Hello,

Our UC-KLEE tool found a kfree() of an uninitialized pointer in decode_cb_sequence_args (fs/nfs/callback_xdr.c) that may be remotely exploitable. The bug affects Linux kernel 3.16.3, but it appears to date back to commit 4aece6a19cf7f474f15eb861ba74db4479884ce3 (4/1/2009), which first implemented the CB_SEQUENCE operation from NFS 4.1.

Here is some of the relevant code:

    458     if (args->csa_nrclists) {
    459         args->csa_rclists = kmalloc_array(args->csa_nrclists,
    460                                           sizeof(*args->csa_rclists),
    461                                           GFP_KERNEL);
    ...
    465         for (i = 0; i < args->csa_nrclists; i++) {
    466             status = decode_rc_list(xdr, &args->csa_rclists[i]);
    467             if (status)
    468                 goto out_free;
    469         }
    470     }
    ...
    487 out_free:
    488     for (i = 0; i < args->csa_nrclists; i++)
    489         kfree(args->csa_rclists[i].rcl_refcalls);

If a call to decode_rc_list() on line 466 returns non-zero during iteration 'i', the kfree() call at line 489 will attempt to free uninitialized (heap garbage) pointers for all indices in [i, args->csa_nrclists).

I'm not familiar enough with the NFS internals to understand whether an attacker can cause decode_rc_list() to fail (i.e., by causing read_buf() to fail), but it seems plausible?

Thanks,
-David
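The defect above is a general error-path pattern: an array of structs is allocated uninitialized, a loop fills it one element at a time, and the cleanup label frees a pointer field from every element, including the ones the loop never reached. The following user-space C model is an added example written for this message; it is not code from the kernel or from the reporter. The struct and function names (rc_list, cb_sequence_args, model_decode_rc_list, decode_sequence_safe) mirror the kernel's but are constructed stand-ins, and the "decoder" simply fails at a caller-chosen index to simulate a truncated XDR buffer. It shows the two defensive properties a fixed version needs: the array is zero-initialized (calloc here, the analogue of kcalloc/kzalloc in the kernel) so an untouched element's pointer is NULL and freeing it is a harmless no-op, and the cleanup releases exactly the elements that were decoded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the CB_SEQUENCE structures; NOT the kernel's types. */
struct rc_list {
    size_t nrefcalls;
    int *refcalls;            /* stands in for rcl_refcalls */
};

struct cb_sequence_args {
    size_t nrclists;          /* stands in for csa_nrclists */
    struct rc_list *rclists;  /* stands in for csa_rclists */
};

/* Count of non-NULL pointers released on the last error path (for inspection). */
static size_t frees_done;

/* Hypothetical decoder: element idx decodes successfully if idx < fail_at,
 * otherwise it fails the way decode_rc_list() would on a short buffer. */
static int model_decode_rc_list(struct rc_list *rc, size_t idx, size_t fail_at)
{
    if (idx >= fail_at)
        return -1;            /* simulated read_buf() failure */
    rc->nrefcalls = 2;
    rc->refcalls = calloc(rc->nrefcalls, sizeof(*rc->refcalls));
    return rc->refcalls ? 0 : -1;
}

static void tracked_free(void *p)
{
    if (p)
        frees_done++;         /* NULL entries are never counted or touched */
    free(p);
}

/* Release everything a successful decode allocated. */
static void free_sequence_args(struct cb_sequence_args *args)
{
    size_t i;
    for (i = 0; i < args->nrclists; i++)
        free(args->rclists[i].refcalls);
    free(args->rclists);
    args->rclists = NULL;
    args->nrclists = 0;
}

/* Hardened allocation/decode/cleanup sequence.
 * Returns 0 on success; on failure returns the decoder's status and stores in
 * *freed how many refcalls pointers were actually released. */
static int decode_sequence_safe(struct cb_sequence_args *args, size_t nrclists,
                                size_t fail_at, size_t *freed)
{
    size_t i;
    int status = 0;

    frees_done = 0;
    *freed = 0;
    args->nrclists = nrclists;
    args->rclists = NULL;
    if (nrclists) {
        /* zeroed allocation: every refcalls field starts out NULL */
        args->rclists = calloc(nrclists, sizeof(*args->rclists));
        if (!args->rclists)
            return -1;
        for (i = 0; i < nrclists; i++) {
            status = model_decode_rc_list(&args->rclists[i], i, fail_at);
            if (status)
                goto out_free;
        }
    }
    return 0;

out_free:
    /* Walking the whole array is now safe because undecoded entries hold
     * NULL; only the [0, i) entries that were populated are really freed. */
    for (i = 0; i < args->nrclists; i++)
        tracked_free(args->rclists[i].refcalls);
    free(args->rclists);
    args->rclists = NULL;
    args->nrclists = 0;
    *freed = frees_done;
    return status;
}

int main(void)
{
    struct cb_sequence_args a;
    size_t freed = 0;
    int st = decode_sequence_safe(&a, 5, 2, &freed);   /* fail on element 2 */
    printf("status=%d, pointers freed on error path=%zu\n", st, freed);
    if (decode_sequence_safe(&a, 5, 5, &freed) == 0)    /* no failure */
        free_sequence_args(&a);
    return 0;
}
```

With five lists and a failure on the third, the error path releases exactly the two pointers that were allocated and passes over the three zeroed entries; in the original code those three entries would hold whatever kmalloc_array left on the heap.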