Re: server-to-server copy by default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 11/1/21 12:33 PM, Bruce Fields wrote:
On Mon, Nov 01, 2021 at 10:37:11AM -0700, dai.ngo@xxxxxxxxxx wrote:
On 10/21/21 11:34 PM, dai.ngo@xxxxxxxxxx wrote:
On 10/21/21 7:02 AM, Bruce Fields wrote:
On Wed, Oct 20, 2021 at 10:00:41PM -0700, dai.ngo@xxxxxxxxxx wrote:
The attack can come from the replies of the source server or requests
>from the source server to the destination server via the back channel.
One of possible attack in the reply is BAD_STATEID which was handled
by the client code as mentioned by Olga.

Here is the list of NFS requests made from the destination to the
source server:

          EXCHANGE_ID
          CREATE_SESSION
          RECLAIM_COMLETE
          SEQUENCE
          PUTROOTFH
          PUTHF
          GETFH
          GETATTR
          READ/READ_PLUS
          DESTROY_SESSION
          DESTROY_CLIENTID

Do you think we should review all replies from these requests to make
sure error replies do not cause problems for the destination server?
That's the exactly the sort of analysis I was curious to see, yes.
I will go through these requests to see if is there is anything that
we need to do to ensure the destination does not react negatively
on the replies.
still need to be done.

(I doubt the PUTROOTFH, PUTFH, GETFH, and GETATTR are really necessary,
I wonder if there's any way we could just bypass them in our case.  I
don't know, maybe that's more trouble than it's worth.)
I'll take a look but I think we should avoid modifying the client
code if possible.

same for the back channel ops:

          OP_CB_GETATTR
          OP_CB_RECALL
          OP_CB_LAYOUTRECALL
          OP_CB_NOTIFY
          OP_CB_PUSH_DELEG
          OP_CB_RECALL_ANY
          OP_CB_RECALLABLE_OBJ_AVAIL
          OP_CB_RECALL_SLOT
          OP_CB_SEQUENCE
          OP_CB_WANTS_CANCELLED
          OP_CB_NOTIFY_LOCK
          OP_CB_NOTIFY_DEVICEID
          OP_CB_OFFLOAD
There shouldn't be any need for callbacks at all.  We might be able to
get away without even setting up a backchannel.  But, yes, if the server
tries to send one anyway, it'd be good to know we do something
reasonable.
or do not specify the back channel when creating the session somehow.
I will report back.
We can not disable the back channel of the SSC v4.2 mount since it might
share the same connection with a regular NFSv4.2 mount from the destination
to the source server.
Hm.

Well, now that I think of it, a backchannel is probably required for the
SSC case anyway.  (I think CB_RECALL_SLOT is mandatory to support?)

I think the back channel is not required. From Sec 13 of RFC 7862:

   The REQUIRED or OPTIONAL designation for callback operations sent by
   the server is for both the client and server.  Generally, the client
   has the option of creating the backchannel and sending the operations
   on the forechannel that will be a catalyst for the server sending
   callback operations.  A partial exception is CB_RECALL_SLOT; the only
   way the client can avoid supporting this operation is by not creating
   a backchannel.

I have not found a clean/simple way to not creating the back channel
for the SSC mount. The reasons is that the SSC mount can be using an
existing connection of a regular mount to the source server, or a
regular mount can happen after the SSC mount.

It seems that we should support back channel for SSC mount but do a
due diligent check to make sure the requests come from a trusted source
and also limit the number of ops supported on the SSC back channel.

-Dai


--b.



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux