All of lore.kernel.org
 help / color / mirror / Atom feed
From: "chenxiaosong (A)" <chenxiaosong2@huawei.com>
To: Lyu Tao <tao.lyu@epfl.ch>,
	Trond Myklebust <trond.myklebust@hammerspace.com>,
	"anna@kernel.org" <anna@kernel.org>,
	"bjschuma@netapp.com" <bjschuma@netapp.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"liuyongqiang13@huawei.com" <liuyongqiang13@huawei.com>,
	"yi.zhang@huawei.com" <yi.zhang@huawei.com>,
	"zhangxiaoxu5@huawei.com" <zhangxiaoxu5@huawei.com>
Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
Date: Wed, 13 Apr 2022 21:42:39 +0800	[thread overview]
Message-ID: <0b6546f7-8a04-9d6e-50c3-483c8a1a6591@huawei.com> (raw)
In-Reply-To: <e0c2d7ec62b447cabddbc8a9274be955@epfl.ch>


在 2022/4/13 20:07, Lyu Tao 写道:
> 
> Hi Xiaosong,
> 
> 
> Thanks for keeping focusing on this bug.
> 
> 
> I applied this CVE for the NULL dereference bug at 
> nfs4_valid_open_stateid() and added the following description to this 
> CVE due to the NFS maintainers replied that to me.
> 
> "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 
> 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a 
> regular file, nfs_atomic_open() performs a regular lookup. If a regular 
> file is found, ENOTDIR should occur, but the server instead returns 
> uninitialized data in the file descriptor.
> 
> 
> Actually I'm still confused with the root cause of this bug. In the 
> original PoC, there is no O_DIRECTORY flag but commit ac795161c936 
> mentioned.
> 
> Moreover, in your latest commit ab0fc21bc710, it said "After secondly 
> opening a file with O_ACCMODE|O_DIRECT flags, nfs4_valid_open_stateid() 
> will dereference NULL nfs4_state when lseek()." However, the original 
> PoC opens the file only with O_RDWR|O_CREAT for the first time.
> 
> 
> Original PoC:
> 
> fd = openat("./file1", o_RDWR|O_CREAT, 000);
> 
> open("./file1", 
> O_ACCMODE|O_CREAT|O_DIRECT|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC|0xb3000008, 
> 001);
> 
> lseek(fd, 9, SEEK_HOLE);
> 
> 
> I'll update this CVE's description after I figure out these.
> 
> 
> Best Regards,
> 
> Tao
> 

Hi Tao:

Yes, O_ACCEMODE is _not_ necessary when fistly open() file.

When open() the file secondly, O_ACCEMODE is necessary if we want to 
reproduce the bug.

Waiting for your modification of the CVE's description.

Best Regards.

  parent reply	other threads:[~2022-04-13 13:42 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-29 11:32 [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag ChenXiaoSong
2022-03-29 11:32 ` [PATCH -next 1/2] Revert "NFSv4: Handle the special Linux file open access mode" ChenXiaoSong
2022-03-29 11:32 ` [PATCH -next 2/2] NFSv4: fix open failure with O_ACCMODE flag ChenXiaoSong
2022-03-29 13:05   ` Trond Myklebust
2022-03-29 13:44     ` chenxiaosong (A)
2022-03-29 13:56       ` Trond Myklebust
2022-03-29 14:32 ` [PATCH -next 0/2] fix nfsv4 bugs of opening " chenxiaosong (A)
     [not found]   ` <e0c2d7ec62b447cabddbc8a9274be955@epfl.ch>
2022-04-13 13:42     ` chenxiaosong (A) [this message]
2022-04-13 14:05       ` chenxiaosong (A)
2022-04-13 14:34         ` chenxiaosong (A)
     [not found]         ` <3ee78045f18b4932b1651de776ee73c4@epfl.ch>
2022-04-13 14:42           ` chenxiaosong (A)
     [not found]             ` <55415e44b4b04bbfa66c42d5f2788384@epfl.ch>
2022-04-14  2:41               ` chenxiaosong (A)
2022-04-14  7:33                 ` Lyu Tao
2022-05-05  2:48                   ` chenxiaosong (A)
2022-05-06  7:40                     ` Lyu Tao
2022-05-31  6:40                       ` chenxiaosong (A)
2022-05-31  8:16                         ` Lyu Tao
2022-05-31  8:47                           ` chenxiaosong (A)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0b6546f7-8a04-9d6e-50c3-483c8a1a6591@huawei.com \
    --to=chenxiaosong2@huawei.com \
    --cc=anna@kernel.org \
    --cc=bjschuma@netapp.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=liuyongqiang13@huawei.com \
    --cc=tao.lyu@epfl.ch \
    --cc=trond.myklebust@hammerspace.com \
    --cc=yi.zhang@huawei.com \
    --cc=zhangxiaoxu5@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.