lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20240924024521.2898776-1-lilingfeng3@huawei.com>
Date: Tue, 24 Sep 2024 10:45:21 +0800
From: Li Lingfeng <lilingfeng3@...wei.com>
To: <trondmy@...nel.org>, <anna@...nel.org>
CC: <trond.myklebust@...merspace.com>, <jlayton@...nel.org>,
	<linux-nfs@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<yukuai1@...weicloud.com>, <houtao1@...wei.com>, <yi.zhang@...wei.com>,
	<yangerkun@...wei.com>, <lilingfeng@...weicloud.com>,
	<lilingfeng3@...wei.com>
Subject: [PATCH] nfs: maintain nfs_server in the reclaim process

In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the release
of nfs_server.
This will trigger UAF in nfs4_put_open_state when the count of nfs4_state
is decremented to zero, because the freed nfs_server will be accessed
when evicting inode.

Maintaining the nfs_server throughout the entire reclaim process by adding
nfs_sb_active and nfs_sb_deactive to fix it.

Signed-off-by: Li Lingfeng <lilingfeng3@...wei.com>
---
 fs/nfs/nfs4state.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 877f682b45f2..f09f63b5a7c0 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1934,6 +1934,8 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 restart:
 	rcu_read_lock();
 	list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
+		if (!(server->super && nfs_sb_active(server->super)))
+			continue;
 		nfs4_purge_state_owners(server, &freeme);
 		spin_lock(&clp->cl_lock);
 		for (pos = rb_first(&server->state_owners);
@@ -1942,10 +1944,14 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 			sp = rb_entry(pos,
 				struct nfs4_state_owner, so_server_node);
 			if (!test_and_clear_bit(ops->owner_flag_bit,
-							&sp->so_flags))
+							&sp->so_flags)) {
+				nfs_sb_deactive(server->super);
 				continue;
-			if (!atomic_inc_not_zero(&sp->so_count))
+			}
+			if (!atomic_inc_not_zero(&sp->so_count)) {
+				nfs_sb_deactive(server->super);
 				continue;
+			}
 			spin_unlock(&clp->cl_lock);
 			rcu_read_unlock();
 
@@ -1961,9 +1967,11 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 			}
 
 			nfs4_put_state_owner(sp);
+			nfs_sb_deactive(server->super);
 			goto restart;
 		}
 		spin_unlock(&clp->cl_lock);
+		nfs_sb_deactive(server->super);
 	}
 	rcu_read_unlock();
 	nfs4_free_state_owners(&freeme);
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ