Message-Id: <20260116-nfsd-fixes-v1-1-019689b72747@kernel.org>
Date: Fri, 16 Jan 2026 13:22:19 -0500
From: Jeff Layton <jlayton@...nel.org>
To: Chuck Lever <chuck.lever@...cle.com>, NeilBrown <neil@...wn.name>,
Olga Kornievskaia <okorniev@...hat.com>, Dai Ngo <Dai.Ngo@...cle.com>,
Tom Talpey <tom@...pey.com>
Cc: linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org,
Jeff Layton <jlayton@...nel.org>
Subject: [PATCH] nfsd: fix NULL pointer dereference in check_export()
Given the right export table, it's possible to trigger a NULL pointer
dereference when mountd sends a path that has no export operations.
Check that the export_ops are set and just return -EINVAL if not.
Signed-off-by: Jeff Layton <jlayton@...nel.org>
---
Triggering this required a rather pathological export table (I just
exported "/"). Given that, I'm on the fence as to whether we want to
send this to stable.
---
fs/nfsd/export.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 2a1499f2ad196a6033787260881e451146283bdc..4187c109d84985d33a69e19291edbf2b27b257d8 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -405,6 +405,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
static int check_export(const struct path *path, int *flags, unsigned char *uuid)
{
struct inode *inode = d_inode(path->dentry);
+ struct export_operations *export_op = inode->i_sb->s_export_op;
/*
* We currently export only dirs, regular files, and (for v4
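Review bot: The new local on the added line `struct export_operations *export_op = inode->i_sb->s_export_op;` should be declared `const struct export_operations *export_op`. Every use in the later hunks only reads through it (the NULL test, the argument to exportfs_can_decode_fh(), and the ->flags test), and a non-const pointer here will draw a discarded-qualifier warning if sb->s_export_op is const-qualified.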
@@ -422,14 +423,20 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
if (*flags & NFSEXP_V4ROOT)
*flags |= NFSEXP_READONLY;
- /* There are two requirements on a filesystem to be exportable.
- * 1: We must be able to identify the filesystem from a number.
+ /* There are four requirements on a filesystem to be exportable:
+ * 1: It must define sb->s_export_op
+ * 2: We must be able to identify the filesystem from a number.
* either a device number (so FS_REQUIRES_DEV needed)
* or an FSID number (so NFSEXP_FSID or ->uuid is needed).
- * 2: We must be able to find an inode from a filehandle.
+ * 3: We must be able to find an inode from a filehandle.
* This means that s_export_op must be set.
- * 3: We must not currently be on an idmapped mount.
+ * 4: We must not currently be on an idmapped mount.
*/
+ if (!export_op) {
+ dprintk("%s: fs doesn't define export_operations!\n", __func__);
+ return -EINVAL;
+ }
+
if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
!(*flags & NFSEXP_FSID) &&
uuid == NULL) {
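Review bot: The rewritten comment now states the s_export_op requirement twice: new item 1 says "It must define sb->s_export_op" while item 3 still ends with "This means that s_export_op must be set." Either drop that sentence from item 3 or reword it to say what is needed to decode a filehandle, so the list really has four distinct requirements. The new dprintk could also print inode->i_sb->s_type->name, as the subtree-check message further down does, so the rejected filesystem type is identifiable in the log.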
@@ -437,7 +444,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}
- if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
+ if (!exportfs_can_decode_fh(export_op)) {
dprintk("exp_export: export of invalid fs type.\n");
return -EINVAL;
}
@@ -447,7 +454,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}
- if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK &&
+ if (export_op->flags & EXPORT_OP_NOSUBTREECHK &&
!(*flags & NFSEXP_NOSUBTREECHECK)) {
dprintk("%s: %s does not support subtree checking!\n",
__func__, inode->i_sb->s_type->name);
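Review bot: Neither the commit message nor the hunks say which dereference actually faulted; in the pre-patch code the pointer is both passed to exportfs_can_decode_fh() and read directly here via `inode->i_sb->s_export_op->flags`. Naming the oops site in the changelog, and adding a Fixes: tag for the commit that introduced it, would make the stable question raised under the `---` easier to settle.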
---
base-commit: 983d014aafb14ee5e4915465bf8948e8f3a723b5
change-id: 20260116-nfsd-fixes-8c02927271e6
Best regards,
--
Jeff Layton <jlayton@...nel.org>