieldses.org> (raw)
In-Reply-To: <20090120152304.GA28592@ioremap.net>

On Tue, Jan 20, 2009 at 06:23:04PM +0300, Evgeniy Polyakov wrote:
> On Tue, Jan 20, 2009 at 10:11:25AM -0500, J. Bruce Fields (bfields@fieldses.org) wrote:
> > This doesn't look familiar, no; thanks for the report.  I guess we
> > should take a careful look at the recent changes to fs/nfsd/auth.c?
> 
> If creds are allocated in nfsd_setuser() and never freed? groups_alloc()
> can also explain size-256 slab grew, so this may be the place where
> things are allocated, but why they are not freed?
> This may also explain why I did not see this for the large sequential
> IO, since number of requests to the server was noticebly smaller, than
> in random IO test.

Looking through nfsd_setuser(), one obvious bug: in the (flags &
NFSEXP_ALLSQUASH) case, we never check the return value from the
groups_alloc(0).  If it returns NULL, we dereference it anyway.

But that's unrelated.  For the cred reference counting:

	- revert_creds(get_cred(current->real_cred)) modifies
	  current->cred, putting the old value and getting the new.  OK.
	- new = prepare_creds() creates a new object with count 1.  All
	  subsequent exits from the function go through the oom or error
	  labels, which put new. OK.
	- Each of the three ALLSQUASH/ROOTSQUASH/else paths create a new
	  reference to a groups_info struct in gi, which is
	  unconditionally assigned to new by set_groups().  set_groups()
	  takes its own reference on gi, then we put the original
	  reference in the following put_group_info().  OK.
	- Finally, we put_cred(override_creds(new)).  That modifies
	  current->cred again, putting the old value and getting the
	  new.

Hm.  But that last part's not OK; aren't we still holding our own
reference to new, in addition to the one that override_creds() just
took?  So I think we need the following?

--b.

diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index c903e04..9966e9e 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -85,6 +85,7 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
 		new->cap_effective = cap_raise_nfsd_set(new->cap_effective,
 							new->cap_permitted);
 	put_cred(override_creds(new));
+	put_cred(new);
 	return 0;
 
 oom:

next prev parent reply	other threads:[~2009-01-20 23:53 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-01-20 11:46 NFS/credentials leak in 2.6.29-rc1 Evgeniy Polyakov
2009-01-20 13:37 ` Trond Myklebust
2009-01-20 13:49   ` Evgeniy Polyakov
2009-01-20 15:11 ` J. Bruce Fields
2009-01-20 15:23   ` Evgeniy Polyakov
2009-01-20 23:53     ` J. Bruce Fields [this message]
2009-01-21 12:23     ` David Howells
2009-01-21 12:37       ` Evgeniy Polyakov
2009-01-21 22:39         ` J. Bruce Fields
2009-01-21 22:46           ` Evgeniy Polyakov
2009-01-21 23:18             ` J. Bruce Fields
2009-01-21 23:31               ` Evgeniy Polyakov
2009-01-27  0:49         ` J. Bruce Fields
2009-01-27  9:26           ` Evgeniy Polyakov
2009-01-27 22:07             ` J. Bruce Fields
2009-01-29 14:37               ` Evgeniy Polyakov
2009-01-29 18:52                 ` J. Bruce Fields
2009-01-29 19:00                   ` Evgeniy Polyakov
2009-02-05 13:22         ` David Howells
2009-02-05 17:21           ` J. Bruce Fields
2009-01-21 13:17       ` David Howells
2009-01-21 13:18         ` Evgeniy Polyakov
2009-01-21 22:37       ` J. Bruce Fields
2009-01-22  7:08       ` David Howells
2009-01-22 16:43         ` J. Bruce Fields
2009-01-20 21:44 ` David Howells
2009-01-21 22:42   ` J. Bruce Fields

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c903e04 dfblob:9966e9e )
 OR (
bs:"Re: NFS/credentials leak in 2.6.29-rc1" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090120235341.GA29017@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=dhowells@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=trond.myklebust@fys.uio.no \
    --cc=zbr@ioremap.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).