lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <175033900601.115666.13177707398024542481.b4-ty@oracle.com>
Date: Thu, 19 Jun 2025 09:18:15 -0400
From: Chuck Lever <cel@...nel.org>
To: NeilBrown <neil@...wn.name>,
	Olga Kornievskaia <okorniev@...hat.com>,
	Dai Ngo <Dai.Ngo@...cle.com>,
	Tom Talpey <tom@...pey.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Jeff Layton <jlayton@...nel.org>
Cc: Chuck Lever <chuck.lever@...cle.com>,
	tianshuo han <hantianshuo233@...il.com>,
	Linus Torvalds <torvalds@...uxfoundation.org>,
	security@...nel.org,
	yuxuanzhe@...look.com,
	Jiri Slaby <jirislaby@...nel.org>,
	Trond Myklebust <trondmy@...nel.org>,
	Anna Schumaker <anna@...nel.org>,
	linux-nfs@...r.kernel.org,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

From: Chuck Lever <chuck.lever@...cle.com>

On Thu, 19 Jun 2025 06:01:55 -0400, Jeff Layton wrote:
> tianshuo han reported a remotely-triggerable crash if the client sends a
> kernel RPC server a specially crafted packet. If decoding the RPC reply
> fails in such a way that SVC_GARBAGE is returned without setting the
> rq_accept_statp pointer, then that pointer can be dereferenced and a
> value stored there.
> 
> If it's the first time the thread has processed an RPC, then that
> pointer will be set to NULL and the kernel will crash. In other cases,
> it could create a memory scribble.
> 
> [...]

Yesterday's version passed overnight CI testing.

Applied to nfsd-fixes, thanks!

[1/1] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
      commit: 92c2969bcd57272698d5aae037f55481dcb11f2d

--
Chuck Lever

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ