Date:	Tue, 27 Nov 2012 11:31:11 -0500
From:	Sasha Levin <sasha.levin@...cle.com>
To:	bfields@...ldses.org
Cc:	linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org,
	Sasha Levin <sasha.levin@...cle.com>
Subject: [PATCH] nfsd: prevent NULL ptr derefs on fault injection

A recent patch series has moved hashtable initialization to when the net
struct is initialized.

When injecting faults, we tried accessing the hashtables even if the struct
wasn't really initialized (nfsd wasn't in use) - this caused a NULL ptr
deref.

A simple test would be:

	echo 1 > /sys/kernel/debug/nfsd/forget_locks

Signed-off-by: Sasha Levin <sasha.levin@...cle.com>
---
 fs/nfsd/netns.h     | 3 +++
 fs/nfsd/nfs4state.c | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/fs/nfsd/netns.h b/fs/nfsd/netns.h
index 227b93e..c5806a57 100644
--- a/fs/nfsd/netns.h
+++ b/fs/nfsd/netns.h
@@ -83,5 +83,8 @@ struct nfsd_net {
 	struct delayed_work laundromat_work;
 };
 
+/* Simple check to find out if a given net was properly initialized */
+#define nfsd_netns_ready(nn) ((nn)->sessionid_hashtbl)
+
 extern int nfsd_net_id;
 #endif /* __NFSD_NETNS_H__ */
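Review bot: the `nfsd_netns_ready()` macro silently depends on two invariants that the one-line comment does not state: that `sessionid_hashtbl` is NULL for any nfsd_net that has not been initialized (i.e. the struct comes back zeroed from `net_generic()`), and that it is the field whose allocation marks the namespace as usable and whose teardown marks it as not. Spell both out in the comment so the next person who reorders hashtable allocation in the init/exit paths knows this check breaks; consider also making the macro yield a plain bool, e.g. `((nn)->sessionid_hashtbl != NULL)`, rather than a pointer used in boolean context.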
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index e75872f..0e7428c 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4598,6 +4598,9 @@ void nfsd_forget_clients(u64 num)
 	int count = 0;
 	struct nfsd_net *nn = net_generic(current->nsproxy->net_ns, nfsd_net_id);
 
+	if (!nfsd_netns_ready(nn))
+		return;
+
 	nfs4_lock_state();
 	list_for_each_entry_safe(clp, next, &nn->client_lru, cl_lru) {
 		expire_client(clp);
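Review bot: the readiness check runs before `nfs4_lock_state()`, so there is a window between `if (!nfsd_netns_ready(nn))` and the walk of `nn->client_lru` in which nfsd can be shut down and the hashtables freed; if the check is meant to be more than best-effort for the debugfs path, move it under the state lock (take the lock, check, unlock-and-return on failure). Separately, this function derives `nn` from `current->nsproxy->net_ns` while the two hunks below use `&init_net`; worth a note in the commit message on whether the readiness check is meant to apply to the caller's namespace or only to init_net.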
@@ -4643,6 +4646,9 @@ void nfsd_forget_locks(u64 num)
 	int count;
 	struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
+	if (!nfsd_netns_ready(nn))
+		return;
+
 	nfs4_lock_state();
 	count = nfsd_release_n_owners(num, false, release_lockowner_sop, nn);
 	nfs4_unlock_state();
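Review bot: this is the second of three identical `if (!nfsd_netns_ready(nn)) return;` blocks added to individual `nfsd_forget_*` helpers; any fault-injection entry point not touched by this patch keeps the original NULL dereference. Consider hoisting the check into the common debugfs write path that dispatches to these functions, so every injection hook is covered once instead of each helper repeating it.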
@@ -4655,6 +4661,9 @@ void nfsd_forget_openowners(u64 num)
 	int count;
 	struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
+	if (!nfsd_netns_ready(nn))
+		return;
+
 	nfs4_lock_state();
 	count = nfsd_release_n_owners(num, true, release_openowner_sop, nn);
 	nfs4_unlock_state();
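Review bot: the early `return` here (and in the two hunks above) gives no feedback that the request was dropped because nfsd is not running, so the `echo 1 > /sys/kernel/debug/nfsd/forget_locks` test from the commit message now succeeds silently; a `dprintk()` (or returning an error from the debugfs write if that interface allows it) would make the "not initialized" case distinguishable from "nothing to forget".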
-- 
1.8.0
