From: Vasily Averin <vvs@virtuozzo.com>
To: Trond Myklebust <trondmy@hammerspace.com>,
"bfields@fieldses.org" <bfields@fieldses.org>
Cc: "anna.schumaker@netapp.com" <anna.schumaker@netapp.com>,
"khorenko@virtuozzo.com" <khorenko@virtuozzo.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"eshatokhin@virtuozzo.com" <eshatokhin@virtuozzo.com>,
"chuck.lever@oracle.com" <chuck.lever@oracle.com>,
"jlayton@kernel.org" <jlayton@kernel.org>
Subject: Re: [PATCH 1/4] nfs: use-after-free in svc_process_common()
Date: Thu, 20 Dec 2018 04:39:03 +0300 [thread overview]
Message-ID: <2459cc18-3c14-fb68-def6-eb09fc096613@virtuozzo.com> (raw)
In-Reply-To: <d0b35e30-2eae-123e-19c6-fcd3cd93ab86@virtuozzo.com>
Dear Trond,
Red Hat security believes the problem is quite important security issue:
https://access.redhat.com/security/cve/cve-2018-16884
Fix should be backported to affected distributions.
Could you please approve my first patch and push it to stable@ ?
From my PoV it is correctly fixes the problem, it breaks nothing and easy for backports,
lightly modified it can be even live-patched.
Other patches including switch to using empty rqst->rq_xprt can wait.
Thank you,
Vasily Averin
On 12/19/18 2:25 PM, Vasily Averin wrote:
> On 12/18/18 11:43 PM, Trond Myklebust wrote:
>> On Tue, 2018-12-18 at 23:02 +0300, Vasily Averin wrote:
>>> On 12/18/18 5:55 PM, Trond Myklebust wrote:
>>>>>> It probably also requires us to store a pointer to struct net
>>>>>> in
>>>>>> the
>>>>>> struct svc_rqst so that nfs4_callback_compound() and
>>>>>> svcauth_gss_accept() can find it, but that should be OK since
>>>>>> the
>>>>>> transport already has that referenced.
>>>
>>> Ok, I can fix these functions and their sub-calls.
>>> However rqst->rq_xprt is used in other functions that seems can be
>>> called inside svc_process_common()
>>> - in trace_svc_process(rqstp, progp->pg_name);
>>> - in svc_reserve_auth(rqstp, ...) -> svc_reserve()
>>> - svc_authorise() -> svcauth_gss_release()
>>>
>>> It seems I should fix these places too, it isn't?
>>> could you please advise how to fix svc_reserve() ?
>>
>> We don't want svc_reserve() to run at all for the back channel, so I
>> guess that a test for rqstp->rq_xprt != NULL is appropriate there too.
>>
>> svcauth_gss_release() is just using rqstp->rq_xprt to find the net
>> namespace, so if you add a pointer rqstp->rq_net to fix
>> nfs4_callback_compound, then that will fix the gss case as well.
>>
>> For trace_svc_process(), maybe pull rqst->rq_xprt->xpt_remotebuf out of
>> the tracepoint definition in include/trace/events/sunrpc.h and make it
>> a tracepoint argument that is allowed to be NULL?
>
> This one seems works, could you please check it before formal submit ?
> NFSv4 callback-1644 [002] .... 4731.064372: svc_process: addr=(null) xid=0x0b0924e3 service=NFSv4 callback vers=1 proc=1
>
> Frankly speaking I'm afraid that I missed something,
> rqstp->rq_xprt is widely used and nobody expect that it can be NULL.
>
> And even I missed nothing -- it's quite tricky anyway.
> Future cahnges can add new calls or execute old non-empty-xprt-aware
> functions and trigger crash in some exotic configuration.
>
> Thank you,
> Vasily Averin
>
next prev parent reply other threads:[~2018-12-20 1:39 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-17 16:23 [PATCH 1/4] nfs: use-after-free in svc_process_common() Vasily Averin
2018-12-17 17:49 ` Jeff Layton
2018-12-17 21:50 ` J. Bruce Fields
2018-12-18 6:45 ` Vasily Averin
2018-12-18 12:49 ` Trond Myklebust
2018-12-18 14:35 ` Vasily Averin
2018-12-18 14:55 ` Trond Myklebust
2018-12-18 20:02 ` Vasily Averin
2018-12-18 20:43 ` Trond Myklebust
2018-12-19 11:25 ` Vasily Averin
2018-12-20 1:39 ` Vasily Averin [this message]
2018-12-20 1:58 ` Trond Myklebust
2018-12-20 9:30 ` Vasily Averin
2018-12-20 11:58 ` Trond Myklebust
2018-12-21 1:00 ` bfields
2018-12-21 11:30 ` Vasily Averin
2018-12-21 17:39 ` Vasily Averin
2018-12-22 17:46 ` Vasily Averin
2018-12-23 20:52 ` bfields
2018-12-23 21:03 ` Vasily Averin
2018-12-23 23:56 ` Trond Myklebust
2018-12-24 5:51 ` Vasily Averin
2018-12-24 6:05 ` Vasily Averin
2018-12-24 8:21 ` Trond Myklebust
2018-12-24 8:59 ` Vasily Averin
2018-12-24 9:53 ` Trond Myklebust
2018-12-24 11:48 ` Vasily Averin
2018-12-18 21:31 ` Vladis Dronov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2459cc18-3c14-fb68-def6-eb09fc096613@virtuozzo.com \
--to=vvs@virtuozzo.com \
--cc=anna.schumaker@netapp.com \
--cc=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=eshatokhin@virtuozzo.com \
--cc=jlayton@kernel.org \
--cc=khorenko@virtuozzo.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox