linux-stable/fs/nfs
Dave Wysochanski d68894800e NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
is a stack char array variable of length NFS_UINT_MAXLEN == 11.
If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
overflows into a negative value, for example:
crash> p (unsigned) (0x80000000)
$1 = 2147483648
crash> p (signed) (0x80000000)
$2 = -2147483648
The '-' sign is written to the buffer and this causes a 1 byte overflow
when the NULL byte is written, which corrupts kernel stack memory.  If
CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:

[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
[11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
[11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
[11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
[11558053.650107] Call Trace:
[11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
[11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
[11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
[11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
[11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
[11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
[11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
[11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
[11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b

Fix this by calling the internally defined nfs_map_numeric_to_string()
function which properly uses '%u' to convert this __u32.  For consistency,
also replace the one other place where snprintf is called.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reported-by: Stephen Johnston <sjohnsto@redhat.com>
Fixes: cf4ab538f1 ("NFSv4: Fix the string length returned by the idmapper")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2018-05-31 15:02:16 -04:00
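As an added illustration (not code from the commit or from the kernel), the following C program measures how many bytes the original '%d' conversion and the corrected '%u' conversion need for a __u32, compared against an NFS_UINT_MAXLEN-sized stack buffer; map_numeric_to_string() is a hypothetical stand-in for the kernel's nfs_map_numeric_to_string() that shows the bounded write which makes the fix safe.

```c
#include <stdint.h>
#include <stdio.h>

/* NFS_UINT_MAXLEN as in the kernel: 10 digits plus NUL holds any __u32. */
#define NFS_UINT_MAXLEN 11

/* Bytes (with NUL) the original '%d' conversion needs for a __u32; snprintf
 * with a NULL buffer only measures, so nothing is overwritten here. */
int buggy_needed_len(uint32_t im_id)
{
    return snprintf(NULL, 0, "%d", (int)im_id) + 1;
}

/* Bytes (with NUL) the corrected '%u' conversion needs. */
int fixed_needed_len(uint32_t im_id)
{
    return snprintf(NULL, 0, "%u", im_id) + 1;
}

/* 1 if the '%d' conversion would overrun an NFS_UINT_MAXLEN stack buffer. */
int buggy_overflows(uint32_t im_id)
{
    return buggy_needed_len(im_id) > NFS_UINT_MAXLEN;
}

/* Hypothetical stand-in for the kernel's nfs_map_numeric_to_string(): a
 * bounded '%u' write; returns the length, or -1 if it would be truncated. */
int map_numeric_to_string(uint32_t im_id, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u", im_id);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Format into an id_str of exactly NFS_UINT_MAXLEN bytes, as the kernel
 * function does; returns the length written, or -1. */
int format_into_stack_buf(uint32_t im_id)
{
    char id_str[NFS_UINT_MAXLEN];
    return map_numeric_to_string(im_id, id_str, sizeof(id_str));
}

int main(void)
{
    uint32_t ids[] = { 0x7fffffffu, 0x80000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("%u: '%%d' needs %d bytes, '%%u' needs %d, overflow=%d\n",
               ids[i], buggy_needed_len(ids[i]), fixed_needed_len(ids[i]),
               buggy_overflows(ids[i]));
    return 0;
}
```

For 0x80000000 the '%d' path needs 12 bytes (the '-' plus ten digits plus NUL) while the buffer holds 11, which is the 1-byte overrun the commit describes; every value fits under '%u'.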
blocklayout pnfs/blocklayout: Ensure disk address in block device map 2018-01-25 16:42:35 -05:00
filelayout nfs41: do not return ENOMEM on LAYOUTUNAVAILABLE 2018-01-18 12:51:31 -05:00
flexfilelayout NFS client updates for Linux 4.15 2017-11-17 14:18:00 -08:00
cache_lib.c NFS client updates for Linux 4.15 2017-11-17 14:18:00 -08:00
cache_lib.h NFS client updates for Linux 4.15 2017-11-17 14:18:00 -08:00
callback.c NFS client updates for Linux 4.15 2017-11-17 14:18:00 -08:00
callback.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
callback_proc.c NFSv4: Fix broken cast in nfs4_callback_recallany() 2018-02-21 16:35:50 -05:00
callback_xdr.c NFSv4: Clean up CB_GETATTR encoding 2018-04-10 16:06:22 -04:00
client.c nfs: fix a deadlock in nfs client initialization 2017-12-15 14:31:49 -05:00
delegation.c NFS: Avoid quadratic search when freeing delegations. 2018-05-31 15:02:14 -04:00
delegation.h NFSv4: Fix the nfs_inode_set_delegation() arguments 2018-04-10 16:06:22 -04:00
dir.c NFS: Ensure we revalidate the inode correctly after remove or rename 2018-05-31 15:02:16 -04:00
direct.c NFS: Fix an incorrect type in struct nfs_direct_req 2018-03-08 12:56:31 -05:00
dns_resolve.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dns_resolve.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
export.c nfs: remove unused label in nfs_encode_fh() 2018-01-16 10:12:49 -05:00
file.c NFS: Revert "NFS: Move the flock open mode check into nfs_flock()" 2017-11-17 16:43:52 -05:00
fscache-index.c fscache: Pass object size in rather than calling back for it 2018-04-06 14:05:14 +01:00
fscache.c fscache: Pass object size in rather than calling back for it 2018-04-06 14:05:14 +01:00
fscache.h fscache: Pass object size in rather than calling back for it 2018-04-06 14:05:14 +01:00
getroot.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
inode.c NFS: Fix up nfs_post_op_update_inode() to force ctime updates 2018-05-31 15:02:16 -04:00
internal.h Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00
io.c NFS: Fix a race between mmap() and O_DIRECT 2018-01-28 22:00:15 -05:00
iostat.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig pnfs/blocklayout: require 64-bit sector_t 2017-08-11 14:10:13 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mount_clnt.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
namespace.c NFS: Use ERR_CAST() to avoid cross-structure cast 2017-05-28 10:11:47 -07:00
netns.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs2super.c
nfs2xdr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs3_fs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs3acl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs3client.c NFS: Remove unused authflavour parameter from nfs_get_client() 2016-12-01 17:46:32 -05:00
nfs3proc.c NFSv4: Fix sillyrename to return the delegation when appropriate 2018-05-31 15:02:16 -04:00
nfs3super.c
nfs3xdr.c NFS: advance nfs_entry cookie only after decoding completes successfully 2018-04-10 16:06:22 -04:00
nfs4_fs.h NFS: Pass "privileged" value to nfs4_init_sequence() 2018-05-31 15:02:16 -04:00
nfs4client.c nfs: system crashes after NFS4ERR_MOVED recovery 2018-02-22 12:17:42 -05:00
nfs4file.c nfs4file: get rid of pointless include of btrfs.h 2017-12-30 00:03:39 -05:00
nfs4getroot.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs4idmap.c NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message 2018-05-31 15:02:16 -04:00
nfs4idmap.h
nfs4namespace.c nfs: Referrals should use the same proto setting as their parent 2018-01-14 23:06:30 -05:00
nfs4proc.c NFS: Ensure we revalidate the inode correctly after setacl 2018-05-31 15:02:16 -04:00
nfs4renewd.c NFSv4: Set the connection timeout to match the lease period 2017-02-09 14:15:16 -05:00
nfs4session.c NFSv4.1: Fix regression in callback retry handling 2016-12-01 17:21:38 -05:00
nfs4session.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs4state.c nfs: Use ida_simple API 2018-04-10 16:06:22 -04:00
nfs4super.c
nfs4sysctl.c nfs: Do not convert nfs_idmap_cache_timeout to jiffies 2018-01-18 15:10:47 -05:00
nfs4trace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs4trace.h NFS client updates for Linux 4.15 2017-11-17 14:18:00 -08:00
nfs4xdr.c NFS client updates for Linux 4.17 2018-04-12 12:55:50 -07:00
nfs42.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfs42proc.c NFS: Pass "privileged" value to nfs4_init_sequence() 2018-05-31 15:02:16 -04:00
nfs42xdr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfsroot.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfstrace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfstrace.h NFS client updates for Linux 4.16 2018-01-30 19:03:48 -08:00
pagelist.c sched/wait, fs/nfs: Convert wait_on_atomic_t() usage to the new wait_var_event() API 2018-03-20 08:23:21 +01:00
pnfs.c pNFS: Prevent the layout header refcount going to zero in pnfs_roc() 2018-03-08 12:56:31 -05:00
pnfs.h pnfs/blocklayout: handle transient devices 2018-01-14 23:06:29 -05:00
pnfs_dev.c pnfs/blocklayout: handle transient devices 2018-01-14 23:06:29 -05:00
pnfs_nfs.c sched/wait, fs/nfs: Convert wait_on_atomic_t() usage to the new wait_var_event() API 2018-03-20 08:23:21 +01:00
proc.c NFSv4: Fix sillyrename to return the delegation when appropriate 2018-05-31 15:02:16 -04:00
read.c NFS: Add static NFS I/O tracepoints 2017-09-11 22:20:38 -04:00
super.c fs: Teach path_connected to handle nfs filesystems with multiple roots. 2018-03-15 18:48:38 -04:00
symlink.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sysctl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
unlink.c NFS: Fix up sillyrename() 2018-05-31 15:02:16 -04:00
write.c NFS: Move call to nfs4_state_protect() to nfs4_commit_setup() 2018-05-31 15:02:16 -04:00