-stable review patch. If anyone has any objections, please let us know.
------------------
This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
Signed-off-by: Chris Wright <[email protected]>
---
fs/nfs/direct.c | 5 +++++
1 files changed, 5 insertions(+)
--- linux-2.6.15.4.orig/fs/nfs/direct.c
+++ linux-2.6.15.4/fs/nfs/direct.c
@@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
result = get_user_pages(current, current->mm, user_addr,
page_count, (rw == READ), 0,
*pages, NULL);
+ if (result >= 0 && result < page_count) {
+ nfs_free_user_pages(*pages, result, 0);
+ *pages = NULL;
+ result = -EFAULT;
+ }
up_read(¤t->mm->mmap_sem);
}
return result;
--
On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ------------------
>
> This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
> NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
>
> Signed-off-by: Chris Wright <[email protected]>
> ---
>
> fs/nfs/direct.c | 5 +++++
> 1 files changed, 5 insertions(+)
>
> --- linux-2.6.15.4.orig/fs/nfs/direct.c
> +++ linux-2.6.15.4/fs/nfs/direct.c
> @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
> result = get_user_pages(current, current->mm, user_addr,
> page_count, (rw == READ), 0,
> *pages, NULL);
> + if (result >= 0 && result < page_count) {
> + nfs_free_user_pages(*pages, result, 0);
> + *pages = NULL;
> + result = -EFAULT;
> + }
> up_read(¤t->mm->mmap_sem);
> }
> return result;
Also broken in 2.6.15.5 it seems :-/
fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
Some function juggling should do the trick.
Signed-off-by: Dave Jones <[email protected]>
--- linux-2.6.15/fs/nfs/direct.c~ 2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c 2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
error; /* any reported error */
};
+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+ int i;
+ for (i = 0; i < npages; i++) {
+ if (do_dirty)
+ set_page_dirty_lock(pages[i]);
+ page_cache_release(pages[i]);
+ }
+ kfree(pages);
+}
/**
* nfs_get_user_pages - find and set up pages underlying user's buffer
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
}
/**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
- int i;
- for (i = 0; i < npages; i++) {
- if (do_dirty)
- set_page_dirty_lock(pages[i]);
- page_cache_release(pages[i]);
- }
- kfree(pages);
-}
-
-/**
* nfs_direct_req_release - release nfs_direct_req structure for direct read
* @kref: kref object embedded in an nfs_direct_req structure
*
* Dave Jones ([email protected]) wrote:
> Also broken in 2.6.15.5 it seems :-/
Indeed, the diff below effectively replaces what's in 2.6.15.5 with
what Trond had sent me. Should fix the compile error and keep in sync
with what's going upstream.
--
Compile fix:
fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
This should now be the same as fix that's going upstream.
Signed-off-by: Chris Wright <[email protected]>
Cc: Trond Myklebust <[email protected]>
---
fs/nfs/direct.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletion(-)
--- linux-2.6.15.5.orig/fs/nfs/direct.c
+++ linux-2.6.15.5/fs/nfs/direct.c
@@ -57,6 +57,7 @@
#define NFSDBG_FACILITY NFSDBG_VFS
#define MAX_DIRECTIO_SIZE (4096UL << PAGE_SHIFT)
+static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);
static kmem_cache_t *nfs_direct_cachep;
/*
@@ -106,12 +107,16 @@ nfs_get_user_pages(int rw, unsigned long
result = get_user_pages(current, current->mm, user_addr,
page_count, (rw == READ), 0,
*pages, NULL);
+ up_read(¤t->mm->mmap_sem);
+ /*
+ * If we got fewer pages than expected from get_user_pages(),
+ * the user buffer runs off the end of a mapping; return EFAULT.
+ */
if (result >= 0 && result < page_count) {
nfs_free_user_pages(*pages, result, 0);
*pages = NULL;
result = -EFAULT;
}
- up_read(¤t->mm->mmap_sem);
}
return result;
}