lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 16 Mar 2021 15:35:53 -0700
From:   Randy Dunlap <rdunlap@...radead.org>
To:     linux-kernel@...r.kernel.org
Cc:     syzbot+ba2e91df8f74809417fa@...kaller.appspotmail.com,
        syzbot+f3a0fa110fd630ab56c8@...kaller.appspotmail.com,
        Trond Myklebust <trond.myklebust@...merspace.com>,
        Anna Schumaker <anna.schumaker@...app.com>,
        linux-nfs@...r.kernel.org, David Howells <dhowells@...hat.com>,
        Al Viro <viro@...iv.linux.org.uk>, stable@...r.kernel.org
Subject: Re: [PATCH] NFS: fs_context: validate UDP retrans to prevent shift
 out-of-bounds

ping?

On 3/1/21 4:19 PM, Randy Dunlap wrote:
> Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused
> by a garbage timeout (retrans) mount option being passed to nfs mount,
> in this case from syzkaller.
> 
> If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift
> value for a 64-bit long integer, so 'retrans' cannot be >= 64.
> If it is >= 64, fail the mount and return an error.
> 
> Fixes: 9954bf92c0cd ("NFS: Move mount parameterisation bits into their own file")
> Reported-by: syzbot+ba2e91df8f74809417fa@...kaller.appspotmail.com
> Reported-by: syzbot+f3a0fa110fd630ab56c8@...kaller.appspotmail.com
> Signed-off-by: Randy Dunlap <rdunlap@...radead.org>
> Cc: Trond Myklebust <trond.myklebust@...merspace.com>
> Cc: Anna Schumaker <anna.schumaker@...app.com>
> Cc: linux-nfs@...r.kernel.org
> Cc: David Howells <dhowells@...hat.com>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: stable@...r.kernel.org
> ---
>  fs/nfs/fs_context.c |   12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> --- lnx-512-rc1.orig/fs/nfs/fs_context.c
> +++ lnx-512-rc1/fs/nfs/fs_context.c
> @@ -974,6 +974,15 @@ static int nfs23_parse_monolithic(struct
>  			       sizeof(mntfh->data) - mntfh->size);
>  
>  		/*
> +		 * for proto == XPRT_TRANSPORT_UDP, which is what uses
> +		 * to_exponential, implying shift: limit the shift value
> +		 * to BITS_PER_LONG (majortimeo is unsigned long)
> +		 */
> +		if (!(data->flags & NFS_MOUNT_TCP)) /* this will be UDP */
> +			if (data->retrans >= 64) /* shift value is too large */
> +				goto out_invalid_data;
> +
> +		/*
>  		 * Translate to nfs_fs_context, which nfs_fill_super
>  		 * can deal with.
>  		 */
> @@ -1073,6 +1082,9 @@ out_no_address:
>  
>  out_invalid_fh:
>  	return nfs_invalf(fc, "NFS: invalid root filehandle");
> +
> +out_invalid_data:
> +	return nfs_invalf(fc, "NFS: invalid binary mount data");
>  }
>  
>  #if IS_ENABLED(CONFIG_NFS_V4)
> 


-- 
~Randy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ