lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20241022030317.324027-1-lilingfeng3@huawei.com>
Date: Tue, 22 Oct 2024 11:03:17 +0800
From: Li Lingfeng <lilingfeng3@...wei.com>
To: <trondmy@...nel.org>, <anna@...nel.org>
CC: <trond.myklebust@...merspace.com>, <jlayton@...nel.org>,
	<linux-nfs@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<yukuai1@...weicloud.com>, <houtao1@...wei.com>, <yi.zhang@...wei.com>,
	<yangerkun@...wei.com>, <lilingfeng@...weicloud.com>,
	<lilingfeng3@...wei.com>
Subject: [PATCH v2] nfs: maintain nfs_server in the reclaim process

In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the
release of nfs_server.

This will trigger UAF in nfs4_put_open_state when the count of
nfs4_state is decremented to zero, because the freed nfs_server will be
accessed when evicting inode.

Maintaining the nfs_server throughout the entire reclaim process by
adding nfs_sb_active and nfs_sb_deactive to fix it.

Signed-off-by: Li Lingfeng <lilingfeng3@...wei.com>
---
v1->v2:
  Get reference counting inside the lock's protection.

 fs/nfs/nfs4state.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index dafd61186557..acf608957f57 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1935,6 +1935,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 				continue;
 			if (!atomic_inc_not_zero(&sp->so_count))
 				continue;
+			if (!(server->super && nfs_sb_active(server->super))) {
+				spin_unlock(&clp->cl_lock);
+				rcu_read_unlock();
+				nfs4_put_state_owner(sp);
+				goto restart;
+			}
 			spin_unlock(&clp->cl_lock);
 			rcu_read_unlock();
 
@@ -1947,10 +1953,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 				nfs4_put_state_owner(sp);
 				status = nfs4_recovery_handle_error(clp, status);
 				nfs4_free_state_owners(&freeme);
+				nfs_sb_deactive(server->super);
 				return (status != 0) ? status : -EAGAIN;
 			}
 
 			nfs4_put_state_owner(sp);
+			nfs_sb_deactive(server->super);
 			goto restart;
 		}
 		spin_unlock(&clp->cl_lock);
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ