* [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message @ 2018-04-17 20:11 Dave Wysochanski 2018-05-15 13:06 ` David Wysochanski 0 siblings, 1 reply; 5+ messages in thread From: Dave Wysochanski @ 2018-04-17 20:11 UTC (permalink / raw) To: linux-nfs In nfs_idmap_read_and_verify_message there is an unprotected sprintf that converts the __u32 'im_id' from struct idmap_msg to 'id_str' that is a stack variable of 'NFS_UINT_MAXLEN' (defined as 11). If a uid or gid value is > 2147483647 = 0x7fffffff we corrupt kernel memory by one byte and if CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic as follows: [11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G W ------------ T 3.10.0-514.el7.x86_64 #1 [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014 [11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac [11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8 [11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c [11558053.650107] Call Trace: [11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b [11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2 [11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140 [11558053.682589] [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] [11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30 [11558053.691619] [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] [11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc] [11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0 [11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0 [11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0 [11558053.709674] [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b Fix this by snprintf and a safe length based on sizeof(id_str). Signed-off-by: Dave Wysochanski <dwysocha@redhat.com> Reported-by: Stephen Johnston <sjohnsto@redhat.com> --- fs/nfs/nfs4idmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c index 22dc30a679a0..a8c663f8dd99 100644 --- a/fs/nfs/nfs4idmap.c +++ b/fs/nfs/nfs4idmap.c @@ -627,7 +627,7 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im, if (strcmp(upcall->im_name, im->im_name) != 0) break; /* Note: here we store the NUL terminator too */ - len = sprintf(id_str, "%d", im->im_id) + 1; + len = snprintf(id_str, sizeof(id_str), "%u", im->im_id) + 1; ret = nfs_idmap_instantiate(key, authkey, id_str, len); break; case IDMAP_CONV_IDTONAME: -- 2.14.3 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message 2018-04-17 20:11 [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message Dave Wysochanski @ 2018-05-15 13:06 ` David Wysochanski 2018-05-15 13:59 ` Trond Myklebust 0 siblings, 1 reply; 5+ messages in thread From: David Wysochanski @ 2018-05-15 13:06 UTC (permalink / raw) To: linux-nfs On Tue, 2018-04-17 at 16:11 -0400, Dave Wysochanski wrote: > In nfs_idmap_read_and_verify_message there is an unprotected sprintf > that converts the __u32 'im_id' from struct idmap_msg to 'id_str' > that is a stack variable of 'NFS_UINT_MAXLEN' (defined as 11). > If a uid or gid value is > 2147483647 = 0x7fffffff we corrupt > kernel memory by one byte and if CONFIG_CC_STACKPROTECTOR_STRONG > is set we see a stack-protector panic as follows: > > [11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c > > [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G W ------------ T 3.10.0-514.el7.x86_64 #1 > [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014 > [11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac > [11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8 > [11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c > [11558053.650107] Call Trace: > [11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b > [11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2 > [11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140 > [11558053.682589] [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] > [11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30 > [11558053.691619] [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] > [11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc] > [11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0 > [11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0 > [11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0 > [11558053.709674] [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b > > Fix this by snprintf and a safe length based on sizeof(id_str). > > Signed-off-by: Dave Wysochanski <dwysocha@redhat.com> > Reported-by: Stephen Johnston <sjohnsto@redhat.com> > --- > fs/nfs/nfs4idmap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c > index 22dc30a679a0..a8c663f8dd99 100644 > --- a/fs/nfs/nfs4idmap.c > +++ b/fs/nfs/nfs4idmap.c > @@ -627,7 +627,7 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im, > if (strcmp(upcall->im_name, im->im_name) != 0) > break; > /* Note: here we store the NUL terminator too */ > - len = sprintf(id_str, "%d", im->im_id) + 1; > + len = snprintf(id_str, sizeof(id_str), "%u", im->im_id) + 1; > ret = nfs_idmap_instantiate(key, authkey, id_str, len); > break; > case IDMAP_CONV_IDTONAME: I did not see any reply to this and we did have one customer hit this which caused a considerable outage of many machines. In essence once this happened, it became a DoS on all machines using idmapping and they implemented a temporary workaround. Anna / Trond - if you need me to improve the patch header or want clarification or see a problem with it, please let me know. Thanks. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message 2018-05-15 13:06 ` David Wysochanski @ 2018-05-15 13:59 ` Trond Myklebust 2018-05-15 15:44 ` David Wysochanski 0 siblings, 1 reply; 5+ messages in thread From: Trond Myklebust @ 2018-05-15 13:59 UTC (permalink / raw) To: linux-nfs@vger.kernel.org, dwysocha@redhat.com T24gVHVlLCAyMDE4LTA1LTE1IGF0IDA5OjA2IC0wNDAwLCBEYXZpZCBXeXNvY2hhbnNraSB3cm90 ZToNCj4gT24gVHVlLCAyMDE4LTA0LTE3IGF0IDE2OjExIC0wNDAwLCBEYXZlIFd5c29jaGFuc2tp IHdyb3RlOg0KPiA+IEluIG5mc19pZG1hcF9yZWFkX2FuZF92ZXJpZnlfbWVzc2FnZSB0aGVyZSBp cyBhbiB1bnByb3RlY3RlZA0KPiA+IHNwcmludGYNCj4gPiB0aGF0IGNvbnZlcnRzIHRoZSBfX3Uz MiAnaW1faWQnIGZyb20gc3RydWN0IGlkbWFwX21zZyB0byAnaWRfc3RyJw0KPiA+IHRoYXQgaXMg YSBzdGFjayB2YXJpYWJsZSBvZiAnTkZTX1VJTlRfTUFYTEVOJyAoZGVmaW5lZCBhcyAxMSkuDQo+ ID4gSWYgYSB1aWQgb3IgZ2lkIHZhbHVlIGlzID4gMjE0NzQ4MzY0NyA9IDB4N2ZmZmZmZmYgd2Ug Y29ycnVwdA0KPiA+IGtlcm5lbCBtZW1vcnkgYnkgb25lIGJ5dGUgYW5kIGlmIENPTkZJR19DQ19T VEFDS1BST1RFQ1RPUl9TVFJPTkcNCj4gPiBpcyBzZXQgd2Ugc2VlIGEgc3RhY2stcHJvdGVjdG9y IHBhbmljIGFzIGZvbGxvd3M6DQo+ID4gDQo+ID4gWzExNTU4MDUzLjYxNjU2NV0gS2VybmVsIHBh bmljIC0gbm90IHN5bmNpbmc6IHN0YWNrLXByb3RlY3RvcjoNCj4gPiBLZXJuZWwgc3RhY2sgaXMg Y29ycnVwdGVkIGluOiBmZmZmZmZmZmEwNWI4YThjDQo+ID4gDQo+ID4gWzExNTU4MDUzLjYzOTA2 M10gQ1BVOiA2IFBJRDogOTQyMyBDb21tOiBycGMuaWRtYXBkIFRhaW50ZWQ6DQo+ID4gRyAgICAg ICAgVyAgICAgIC0tLS0tLS0tLS0tLSBUIDMuMTAuMC01MTQuZWw3Lng4Nl82NCAjMQ0KPiA+IFsx MTU1ODA1My42NDE5OTBdIEhhcmR3YXJlIG5hbWU6IFJlZCBIYXQgT3BlblN0YWNrIENvbXB1dGUs IEJJT1MNCj4gPiAxLjEwLjItMy5lbDdfNC4xIDA0LzAxLzIwMTQNCj4gPiBbMTE1NTgwNTMuNjQ0 NDYyXSAgZmZmZmZmZmY4MThjN2JjMCAwMDAwMDAwMGIxZjNhZWMxDQo+ID4gZmZmZjg4MGRlMGY5 YmQ0OCBmZmZmZmZmZjgxNjg1ZWFjDQo+ID4gWzExNTU4MDUzLjY0NjQzMF0gIGZmZmY4ODBkZTBm OWJkYzggZmZmZmZmZmY4MTY3ZjJiMw0KPiA+IGZmZmZmZmZmMDAwMDAwMTAgZmZmZjg4MGRlMGY5 YmRkOA0KPiA+IFsxMTU1ODA1My42NDgzMTNdICBmZmZmODgwZGUwZjliZDc4IDAwMDAwMDAwYjFm M2FlYzENCj4gPiBmZmZmZmZmZjgxMWRjYjAzIGZmZmZmZmZmYTA1YjhhOGMNCj4gPiBbMTE1NTgw NTMuNjUwMTA3XSBDYWxsIFRyYWNlOg0KPiA+IFsxMTU1ODA1My42NTEzNDddICBbPGZmZmZmZmZm ODE2ODVlYWM+XSBkdW1wX3N0YWNrKzB4MTkvMHgxYg0KPiA+IFsxMTU1ODA1My42NTMwMTNdICBb PGZmZmZmZmZmODE2N2YyYjM+XSBwYW5pYysweGUzLzB4MWYyDQo+ID4gWzExNTU4MDUzLjY2NjI0 MF0gIFs8ZmZmZmZmZmY4MTFkY2IwMz5dID8ga2ZyZWUrMHgxMDMvMHgxNDANCj4gPiBbMTE1NTgw NTMuNjgyNTg5XSAgWzxmZmZmZmZmZmEwNWI4YThjPl0gPw0KPiA+IGlkbWFwX3BpcGVfZG93bmNh bGwrMHgxY2MvMHgxZTAgW25mc3Y0XQ0KPiA+IFsxMTU1ODA1My42ODk3MTBdICBbPGZmZmZmZmZm ODEwODU1ZGI+XSBfX3N0YWNrX2Noa19mYWlsKzB4MWIvMHgzMA0KPiA+IFsxMTU1ODA1My42OTE2 MTldICBbPGZmZmZmZmZmYTA1YjhhOGM+XQ0KPiA+IGlkbWFwX3BpcGVfZG93bmNhbGwrMHgxY2Mv MHgxZTAgW25mc3Y0XQ0KPiA+IFsxMTU1ODA1My42OTM4NjddICBbPGZmZmZmZmZmYTAwMjA5ZDY+ XSBycGNfcGlwZV93cml0ZSsweDU2LzB4NzANCj4gPiBbc3VucnBjXQ0KPiA+IFsxMTU1ODA1My42 OTU3NjNdICBbPGZmZmZmZmZmODExZmUxMmQ+XSB2ZnNfd3JpdGUrMHhiZC8weDFlMA0KPiA+IFsx MTU1ODA1My43MDIyMzZdICBbPGZmZmZmZmZmODEwYWNjY2M+XSA/IHRhc2tfd29ya19ydW4rMHhh Yy8weGUwDQo+ID4gWzExNTU4MDUzLjcwNDIxNV0gIFs8ZmZmZmZmZmY4MTFmZWM0Zj5dIFN5U193 cml0ZSsweDdmLzB4ZTANCj4gPiBbMTE1NTgwNTMuNzA5Njc0XSAgWzxmZmZmZmZmZjgxNjk2NGM5 Pl0NCj4gPiBzeXN0ZW1fY2FsbF9mYXN0cGF0aCsweDE2LzB4MWINCj4gPiANCj4gPiBGaXggdGhp cyBieSBzbnByaW50ZiBhbmQgYSBzYWZlIGxlbmd0aCBiYXNlZCBvbiBzaXplb2YoaWRfc3RyKS4N Cj4gPiANCj4gPiBTaWduZWQtb2ZmLWJ5OiBEYXZlIFd5c29jaGFuc2tpIDxkd3lzb2NoYUByZWRo YXQuY29tPg0KPiA+IFJlcG9ydGVkLWJ5OiBTdGVwaGVuIEpvaG5zdG9uIDxzam9obnN0b0ByZWRo YXQuY29tPg0KPiA+IC0tLQ0KPiA+ICBmcy9uZnMvbmZzNGlkbWFwLmMgfCAyICstDQo+ID4gIDEg ZmlsZSBjaGFuZ2VkLCAxIGluc2VydGlvbigrKSwgMSBkZWxldGlvbigtKQ0KPiA+IA0KPiA+IGRp ZmYgLS1naXQgYS9mcy9uZnMvbmZzNGlkbWFwLmMgYi9mcy9uZnMvbmZzNGlkbWFwLmMNCj4gPiBp bmRleCAyMmRjMzBhNjc5YTAuLmE4YzY2M2Y4ZGQ5OSAxMDA2NDQNCj4gPiAtLS0gYS9mcy9uZnMv bmZzNGlkbWFwLmMNCj4gPiArKysgYi9mcy9uZnMvbmZzNGlkbWFwLmMNCj4gPiBAQCAtNjI3LDcg KzYyNyw3IEBAIHN0YXRpYyBpbnQNCj4gPiBuZnNfaWRtYXBfcmVhZF9hbmRfdmVyaWZ5X21lc3Nh Z2Uoc3RydWN0IGlkbWFwX21zZyAqaW0sDQo+ID4gIAkJaWYgKHN0cmNtcCh1cGNhbGwtPmltX25h bWUsIGltLT5pbV9uYW1lKSAhPSAwKQ0KPiA+ICAJCQlicmVhazsNCj4gPiAgCQkvKiBOb3RlOiBo ZXJlIHdlIHN0b3JlIHRoZSBOVUwgdGVybWluYXRvciB0b28gKi8NCj4gPiAtCQlsZW4gPSBzcHJp bnRmKGlkX3N0ciwgIiVkIiwgaW0tPmltX2lkKSArIDE7DQo+ID4gKwkJbGVuID0gc25wcmludGYo aWRfc3RyLCBzaXplb2YoaWRfc3RyKSwgIiV1IiwgaW0tDQo+ID4gPmltX2lkKSArIDE7DQo+ID4g IAkJcmV0ID0gbmZzX2lkbWFwX2luc3RhbnRpYXRlKGtleSwgYXV0aGtleSwgaWRfc3RyLA0KPiA+ IGxlbik7DQo+ID4gIAkJYnJlYWs7DQo+ID4gIAljYXNlIElETUFQX0NPTlZfSURUT05BTUU6DQo+ IA0KPiANCj4gSSBkaWQgbm90IHNlZSBhbnkgcmVwbHkgdG8gdGhpcyBhbmQgd2UgZGlkIGhhdmUg b25lIGN1c3RvbWVyIGhpdCB0aGlzDQo+IHdoaWNoIGNhdXNlZCBhIGNvbnNpZGVyYWJsZSBvdXRh Z2Ugb2YgbWFueSBtYWNoaW5lcy4gIEluIGVzc2VuY2Ugb25jZQ0KPiB0aGlzIGhhcHBlbmVkLCBp dCBiZWNhbWUgYSBEb1Mgb24gYWxsIG1hY2hpbmVzIHVzaW5nIGlkbWFwcGluZyBhbmQNCj4gdGhl eQ0KPiBpbXBsZW1lbnRlZCBhIHRlbXBvcmFyeSB3b3JrYXJvdW5kLg0KPiANCj4gQW5uYSAvIFRy b25kIC0gaWYgeW91IG5lZWQgbWUgdG8gaW1wcm92ZSB0aGUgcGF0Y2ggaGVhZGVyIG9yIHdhbnQN Cj4gY2xhcmlmaWNhdGlvbiBvciBzZWUgYSBwcm9ibGVtIHdpdGggaXQsIHBsZWFzZSBsZXQgbWUg a25vdy4NCj4gDQoNCklmIHRoZSB2YWx1ZSBvZiBORlNfVUlOVF9NQVhMRU4gaXMgdG9vIHNtYWxs LCB0aGVuIHNob3VsZG4ndCB3ZSBiZQ0KaW5jcmVhc2luZyBpdD8gVGhhdCB3b3VsZCBhcHBlYXIg dG8gYmUgdGhlIHJlYWwgYnVnIGhlcmUuDQoNCkkgZG8gYWdyZWUgdGhhdCB0aGUgIiVkIiBzaG91 bGQgYmUgY2hhbmdlZCB0byAiJXUiLCB0aG91Z2guIElzbid0IHRoYXQNCnN1ZmZpY2llbnQgdG8g bWFrZSB0aGUgYnVmZmVyIGxhcmdlIGVub3VnaD8NCg0KQ2hlZXJzDQogVHJvbmQNCg0KLS0gDQpU cm9uZCBNeWtsZWJ1c3QNCkNUTywgSGFtbWVyc3BhY2UgSW5jDQo0MzAwIEVsIENhbWlubyBSZWFs LCBTdWl0ZSAxMDUNCkxvcyBBbHRvcywgQ0EgOTQwMjINCnd3dy5oYW1tZXIuc3BhY2UgaWQ9Ii14 LWV2by1zZWxlY3Rpb24tZW5kLW1hcmtlciI+ ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message 2018-05-15 13:59 ` Trond Myklebust @ 2018-05-15 15:44 ` David Wysochanski 2018-05-29 13:57 ` Trond Myklebust 0 siblings, 1 reply; 5+ messages in thread From: David Wysochanski @ 2018-05-15 15:44 UTC (permalink / raw) To: Trond Myklebust, linux-nfs@vger.kernel.org On Tue, 2018-05-15 at 13:59 +0000, Trond Myklebust wrote: > On Tue, 2018-05-15 at 09:06 -0400, David Wysochanski wrote: > > On Tue, 2018-04-17 at 16:11 -0400, Dave Wysochanski wrote: > > > In nfs_idmap_read_and_verify_message there is an unprotected > > > sprintf > > > that converts the __u32 'im_id' from struct idmap_msg to 'id_str' > > > that is a stack variable of 'NFS_UINT_MAXLEN' (defined as 11). > > > If a uid or gid value is > 2147483647 = 0x7fffffff we corrupt > > > kernel memory by one byte and if CONFIG_CC_STACKPROTECTOR_STRONG > > > is set we see a stack-protector panic as follows: > > > > > > [11558053.616565] Kernel panic - not syncing: stack-protector: > > > Kernel stack is corrupted in: ffffffffa05b8a8c > > > > > > [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: > > > G W ------------ T 3.10.0-514.el7.x86_64 #1 > > > [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS > > > 1.10.2-3.el7_4.1 04/01/2014 > > > [11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 > > > ffff880de0f9bd48 ffffffff81685eac > > > [11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 > > > ffffffff00000010 ffff880de0f9bdd8 > > > [11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 > > > ffffffff811dcb03 ffffffffa05b8a8c > > > [11558053.650107] Call Trace: > > > [11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b > > > [11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2 > > > [11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140 > > > [11558053.682589] [<ffffffffa05b8a8c>] ? > > > idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] > > > [11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30 > > > [11558053.691619] [<ffffffffa05b8a8c>] > > > idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] > > > [11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 > > > [sunrpc] > > > [11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0 > > > [11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0 > > > [11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0 > > > [11558053.709674] [<ffffffff816964c9>] > > > system_call_fastpath+0x16/0x1b > > > > > > Fix this by snprintf and a safe length based on sizeof(id_str). > > > > > > Signed-off-by: Dave Wysochanski <dwysocha@redhat.com> > > > Reported-by: Stephen Johnston <sjohnsto@redhat.com> > > > --- > > > fs/nfs/nfs4idmap.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c > > > index 22dc30a679a0..a8c663f8dd99 100644 > > > --- a/fs/nfs/nfs4idmap.c > > > +++ b/fs/nfs/nfs4idmap.c > > > @@ -627,7 +627,7 @@ static int > > > nfs_idmap_read_and_verify_message(struct idmap_msg *im, > > > if (strcmp(upcall->im_name, im->im_name) != 0) > > > break; > > > /* Note: here we store the NUL terminator too */ > > > - len = sprintf(id_str, "%d", im->im_id) + 1; > > > + len = snprintf(id_str, sizeof(id_str), "%u", im- > > > > im_id) + 1; > > > > > > ret = nfs_idmap_instantiate(key, authkey, id_str, > > > len); > > > break; > > > case IDMAP_CONV_IDTONAME: > > > > > > I did not see any reply to this and we did have one customer hit this > > which caused a considerable outage of many machines. In essence once > > this happened, it became a DoS on all machines using idmapping and > > they > > implemented a temporary workaround. > > > > Anna / Trond - if you need me to improve the patch header or want > > clarification or see a problem with it, please let me know. > > > > If the value of NFS_UINT_MAXLEN is too small, then shouldn't we be > increasing it? That would appear to be the real bug here. > Sorry the patch header doesn't explain it well. The %d usage with a __u32 is the problem. If we get a large enough value, the '-' sign makes it a buffer overflow and the NULL overwrites one byte on the stack. Examples crash> p (unsigned) (0x80000000) $1 = 2147483648 crash> p (signed) (0x80000000) $2 = -2147483648 So the unsigned max value uses 10 bytes plus a NULL, hence NFS_UINT_MAXLEN of 11. > I do agree that the "%d" should be changed to "%u", though. Isn't that > sufficient to make the buffer large enough? > > Yes you could just change the %d to %u in the sprintf, but the rest of the code uses snprintf so that's why I chose it. I'll also note there is nfs_map_numeric_to_string() that is called from other locations, and we could call from here as well for consistency: static int nfs_map_numeric_to_string(__u32 id, char *buf, size_t buflen) { return snprintf(buf, buflen, "%u", id); } If you want, I could submit a v2 patch with an improved header and this: diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c index 22dc30a..779411e0 100644 --- a/fs/nfs/nfs4idmap.c +++ b/fs/nfs/nfs4idmap.c @@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u32 id, const char *type, char *buf, int id_len; ssize_t ret; - id_len = snprintf(id_str, sizeof(id_str), "%u", id); + id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str)); ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap); if (ret < 0) return -EINVAL; @@ -627,7 +627,7 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im, if (strcmp(upcall->im_name, im->im_name) != 0) break; /* Note: here we store the NUL terminator too */ - len = sprintf(id_str, "%d", im->im_id) + 1; + len = nfs_map_numeric_to_string(im->im_id, id_str, sizeof(id_str)) + 1; ret = nfs_idmap_instantiate(key, authkey, id_str, len); break; case IDMAP_CONV_IDTONAME: ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message 2018-05-15 15:44 ` David Wysochanski @ 2018-05-29 13:57 ` Trond Myklebust 0 siblings, 0 replies; 5+ messages in thread From: Trond Myklebust @ 2018-05-29 13:57 UTC (permalink / raw) To: linux-nfs@vger.kernel.org, dwysocha@redhat.com T24gVHVlLCAyMDE4LTA1LTE1IGF0IDExOjQ0IC0wNDAwLCBEYXZpZCBXeXNvY2hhbnNraSB3cm90 ZToNCj4gT24gVHVlLCAyMDE4LTA1LTE1IGF0IDEzOjU5ICswMDAwLCBUcm9uZCBNeWtsZWJ1c3Qg d3JvdGU6DQo+ID4gT24gVHVlLCAyMDE4LTA1LTE1IGF0IDA5OjA2IC0wNDAwLCBEYXZpZCBXeXNv Y2hhbnNraSB3cm90ZToNCj4gPiA+IE9uIFR1ZSwgMjAxOC0wNC0xNyBhdCAxNjoxMSAtMDQwMCwg RGF2ZSBXeXNvY2hhbnNraSB3cm90ZToNCj4gPiA+ID4gSW4gbmZzX2lkbWFwX3JlYWRfYW5kX3Zl cmlmeV9tZXNzYWdlIHRoZXJlIGlzIGFuIHVucHJvdGVjdGVkDQo+ID4gPiA+IHNwcmludGYNCj4g PiA+ID4gdGhhdCBjb252ZXJ0cyB0aGUgX191MzIgJ2ltX2lkJyBmcm9tIHN0cnVjdCBpZG1hcF9t c2cgdG8NCj4gPiA+ID4gJ2lkX3N0cicNCj4gPiA+ID4gdGhhdCBpcyBhIHN0YWNrIHZhcmlhYmxl IG9mICdORlNfVUlOVF9NQVhMRU4nIChkZWZpbmVkIGFzIDExKS4NCj4gPiA+ID4gSWYgYSB1aWQg b3IgZ2lkIHZhbHVlIGlzID4gMjE0NzQ4MzY0NyA9IDB4N2ZmZmZmZmYgd2UgY29ycnVwdA0KPiA+ ID4gPiBrZXJuZWwgbWVtb3J5IGJ5IG9uZSBieXRlIGFuZCBpZg0KPiA+ID4gPiBDT05GSUdfQ0Nf U1RBQ0tQUk9URUNUT1JfU1RST05HDQo+ID4gPiA+IGlzIHNldCB3ZSBzZWUgYSBzdGFjay1wcm90 ZWN0b3IgcGFuaWMgYXMgZm9sbG93czoNCj4gPiA+ID4gDQo+ID4gPiA+IFsxMTU1ODA1My42MTY1 NjVdIEtlcm5lbCBwYW5pYyAtIG5vdCBzeW5jaW5nOiBzdGFjay1wcm90ZWN0b3I6DQo+ID4gPiA+ IEtlcm5lbCBzdGFjayBpcyBjb3JydXB0ZWQgaW46IGZmZmZmZmZmYTA1YjhhOGMNCj4gPiA+ID4g DQo+ID4gPiA+IFsxMTU1ODA1My42MzkwNjNdIENQVTogNiBQSUQ6IDk0MjMgQ29tbTogcnBjLmlk bWFwZCBUYWludGVkOg0KPiA+ID4gPiBHICAgICAgICBXICAgICAgLS0tLS0tLS0tLS0tIFQgMy4x MC4wLTUxNC5lbDcueDg2XzY0ICMxDQo+ID4gPiA+IFsxMTU1ODA1My42NDE5OTBdIEhhcmR3YXJl IG5hbWU6IFJlZCBIYXQgT3BlblN0YWNrIENvbXB1dGUsDQo+ID4gPiA+IEJJT1MNCj4gPiA+ID4g MS4xMC4yLTMuZWw3XzQuMSAwNC8wMS8yMDE0DQo+ID4gPiA+IFsxMTU1ODA1My42NDQ0NjJdICBm ZmZmZmZmZjgxOGM3YmMwIDAwMDAwMDAwYjFmM2FlYzENCj4gPiA+ID4gZmZmZjg4MGRlMGY5YmQ0 OCBmZmZmZmZmZjgxNjg1ZWFjDQo+ID4gPiA+IFsxMTU1ODA1My42NDY0MzBdICBmZmZmODgwZGUw ZjliZGM4IGZmZmZmZmZmODE2N2YyYjMNCj4gPiA+ID4gZmZmZmZmZmYwMDAwMDAxMCBmZmZmODgw ZGUwZjliZGQ4DQo+ID4gPiA+IFsxMTU1ODA1My42NDgzMTNdICBmZmZmODgwZGUwZjliZDc4IDAw MDAwMDAwYjFmM2FlYzENCj4gPiA+ID4gZmZmZmZmZmY4MTFkY2IwMyBmZmZmZmZmZmEwNWI4YThj DQo+ID4gPiA+IFsxMTU1ODA1My42NTAxMDddIENhbGwgVHJhY2U6DQo+ID4gPiA+IFsxMTU1ODA1 My42NTEzNDddICBbPGZmZmZmZmZmODE2ODVlYWM+XSBkdW1wX3N0YWNrKzB4MTkvMHgxYg0KPiA+ ID4gPiBbMTE1NTgwNTMuNjUzMDEzXSAgWzxmZmZmZmZmZjgxNjdmMmIzPl0gcGFuaWMrMHhlMy8w eDFmMg0KPiA+ID4gPiBbMTE1NTgwNTMuNjY2MjQwXSAgWzxmZmZmZmZmZjgxMWRjYjAzPl0gPyBr ZnJlZSsweDEwMy8weDE0MA0KPiA+ID4gPiBbMTE1NTgwNTMuNjgyNTg5XSAgWzxmZmZmZmZmZmEw NWI4YThjPl0gPw0KPiA+ID4gPiBpZG1hcF9waXBlX2Rvd25jYWxsKzB4MWNjLzB4MWUwIFtuZnN2 NF0NCj4gPiA+ID4gWzExNTU4MDUzLjY4OTcxMF0gIFs8ZmZmZmZmZmY4MTA4NTVkYj5dDQo+ID4g PiA+IF9fc3RhY2tfY2hrX2ZhaWwrMHgxYi8weDMwDQo+ID4gPiA+IFsxMTU1ODA1My42OTE2MTld ICBbPGZmZmZmZmZmYTA1YjhhOGM+XQ0KPiA+ID4gPiBpZG1hcF9waXBlX2Rvd25jYWxsKzB4MWNj LzB4MWUwIFtuZnN2NF0NCj4gPiA+ID4gWzExNTU4MDUzLjY5Mzg2N10gIFs8ZmZmZmZmZmZhMDAy MDlkNj5dDQo+ID4gPiA+IHJwY19waXBlX3dyaXRlKzB4NTYvMHg3MA0KPiA+ID4gPiBbc3VucnBj XQ0KPiA+ID4gPiBbMTE1NTgwNTMuNjk1NzYzXSAgWzxmZmZmZmZmZjgxMWZlMTJkPl0gdmZzX3dy aXRlKzB4YmQvMHgxZTANCj4gPiA+ID4gWzExNTU4MDUzLjcwMjIzNl0gIFs8ZmZmZmZmZmY4MTBh Y2NjYz5dID8NCj4gPiA+ID4gdGFza193b3JrX3J1bisweGFjLzB4ZTANCj4gPiA+ID4gWzExNTU4 MDUzLjcwNDIxNV0gIFs8ZmZmZmZmZmY4MTFmZWM0Zj5dIFN5U193cml0ZSsweDdmLzB4ZTANCj4g PiA+ID4gWzExNTU4MDUzLjcwOTY3NF0gIFs8ZmZmZmZmZmY4MTY5NjRjOT5dDQo+ID4gPiA+IHN5 c3RlbV9jYWxsX2Zhc3RwYXRoKzB4MTYvMHgxYg0KPiA+ID4gPiANCj4gPiA+ID4gRml4IHRoaXMg Ynkgc25wcmludGYgYW5kIGEgc2FmZSBsZW5ndGggYmFzZWQgb24gc2l6ZW9mKGlkX3N0cikuDQo+ ID4gPiA+IA0KPiA+ID4gPiBTaWduZWQtb2ZmLWJ5OiBEYXZlIFd5c29jaGFuc2tpIDxkd3lzb2No YUByZWRoYXQuY29tPg0KPiA+ID4gPiBSZXBvcnRlZC1ieTogU3RlcGhlbiBKb2huc3RvbiA8c2pv aG5zdG9AcmVkaGF0LmNvbT4NCj4gPiA+ID4gLS0tDQo+ID4gPiA+ICBmcy9uZnMvbmZzNGlkbWFw LmMgfCAyICstDQo+ID4gPiA+ICAxIGZpbGUgY2hhbmdlZCwgMSBpbnNlcnRpb24oKyksIDEgZGVs ZXRpb24oLSkNCj4gPiA+ID4gDQo+ID4gPiA+IGRpZmYgLS1naXQgYS9mcy9uZnMvbmZzNGlkbWFw LmMgYi9mcy9uZnMvbmZzNGlkbWFwLmMNCj4gPiA+ID4gaW5kZXggMjJkYzMwYTY3OWEwLi5hOGM2 NjNmOGRkOTkgMTAwNjQ0DQo+ID4gPiA+IC0tLSBhL2ZzL25mcy9uZnM0aWRtYXAuYw0KPiA+ID4g PiArKysgYi9mcy9uZnMvbmZzNGlkbWFwLmMNCj4gPiA+ID4gQEAgLTYyNyw3ICs2MjcsNyBAQCBz dGF0aWMgaW50DQo+ID4gPiA+IG5mc19pZG1hcF9yZWFkX2FuZF92ZXJpZnlfbWVzc2FnZShzdHJ1 Y3QgaWRtYXBfbXNnICppbSwNCj4gPiA+ID4gIAkJaWYgKHN0cmNtcCh1cGNhbGwtPmltX25hbWUs IGltLT5pbV9uYW1lKSAhPSAwKQ0KPiA+ID4gPiAgCQkJYnJlYWs7DQo+ID4gPiA+ICAJCS8qIE5v dGU6IGhlcmUgd2Ugc3RvcmUgdGhlIE5VTCB0ZXJtaW5hdG9yIHRvbw0KPiA+ID4gPiAqLw0KPiA+ ID4gPiAtCQlsZW4gPSBzcHJpbnRmKGlkX3N0ciwgIiVkIiwgaW0tPmltX2lkKSArIDE7DQo+ID4g PiA+ICsJCWxlbiA9IHNucHJpbnRmKGlkX3N0ciwgc2l6ZW9mKGlkX3N0ciksICIldSIsDQo+ID4g PiA+IGltLQ0KPiA+ID4gPiA+IGltX2lkKSArIDE7DQo+ID4gPiA+IA0KPiA+ID4gPiAgCQlyZXQg PSBuZnNfaWRtYXBfaW5zdGFudGlhdGUoa2V5LCBhdXRoa2V5LA0KPiA+ID4gPiBpZF9zdHIsDQo+ ID4gPiA+IGxlbik7DQo+ID4gPiA+ICAJCWJyZWFrOw0KPiA+ID4gPiAgCWNhc2UgSURNQVBfQ09O Vl9JRFRPTkFNRToNCj4gPiA+IA0KPiA+ID4gDQo+ID4gPiBJIGRpZCBub3Qgc2VlIGFueSByZXBs eSB0byB0aGlzIGFuZCB3ZSBkaWQgaGF2ZSBvbmUgY3VzdG9tZXIgaGl0DQo+ID4gPiB0aGlzDQo+ ID4gPiB3aGljaCBjYXVzZWQgYSBjb25zaWRlcmFibGUgb3V0YWdlIG9mIG1hbnkgbWFjaGluZXMu ICBJbiBlc3NlbmNlDQo+ID4gPiBvbmNlDQo+ID4gPiB0aGlzIGhhcHBlbmVkLCBpdCBiZWNhbWUg YSBEb1Mgb24gYWxsIG1hY2hpbmVzIHVzaW5nIGlkbWFwcGluZw0KPiA+ID4gYW5kDQo+ID4gPiB0 aGV5DQo+ID4gPiBpbXBsZW1lbnRlZCBhIHRlbXBvcmFyeSB3b3JrYXJvdW5kLg0KPiA+ID4gDQo+ ID4gPiBBbm5hIC8gVHJvbmQgLSBpZiB5b3UgbmVlZCBtZSB0byBpbXByb3ZlIHRoZSBwYXRjaCBo ZWFkZXIgb3Igd2FudA0KPiA+ID4gY2xhcmlmaWNhdGlvbiBvciBzZWUgYSBwcm9ibGVtIHdpdGgg aXQsIHBsZWFzZSBsZXQgbWUga25vdy4NCj4gPiA+IA0KPiA+IA0KPiA+IElmIHRoZSB2YWx1ZSBv ZiBORlNfVUlOVF9NQVhMRU4gaXMgdG9vIHNtYWxsLCB0aGVuIHNob3VsZG4ndCB3ZSBiZQ0KPiA+ IGluY3JlYXNpbmcgaXQ/IFRoYXQgd291bGQgYXBwZWFyIHRvIGJlIHRoZSByZWFsIGJ1ZyBoZXJl Lg0KPiA+IA0KPiANCj4gU29ycnkgdGhlIHBhdGNoIGhlYWRlciBkb2Vzbid0IGV4cGxhaW4gaXQg d2VsbC4gIFRoZSAlZCB1c2FnZSB3aXRoIGENCj4gX191MzIgaXMgdGhlIHByb2JsZW0uICBJZiB3 ZSBnZXQgYSBsYXJnZSBlbm91Z2ggdmFsdWUsIHRoZSAnLScgc2lnbg0KPiBtYWtlcyBpdCBhIGJ1 ZmZlciBvdmVyZmxvdyBhbmQgdGhlIE5VTEwgb3ZlcndyaXRlcyBvbmUgYnl0ZSBvbiB0aGUNCj4g c3RhY2suDQo+IA0KPiBFeGFtcGxlcw0KPiBjcmFzaD4gcCAodW5zaWduZWQpICgweDgwMDAwMDAw KQ0KPiAkMSA9IDIxNDc0ODM2NDgNCj4gY3Jhc2g+IHAgKHNpZ25lZCkgKDB4ODAwMDAwMDApDQo+ ICQyID0gLTIxNDc0ODM2NDgNCj4gDQo+IFNvIHRoZSB1bnNpZ25lZCBtYXggdmFsdWUgdXNlcyAx MCBieXRlcyBwbHVzIGEgTlVMTCwgaGVuY2UNCj4gTkZTX1VJTlRfTUFYTEVOIG9mIDExLg0KPiAN Cj4gDQo+ID4gSSBkbyBhZ3JlZSB0aGF0IHRoZSAiJWQiIHNob3VsZCBiZSBjaGFuZ2VkIHRvICIl dSIsIHRob3VnaC4gSXNuJ3QNCj4gPiB0aGF0DQo+ID4gc3VmZmljaWVudCB0byBtYWtlIHRoZSBi dWZmZXIgbGFyZ2UgZW5vdWdoPw0KPiA+IA0KPiA+IA0KPiANCj4gWWVzIHlvdSBjb3VsZCBqdXN0 IGNoYW5nZSB0aGUgJWQgdG8gJXUgaW4gdGhlIHNwcmludGYsIGJ1dCB0aGUgcmVzdA0KPiBvZg0K PiB0aGUgY29kZSB1c2VzIHNucHJpbnRmIHNvIHRoYXQncyB3aHkgSSBjaG9zZSBpdC4NCj4gDQo+ IEknbGwgYWxzbyBub3RlIHRoZXJlIGlzIG5mc19tYXBfbnVtZXJpY190b19zdHJpbmcoKSB0aGF0 IGlzIGNhbGxlZA0KPiBmcm9tDQo+IG90aGVyIGxvY2F0aW9ucywgYW5kIHdlIGNvdWxkIGNhbGwg ZnJvbSBoZXJlIGFzIHdlbGwgZm9yIGNvbnNpc3RlbmN5Og0KPiBzdGF0aWMgaW50IG5mc19tYXBf bnVtZXJpY190b19zdHJpbmcoX191MzIgaWQsIGNoYXIgKmJ1Ziwgc2l6ZV90DQo+IGJ1ZmxlbikN Cj4gew0KPiAJcmV0dXJuIHNucHJpbnRmKGJ1ZiwgYnVmbGVuLCAiJXUiLCBpZCk7DQo+IH0NCj4g DQo+IA0KPiBJZiB5b3Ugd2FudCwgSSBjb3VsZCBzdWJtaXQgYSB2MiBwYXRjaCB3aXRoIGFuIGlt cHJvdmVkIGhlYWRlciBhbmQNCj4gdGhpczoNCj4gDQo+IGRpZmYgLS1naXQgYS9mcy9uZnMvbmZz NGlkbWFwLmMgYi9mcy9uZnMvbmZzNGlkbWFwLmMNCj4gaW5kZXggMjJkYzMwYS4uNzc5NDExZTAg MTAwNjQ0DQo+IC0tLSBhL2ZzL25mcy9uZnM0aWRtYXAuYw0KPiArKysgYi9mcy9uZnMvbmZzNGlk bWFwLmMNCj4gQEAgLTM0Myw3ICszNDMsNyBAQCBzdGF0aWMgc3NpemVfdCBuZnNfaWRtYXBfbG9v a3VwX25hbWUoX191MzIgaWQsDQo+IGNvbnN0IGNoYXIgKnR5cGUsIGNoYXIgKmJ1ZiwNCj4gICAg ICAgICBpbnQgaWRfbGVuOw0KPiAgICAgICAgIHNzaXplX3QgcmV0Ow0KPiAgDQo+IC0gICAgICAg aWRfbGVuID0gc25wcmludGYoaWRfc3RyLCBzaXplb2YoaWRfc3RyKSwgIiV1IiwgaWQpOw0KPiAr ICAgICAgIGlkX2xlbiA9IG5mc19tYXBfbnVtZXJpY190b19zdHJpbmcoaWQsIGlkX3N0ciwNCj4g c2l6ZW9mKGlkX3N0cikpOw0KPiAgICAgICAgIHJldCA9IG5mc19pZG1hcF9nZXRfa2V5KGlkX3N0 ciwgaWRfbGVuLCB0eXBlLCBidWYsIGJ1ZmxlbiwNCj4gaWRtYXApOw0KPiAgICAgICAgIGlmIChy ZXQgPCAwKQ0KPiAgICAgICAgICAgICAgICAgcmV0dXJuIC1FSU5WQUw7DQo+IEBAIC02MjcsNyAr NjI3LDcgQEAgc3RhdGljIGludA0KPiBuZnNfaWRtYXBfcmVhZF9hbmRfdmVyaWZ5X21lc3NhZ2Uo c3RydWN0IGlkbWFwX21zZyAqaW0sDQo+ICAgICAgICAgICAgICAgICBpZiAoc3RyY21wKHVwY2Fs bC0+aW1fbmFtZSwgaW0tPmltX25hbWUpICE9IDApDQo+ICAgICAgICAgICAgICAgICAgICAgICAg IGJyZWFrOw0KPiAgICAgICAgICAgICAgICAgLyogTm90ZTogaGVyZSB3ZSBzdG9yZSB0aGUgTlVM IHRlcm1pbmF0b3IgdG9vICovDQo+IC0gICAgICAgICAgICAgICBsZW4gPSBzcHJpbnRmKGlkX3N0 ciwgIiVkIiwgaW0tPmltX2lkKSArIDE7DQo+ICsgICAgICAgICAgICAgICBsZW4gPSBuZnNfbWFw X251bWVyaWNfdG9fc3RyaW5nKGltLT5pbV9pZCwgaWRfc3RyLA0KPiBzaXplb2YoaWRfc3RyKSkg KyAxOw0KPiANCg0KWWVzLCBJIHRoaW5rIHRoaXMgbWFrZXMgbW9yZSBzZW5zZS4gQ2FuIHlvdSBw bGVhc2Ugc2VuZCBtZSBhIHYyIHdpdGgNCnRoaXMgZml4dXAuDQoNClRoYW5rcyENCiAgVHJvbmQN Cg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkNUTywgSGFtbWVyc3BhY2UgSW5jDQo0MzAwIEVsIENh bWlubyBSZWFsLCBTdWl0ZSAxMDUNCkxvcyBBbHRvcywgQ0EgOTQwMjINCnd3dy5oYW1tZXIuc3Bh Y2UgaWQ9Ii14LWV2by1zZWxlY3Rpb24tZW5kLW1hcmtlciI+ ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-05-29 13:57 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-04-17 20:11 [PATCH] Fix possible stack smash in nfs_idmap_read_and_verify_message Dave Wysochanski 2018-05-15 13:06 ` David Wysochanski 2018-05-15 13:59 ` Trond Myklebust 2018-05-15 15:44 ` David Wysochanski 2018-05-29 13:57 ` Trond Myklebust
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).