lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110314193501.GE25442@fieldses.org>
Date:	Mon, 14 Mar 2011 15:35:01 -0400
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	Mi Jinlong <mijinlong@...fujitsu.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	roel <roel.kluin@...il.com>, Neil Brown <neilb@...e.de>,
	linux-nfs@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] nfsd: wrong index used in inner loop

On Fri, Mar 11, 2011 at 11:52:14AM +0800, Mi Jinlong wrote:
> 
> 
> J. Bruce Fields:
> > On Wed, Mar 09, 2011 at 03:42:30PM -0800, Andrew Morton wrote:
> >> On Tue, 08 Mar 2011 22:32:26 +0100
> >> roel <roel.kluin@...il.com> wrote:
> >>
> >>> Index i was already used in the outer loop
> >>>
> >>> Signed-off-by: Roel Kluin <roel.kluin@...il.com>
> >>> ---
> >>>  fs/nfsd/nfs4xdr.c |    4 ++--
> >>>  1 files changed, 2 insertions(+), 2 deletions(-)
> >>>
> >>> Not 100% sure this one is needed but it looks suspicious.
> >>>
> >>> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> >>> index 1275b86..615f0a9 100644
> >>> --- a/fs/nfsd/nfs4xdr.c
> >>> +++ b/fs/nfsd/nfs4xdr.c
> >>> @@ -1142,7 +1142,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
> >>>  
> >>>  	u32 dummy;
> >>>  	char *machine_name;
> >>> -	int i;
> >>> +	int i, j;
> >>>  	int nr_secflavs;
> >>>  
> >>>  	READ_BUF(16);
> >>> @@ -1215,7 +1215,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
> >>>  			READ_BUF(4);
> >>>  			READ32(dummy);
> >>>  			READ_BUF(dummy * 4);
> >>> -			for (i = 0; i < dummy; ++i)
> >>> +			for (j = 0; j < dummy; ++j)
> >>>  				READ32(dummy);
> >>>  			break;
> >>>  		case RPC_AUTH_GSS:
> >> ooh, big bug.
> >>
> >> I wonder why it was not previously detected at runtime.  Perhaps
> >> nr_secflavs is always 1.
> > 
> > Yeah, no client uses this calback security information yet.
> > 
> > Mi Jinlong, do you think this is something we could have caught with
> > another pynfs test?
> 
>   Yes, we must test it.
> 
>   After testing, the following test case is OK.

I've pushed out a tree with your additional tests to

	git://linux-nfs.org/~bfields/pynfs41.git

Let me know what I'm missing.

Thanks again.--b.

> 
> --
> thanks,
> Mi Jinlong
> 
> 
> >From 1afac3444b37bac66970f19c409660a304a53fb4 Mon Sep 17 00:00:00 2001
> From: Mi Jinlong <mijinlong@...fujitsu.com>
> Date: Sun, 11 Mar 2011 09:05:22 +0800
> Subject: [PATCH] CLNT: test a decode problem which use wrong index
> 
> Signed-off-by: Mi Jinlong <mijinlong@...fujitsu.com>
> ---
>  nfs4.1/server41tests/st_create_session.py |   16 ++++++++++++++++
>  1 files changed, 16 insertions(+), 0 deletions(-)
> 
> diff --git a/nfs4.1/server41tests/st_create_session.py b/nfs4.1/server41tests/st_create_session.py
> index ff55d10..e3a8421 100644
> --- a/nfs4.1/server41tests/st_create_session.py
> +++ b/nfs4.1/server41tests/st_create_session.py
> @@ -252,6 +252,22 @@ def testCbSecParms(t, env):
>      c1 = env.c1.new_client(env.testname(t))
>      sess1 = c1.create_session(sec=sec)
>  
> +def testCbSecParmsDec(t, env):
> +    """A decode problem was found at NFS server that 
> +       wrong index used in inner loop, 
> +       http://marc.info/?l=linux-kernel&m=129961996327640&w=2
> +
> +    FLAGS: create_session all
> +    CODE: CSESS16a
> +    """
> +    sec = [callback_sec_parms4(AUTH_NONE),
> +           callback_sec_parms4(RPCSEC_GSS, cbsp_gss_handles=gss_cb_handles4(RPC_GSS_SVC_PRIVACY, "Handle from server", "Client handle")),
> +           callback_sec_parms4(AUTH_SYS, cbsp_sys_cred=authsys_parms(5, "Random machine name", 7, 11, [])),
> +           ]
> +                               
> +    c1 = env.c1.new_client(env.testname(t))
> +    sess1 = c1.create_session(sec=sec)
> +
>  def testRdmaArray0(t, env):
>      """Test 0 length rdma arrays
>  
> -- 
> 1.7.4.1
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ