From: Bernd Schubert <bernd.schubert@fastmail.fm>
To: linux-nfs@vger.kernel.org
Subject: [PATCH] nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference
Date: Fri, 18 Apr 2014 22:06:43 +0200 [thread overview]
Message-ID: <lis0kj$kaj$1@ger.gmane.org> (raw)
While running FhGFS-to-NFS stress tests, I noticed this bug (with a
RHEL 6.5 kernel, but I think it also in linux-git).
[ 3428.087489] BUG: unable to handle kernel paging request at ffff880735fb8000
[ 3428.094821] IP: [<ffffffffa038066e>] nfsd4_create+0x27e/0x380 [nfsd]
gdb resolves this to
(gdb) l *(nfsd4_create+0x27e)
0x1469e is in nfsd4_create (fs/nfsd/nfs4proc.c:527).
522 * null-terminate by brute force, since at worst we
523 * will overwrite the first byte of the create namelen
524 * in the XDR buffer, which has already been extracted
525 * during XDR decode.
526 */
527 create->cr_linkname[create->cr_linklen] = 0;
528
529 status = nfsd_symlink(rqstp, &cstate->current_fh,
530 create->cr_name, create->cr_namelen,
531 create->cr_linkname, create->cr_linklen,
create->cr_linkname is set in nfsd4_decode_create and
even current .git does not check for the result of savemem
there.
--
nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference
From: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de>
create->cr_linkname was later used without any check if savemem()
succeeded.
Signed-off-by: Bernd Schubert <bernd.schubert@fastmail.fm>
---
fs/nfsd/nfs4xdr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 2723c1b..eb65d1e 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -603,6 +603,10 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
READ32(create->cr_linklen);
READ_BUF(create->cr_linklen);
SAVEMEM(create->cr_linkname, create->cr_linklen);
+ status = check_filename(create->cr_linkname,
+ create->cr_linklen);
+ if (status)
+ return status;
break;
case NF4BLK:
case NF4CHR:
next reply other threads:[~2014-04-18 20:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-18 20:06 Bernd Schubert [this message]
2014-04-21 3:22 ` [PATCH] nfsd: nfsd4_decode_create: Fix a possible NULL pointer dereference Kinglong Mee
2014-04-22 10:06 ` Bernd Schubert
2014-05-24 0:42 ` Kinglong Mee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='lis0kj$kaj$1@ger.gmane.org' \
--to=bernd.schubert@fastmail.fm \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).