Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:27 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:42 +0100
commit54fa491783fe43663a0e704b1abcd5c633024d65 (patch)
treeda0c3ecedee1cda32a2ba45025110a4ca0643e78
parent1d51dc815aef20659ac6f0e8fe3f21a7d5d508ae (diff)
sunrpc: use-after-free in svc_process_common() (bnc#1012628).
-rw-r--r--patches.kernel.org/4.20.3-054-sunrpc-use-after-free-in-svc_process_common.patch190
-rw-r--r--series.conf1
2 files changed, 191 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-054-sunrpc-use-after-free-in-svc_process_common.patch b/patches.kernel.org/4.20.3-054-sunrpc-use-after-free-in-svc_process_common.patch
new file mode 100644
index 0000000000..f5a7153141
--- /dev/null
+++ b/patches.kernel.org/4.20.3-054-sunrpc-use-after-free-in-svc_process_common.patch
@@ -0,0 +1,190 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 24 Dec 2018 14:44:52 +0300
+Subject: [PATCH] sunrpc: use-after-free in svc_process_common()
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: d4b09acf924b84bae77cad090a9d108e70b43643
+
+commit d4b09acf924b84bae77cad090a9d108e70b43643 upstream.
+
+if node have NFSv41+ mounts inside several net namespaces
+it can lead to use-after-free in svc_process_common()
+
+svc_process_common()
+ /* Setup reply header */
+ rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE
+
+svc_process_common() can use incorrect rqstp->rq_xprt,
+its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
+The problem is that serv is global structure but sv_bc_xprt
+is assigned per-netnamespace.
+
+According to Trond, the whole "let's set up rqstp->rq_xprt
+for the back channel" is nothing but a giant hack in order
+to work around the fact that svc_process_common() uses it
+to find the xpt_ops, and perform a couple of (meaningless
+for the back channel) tests of xpt_flags.
+
+All we really need in svc_process_common() is to be able to run
+rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()
+
+Bruce J Fields points that this xpo_prep_reply_hdr() call
+is an awfully roundabout way just to do "svc_putnl(resv, 0);"
+in the tcp case.
+
+This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
+now it calls svc_process_common() with rqstp->rq_xprt = NULL.
+
+To adjust reply header svc_process_common() just check
+rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.
+
+To handle rqstp->rq_xprt = NULL case in functions called from
+svc_process_common() patch intruduces net namespace pointer
+svc_rqst->rq_bc_net and adjust SVC_NET() definition.
+Some other function was also adopted to properly handle described case.
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Cc: stable@vger.kernel.org
+Fixes: 23c20ecd4475 ("NFS: callback up - users counting cleanup")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+v2: added lost extern svc_tcp_prep_reply_hdr()
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/sunrpc/svc.h | 5 ++++-
+ include/trace/events/sunrpc.h | 6 ++++--
+ net/sunrpc/svc.c | 11 +++++++----
+ net/sunrpc/svc_xprt.c | 5 +++--
+ net/sunrpc/svcsock.c | 2 +-
+ 5 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index 73e130a840ce..fdb6b317d974 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -295,9 +295,12 @@ struct svc_rqst {
+ struct svc_cacherep * rq_cacherep; /* cache info */
+ struct task_struct *rq_task; /* service thread */
+ spinlock_t rq_lock; /* per-request lock */
++ struct net *rq_bc_net; /* pointer to backchannel's
++ * net namespace
++ */
+ };
+
+-#define SVC_NET(svc_rqst) (svc_rqst->rq_xprt->xpt_net)
++#define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
+
+ /*
+ * Rigorous type checking on sockaddr type conversions
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 28e384186c35..8617f4fd6b70 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -569,7 +569,8 @@ TRACE_EVENT(svc_process,
+ __field(u32, vers)
+ __field(u32, proc)
+ __string(service, name)
+- __string(addr, rqst->rq_xprt->xpt_remotebuf)
++ __string(addr, rqst->rq_xprt ?
++ rqst->rq_xprt->xpt_remotebuf : "(null)")
+ ),
+
+ TP_fast_assign(
+@@ -577,7 +578,8 @@ TRACE_EVENT(svc_process,
+ __entry->vers = rqst->rq_vers;
+ __entry->proc = rqst->rq_proc;
+ __assign_str(service, name);
+- __assign_str(addr, rqst->rq_xprt->xpt_remotebuf);
++ __assign_str(addr, rqst->rq_xprt ?
++ rqst->rq_xprt->xpt_remotebuf : "(null)");
+ ),
+
+ TP_printk("addr=%s xid=0x%08x service=%s vers=%u proc=%u",
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index d13e05f1a990..d65f8d35de87 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1144,6 +1144,8 @@ void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...)
+ static __printf(2,3) void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...) {}
+ #endif
+
++extern void svc_tcp_prep_reply_hdr(struct svc_rqst *);
++
+ /*
+ * Common routine for processing the RPC request.
+ */
+@@ -1172,7 +1174,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ clear_bit(RQ_DROPME, &rqstp->rq_flags);
+
+ /* Setup reply header */
+- rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);
++ if (rqstp->rq_prot == IPPROTO_TCP)
++ svc_tcp_prep_reply_hdr(rqstp);
+
+ svc_putu32(resv, rqstp->rq_xid);
+
+@@ -1244,7 +1247,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ * for lower versions. RPC_PROG_MISMATCH seems to be the closest
+ * fit.
+ */
+- if (versp->vs_need_cong_ctrl &&
++ if (versp->vs_need_cong_ctrl && rqstp->rq_xprt &&
+ !test_bit(XPT_CONG_CTRL, &rqstp->rq_xprt->xpt_flags))
+ goto err_bad_vers;
+
+@@ -1336,7 +1339,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ return 0;
+
+ close:
+- if (test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
++ if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
+ svc_close_xprt(rqstp->rq_xprt);
+ dprintk("svc: svc_process close\n");
+ return 0;
+@@ -1459,10 +1462,10 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
+ dprintk("svc: %s(%p)\n", __func__, req);
+
+ /* Build the svc_rqst used by the common processing routine */
+- rqstp->rq_xprt = serv->sv_bc_xprt;
+ rqstp->rq_xid = req->rq_xid;
+ rqstp->rq_prot = req->rq_xprt->prot;
+ rqstp->rq_server = serv;
++ rqstp->rq_bc_net = req->rq_xprt->xprt_net;
+
+ rqstp->rq_addrlen = sizeof(req->rq_xprt->addr);
+ memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 51d36230b6e3..bd42da287c26 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -468,10 +468,11 @@ static struct svc_xprt *svc_xprt_dequeue(struct svc_pool *pool)
+ */
+ void svc_reserve(struct svc_rqst *rqstp, int space)
+ {
++ struct svc_xprt *xprt = rqstp->rq_xprt;
++
+ space += rqstp->rq_res.head[0].iov_len;
+
+- if (space < rqstp->rq_reserved) {
+- struct svc_xprt *xprt = rqstp->rq_xprt;
++ if (xprt && space < rqstp->rq_reserved) {
+ atomic_sub((rqstp->rq_reserved - space), &xprt->xpt_reserved);
+ rqstp->rq_reserved = space;
+
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index b7e67310ec37..b90492c43711 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1173,7 +1173,7 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
+ /*
+ * Setup response header. TCP has a 4B record length field.
+ */
+-static void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
++void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
+ {
+ struct kvec *resv = &rqstp->rq_res.head[0];
+
+--
+2.20.1
+
diff --git a/series.conf b/series.conf
index 44134da2f9..82e6e643d0 100644
--- a/series.conf
+++ b/series.conf
@@ -291,6 +291,7 @@
patches.kernel.org/4.20.3-051-ext4-track-writeback-errors-using-the-generic-.patch
patches.kernel.org/4.20.3-052-ext4-fix-special-inode-number-checks-in-__ext4.patch
patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch
+ patches.kernel.org/4.20.3-054-sunrpc-use-after-free-in-svc_process_common.patch
########################################################
# Build fixes that apply to the vanilla kernel too.