NFS v4 client can dereference uninitialized pointer if server includes unrequested mdsthreshold attr

I think nfs_fattr_init() ought to set fattr->mdsthreshold to NULL. If
the kmalloc()'d attr memory doesn't happen to be zero at
fattr->mdsthreshold, and the server returns an unrequested mdsthreshold
attribute, then decode_getfattr_attrs() will try to store via the
uninitialized pointer in decode_first_threshold_item4().

I've attached a demo program, which I run with slub_debug=FZP:

# uname -a
Linux (none) 5.15.0-rc7-dirty #78 SMP Mon Nov 15 15:49:15 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
# cc nfs_15.c
# ./nfs_15
...
[   27.950132] decode_attr_mdsthreshold: Warning: Multiple pNFS layout drivers per filesystem not supported
[   27.969630] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6f
[   28.058092] epc : ffffffff8023dee0 ra : ffffffff8023deb2 sp : ffffffd00055b500
[   28.231013] status: 0000000200000121 badaddr: 6b6b6b6b6b6b6b6f cause: 000000000000000f
[   28.246069] [<ffffffff8023dee0>] decode_getfattr_attrs+0xdae/0x11fe
[   28.259758] [<ffffffff8023e44e>] decode_getfattr_generic.constprop.0+0x11e/0x1b2
[   28.275547] [<ffffffff8023ec86>] nfs4_xdr_dec_lookup+0xa2/0xac
[   28.289208] [<ffffffff80754750>] rpcauth_unwrap_resp_decode+0x12/0x1a
[   28.302635] [<ffffffff8075540c>] rpcauth_unwrap_resp+0x12/0x1a
[   28.316324] [<ffffffff8074b7a8>] call_decode+0x112/0x176
[   28.327634] [<ffffffff80753c8c>] __rpc_execute+0x76/0x216
[   28.338932] [<ffffffff807542aa>] rpc_execute+0x58/0x7e
[   28.350241] [<ffffffff8074cb34>] rpc_run_task+0x12c/0x16c
[   28.361567] [<ffffffff8022271e>] nfs4_call_sync_custom+0x12/0x32
[   28.375315] [<ffffffff802227ae>] nfs4_do_call_sync+0x70/0x8c
[   28.389058] [<ffffffff802233ba>] _nfs4_proc_lookup+0xf2/0x11a
[   28.402819] [<ffffffff8022e7ea>] nfs4_proc_lookup_common+0x7c/0x2a2
[   28.416516] [<ffffffff8022eace>] nfs4_proc_lookup+0x42/0x9e
[   28.427830] [<ffffffff80209c02>] nfs_lookup+0xa6/0x122
[   28.439138] [<ffffffff80209f18>] nfs_atomic_open+0x29a/0x342
[   28.452815] [<ffffffff8013756e>] path_openat+0x5ca/0xaf6
[   28.464063] [<ffffffff80138468>] do_filp_open+0x70/0xd0
[   28.475375] [<ffffffff801276de>] do_sys_openat2+0x1fc/0x298
[   28.486697] [<ffffffff80128870>] do_sys_open+0x3c/0x78
[   28.497986] [<ffffffff801288ee>] sys_openat+0x18/0x20
[   28.509270] [<ffffffff80003046>] ret_from_syscall+0x0/0x2

Attachment: nfs_15.c
Description: Binary data
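The failure mode the report describes, as an added user-space model (not the attached nfs_15.c and not kernel code): the attribute struct comes back from the allocator filled with the slub_debug poison byte instead of zeroes, the init routine never touches the pointer field, and the decoder's only "was this requested?" test is a NULL check, so an unrequested attribute in the server's reply is stored through the stale 0x6b6b... pointer. The names fattr_init_buggy, fattr_init_fixed, decode_mdsthreshold, FATTR_MDSTHRESHOLD and the struct layouts are assumptions made for the model; the kernel would fault at the store, whereas the model detects the poisoned pointer and reports it so the two init variants can be compared safely.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FATTR_MDSTHRESHOLD (1u << 0) /* assumed attribute bit for this model */
#define SLUB_POISON 0x6b             /* slub_debug=FZP fills unused bytes with 0x6b */

enum decode_result { DECODE_SKIPPED = 0, DECODE_STORED = 1, DECODE_WILD_POINTER = -1 };

struct threshold_item {
    uint64_t rd_sz;
    uint64_t wr_sz;
};

struct fattr {
    uint32_t valid;                      /* bitmap of attrs the decoder filled in */
    struct threshold_item *mdsthreshold; /* caller-owned buffer, or NULL */
};

/* Model of kmalloc() under slub_debug=FZP: the object is poison-filled, so an
 * uninitialised pointer field reads as 0x6b6b6b6b6b6b6b6b, which is non-NULL. */
static struct fattr *kmalloc_fattr_poisoned(void)
{
    struct fattr *f = malloc(sizeof(*f));
    if (!f)
        abort();
    memset(f, SLUB_POISON, sizeof(*f));
    return f;
}

/* Init as the report describes it: the pointer field is never touched. */
static void fattr_init_buggy(struct fattr *f)
{
    f->valid = 0;
}

/* Init with the fix the report proposes: mdsthreshold is explicitly NULL. */
static void fattr_init_fixed(struct fattr *f)
{
    f->valid = 0;
    f->mdsthreshold = NULL;
}

/* True if every byte of the pointer is poison, i.e. it was never assigned. */
static int pointer_is_poison(const void *p)
{
    unsigned char bytes[sizeof(p)];
    memcpy(bytes, &p, sizeof(p));
    for (size_t i = 0; i < sizeof(p); i++)
        if (bytes[i] != SLUB_POISON)
            return 0;
    return 1;
}

/* Model of the decoder: if the reply bitmap carries mdsthreshold, store the
 * decoded item through fattr->mdsthreshold unless that pointer is NULL.
 * A poisoned pointer is reported instead of dereferenced (the kernel faults). */
static enum decode_result decode_mdsthreshold(struct fattr *f, uint32_t reply_bitmap,
                                              uint64_t rd_sz, uint64_t wr_sz)
{
    if (!(reply_bitmap & FATTR_MDSTHRESHOLD))
        return DECODE_SKIPPED;
    if (f->mdsthreshold == NULL)
        return DECODE_SKIPPED;      /* attribute present but not requested */
    if (pointer_is_poison(f->mdsthreshold))
        return DECODE_WILD_POINTER; /* "Unable to handle kernel paging request" */
    f->mdsthreshold->rd_sz = rd_sz;
    f->mdsthreshold->wr_sz = wr_sz;
    f->valid |= FATTR_MDSTHRESHOLD;
    return DECODE_STORED;
}

/* Server returns mdsthreshold although the client never asked for it. */
static enum decode_result run_unrequested(void (*init)(struct fattr *))
{
    struct fattr *f = kmalloc_fattr_poisoned();
    init(f);
    enum decode_result r = decode_mdsthreshold(f, FATTR_MDSTHRESHOLD, 1 << 20, 1 << 20);
    free(f);
    return r;
}

/* Client did ask for the attribute and supplied a buffer for it. */
static enum decode_result run_requested(struct threshold_item *out)
{
    struct fattr *f = kmalloc_fattr_poisoned();
    fattr_init_fixed(f);
    f->mdsthreshold = out;
    enum decode_result r = decode_mdsthreshold(f, FATTR_MDSTHRESHOLD, 4096, 8192);
    free(f);
    return r;
}

int main(void)
{
    struct threshold_item item = {0, 0};
    printf("buggy init, unrequested attr: %d\n", run_unrequested(fattr_init_buggy));
    printf("fixed init, unrequested attr: %d\n", run_unrequested(fattr_init_fixed));
    printf("fixed init, requested attr:   %d (rd=%llu wr=%llu)\n", run_requested(&item),
           (unsigned long long)item.rd_sz, (unsigned long long)item.wr_sz);
    return 0;
}
```

With the buggy init the unrequested case reaches the store through the poisoned pointer; with the NULL-initialising fix the same reply is skipped, and a genuinely requested threshold still lands in the caller's buffer.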

