| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c0f81eef4e8448818361772de4e22b6b6502ab73.camel@kernel.org>
Date: Fri, 16 Jan 2026 13:35:09 -0500
From: Jeff Layton <jlayton@...nel.org>
To: Chuck Lever <chuck.lever@...cle.com>, NeilBrown <neil@...wn.name>, Olga
Kornievskaia <okorniev@...hat.com>, Dai Ngo <Dai.Ngo@...cle.com>, Tom
Talpey <tom@...pey.com>
Cc: linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nfsd: fix NULL pointer dereference in check_export()
On Fri, 2026-01-16 at 13:22 -0500, Jeff Layton wrote:
> Given the right export table, it's possible to trigger a NULL pointer
> dereference when mountd sends a path that has no export operations.
> Check that the export_ops are set and just return -EINVAL if not.
>
> Signed-off-by: Jeff Layton <jlayton@...nel.org>
> ---
> Triggering this required a rather pathological export table (I just
> exported "/"). Given that, I'm on the fence as to whether we want to
> send this to stable.
> ---
> fs/nfsd/export.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index 2a1499f2ad196a6033787260881e451146283bdc..4187c109d84985d33a69e19291edbf2b27b257d8 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -405,6 +405,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
> static int check_export(const struct path *path, int *flags, unsigned char *uuid)
> {
> struct inode *inode = d_inode(path->dentry);
> + struct export_operations *export_op = inode->i_sb->s_export_op;
>
> /*
> * We currently export only dirs, regular files, and (for v4
> @@ -422,14 +423,20 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
> if (*flags & NFSEXP_V4ROOT)
> *flags |= NFSEXP_READONLY;
>
> - /* There are two requirements on a filesystem to be exportable.
> - * 1: We must be able to identify the filesystem from a number.
> + /* There are four requirements on a filesystem to be exportable:
> + * 1: It must define sb->s_export_op
> + * 2: We must be able to identify the filesystem from a number.
> * either a device number (so FS_REQUIRES_DEV needed)
> * or an FSID number (so NFSEXP_FSID or ->uuid is needed).
> - * 2: We must be able to find an inode from a filehandle.
> + * 3: We must be able to find an inode from a filehandle.
> * This means that s_export_op must be set.
> - * 3: We must not currently be on an idmapped mount.
> + * 4: We must not currently be on an idmapped mount.
> */
> + if (!export_op) {
> + dprintk("%s: fs doesn't define export_operations!\n", __func__);
> + return -EINVAL;
> + }
> +
> if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
> !(*flags & NFSEXP_FSID) &&
> uuid == NULL) {
> @@ -437,7 +444,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
> return -EINVAL;
> }
>
> - if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
> + if (!exportfs_can_decode_fh(export_op)) {
Hrm, actually exportfs_can_decode_fh() already checks this. You can
disregard this patch.
--
Jeff Layton <jlayton@...nel.org>
Powered by blists - more mailing lists