From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
To: Trond Myklebust <trond.myklebust@hammerspace.com>,
Anna Schumaker <anna.schumaker@netapp.com>
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
Subject: [PATCH] nfs: Fix getxattr kernel panic and memory overflow
Date: Wed, 5 Aug 2020 12:23:18 -0500 [thread overview]
Message-ID: <20200805172319.12633-1-jeffrey.mitchell@starlab.io> (raw)
_nfs4_get_security_label() and decode_attr_security_label() run severe
risks with memory management and do not fully implement their
functionality. In the case that the buffer and length are both NULL, which
according to the getxattr man page should simply return the length of the
attribute, decode_attr_security_label() will kernel panic trying to write
to the null pointer. If the buffer length is nonzero but below the size of
the attribute, decode_attr_security_label() will write the data anyway,
overflowing the buffer, and it isn't until later in
_nfs4_get_security_label() that -ERANGE gets returned.
Here is some of the kernel panic output that I reproduced:
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:__memcpy+0x12/0x20
[...]
Call Trace:
decode_getfattr_attrs+0xb1f/0xdc0
? set_next_entity+0x8e/0x180
decode_getfattr_generic.constprop.0+0x10f/0x210
? rpc_decode_header+0x570/0x570
nfs4_xdr_dec_getattr+0x94/0xa0
[...]
_nfs4_get_security_label+0x134/0x180
? _cond_resched+0x10/0x20
? __kmalloc+0x1f6/0x200
nfs4_xattr_get_nfs4_label+0x89/0x120
__vfs_getxattr+0x4e/0x70
ecryptfs_getxattr_lower+0x4a/0x70
ecryptfs_xattr_get+0x23/0x24
__vfs_getxattr+0x4e/0x70
sb_finish_set_opts+0x12c/0x240
selinux_set_mnt_opts+0x288/0x6a0
security_sb_set_mnt_opts+0x40/0x60
vfs_get_tree+0x57/0xb0
do_mount+0x742/0x9b0
__x64_sys_mount+0x89/0xc0
do_syscall_64+0x3e/0x70
- Jeffrey
Jeffrey Mitchell (1):
nfs: Fix getxattr kernel panic and memory overflow
fs/nfs/nfs4proc.c | 2 --
fs/nfs/nfs4xdr.c | 5 ++++-
2 files changed, 4 insertions(+), 3 deletions(-)
--
2.25.1
next reply other threads:[~2020-08-05 19:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-05 17:23 Jeffrey Mitchell [this message]
2020-08-05 17:23 ` [PATCH] nfs: Fix getxattr kernel panic and memory overflow Jeffrey Mitchell
2020-08-11 14:08 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200805172319.12633-1-jeffrey.mitchell@starlab.io \
--to=jeffrey.mitchell@starlab.io \
--cc=anna.schumaker@netapp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.