lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAN-5tyHws9bO5Yuj9FTn6EdcPcY5QGK0419aBbujU7Ugt4_6uQ@mail.gmail.com>
Date:   Wed, 29 May 2019 14:54:16 -0400
From:   Olga Kornievskaia <aglo@...ch.edu>
To:     Trond Myklebust <trondmy@...merspace.com>
Cc:     "nbowler@...conx.ca" <nbowler@...conx.ca>,
        "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Olga.Kornievskaia@...app.com" <Olga.Kornievskaia@...app.com>
Subject: Re: PROBLEM: oops spew with Linux 5.1.5 (NFS regression?)

On Wed, May 29, 2019 at 1:14 PM Trond Myklebust <trondmy@...merspace.com> wrote:
>
> On Wed, 2019-05-29 at 11:10 -0400, Nick Bowler wrote:
> > Hi,
> >
> > I upgraded to Linux 5.1.5 on one machine yesterday, and this morning
> > I
> > happened noticed a large amount of backtraces in the log.  It appears
> > that the system oopsed 62 times over a period of about 5 minutes,
> > producing about half a megabyte of log messages, after which the
> > messages stopped.  No idea what action (if any) triggered these.
> >
> > However, other than the noise in the logs there is nothing obviously
> > broken, but I thought I should report the spews anyway.  I was
> > running
> > 5.0.9 previously and have not seen any similar errors.  The first
> > couple
> > spews are appended.  All 64 faults look very similar to these ones,
> > with
> > the same faulting address and the same rpc_check_timeout function at
> > the
> > top of the backtrace.
>
> OK, I think this is the same problem that Olga was seeing (Cced), and
> it looks like I missed the use-after-free issue when the server returns
> a credential error when she asked.

I think this is actually different than what I encountered for the
umount case but the trigger is the same -- failing validation.

I tried to reproduce Nick's oops on 5.2-rc but haven't been able to
(but I'm not confident I produced the right trigger conditions. will
try 5.1).


>
> I believe that the following patch should fix it:
>
> 8<------------------------------------------------------------------
> From 33905f5a7d1d200db8eeb3f4ea8670c9da4cb64d Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <trond.myklebust@...merspace.com>
> Date: Wed, 29 May 2019 12:49:52 -0400
> Subject: [PATCH] SUNRPC: Fix a use after free when a server rejects the
>  RPCSEC_GSS credential
>
> The addition of rpc_check_timeout() to call_decode causes an Oops
> when the RPCSEC_GSS credential is rejected.
> The reason is that rpc_decode_header() will call xprt_release() in
> order to free task->tk_rqstp, which is needed by rpc_check_timeout()
> to check whether or not we should exit due to a soft timeout.
>
> The fix is to move the call to xprt_release() into call_decode() so
> we can perform it after rpc_check_timeout().
>
> Reported-by: Olga Kornievskaia <olga.kornievskaia@...il.com>
> Reported-by: Nick Bowler <nbowler@...conx.ca>
> Fixes: cea57789e408 ("SUNRPC: Clean up")
> Cc: stable@...r.kernel.org # v5.1+
> Signed-off-by: Trond Myklebust <trond.myklebust@...merspace.com>
> ---
>  net/sunrpc/clnt.c | 28 ++++++++++++++--------------
>  1 file changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
> index d6e57da56c94..4c02c37fa774 100644
> --- a/net/sunrpc/clnt.c
> +++ b/net/sunrpc/clnt.c
> @@ -2426,17 +2426,21 @@ call_decode(struct rpc_task *task)
>                 return;
>         case -EAGAIN:
>                 task->tk_status = 0;
> -               /* Note: rpc_decode_header() may have freed the RPC slot */
> -               if (task->tk_rqstp == req) {
> -                       xdr_free_bvec(&req->rq_rcv_buf);
> -                       req->rq_reply_bytes_recvd = 0;
> -                       req->rq_rcv_buf.len = 0;
> -                       if (task->tk_client->cl_discrtry)
> -                               xprt_conditional_disconnect(req->rq_xprt,
> -                                                           req->rq_connect_cookie);
> -               }
> +               xdr_free_bvec(&req->rq_rcv_buf);
> +               req->rq_reply_bytes_recvd = 0;
> +               req->rq_rcv_buf.len = 0;
> +               if (task->tk_client->cl_discrtry)
> +                       xprt_conditional_disconnect(req->rq_xprt,
> +                                                   req->rq_connect_cookie);
>                 task->tk_action = call_encode;
>                 rpc_check_timeout(task);
> +               break;
> +       case -EKEYREJECTED:
> +               task->tk_action = call_reserve;
> +               rpc_check_timeout(task);
> +               rpcauth_invalcred(task);
> +               /* Ensure we obtain a new XID if we retry! */
> +               xprt_release(task);
>         }
>  }
>
> @@ -2572,11 +2576,7 @@ rpc_decode_header(struct rpc_task *task, struct xdr_stream *xdr)
>                         break;
>                 task->tk_cred_retry--;
>                 trace_rpc__stale_creds(task);
> -               rpcauth_invalcred(task);
> -               /* Ensure we obtain a new XID! */
> -               xprt_release(task);
> -               task->tk_action = call_reserve;
> -               return -EAGAIN;
> +               return -EKEYREJECTED;
>         case rpc_autherr_badcred:
>         case rpc_autherr_badverf:
>                 /* possibly garbled cred/verf? */
> --
> 2.21.0
>
> --
> Trond Myklebust
> Linux NFS client maintainer, Hammerspace
> trond.myklebust@...merspace.com
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ