2021-11-18 10:48:09

by rtm

Subject: NFS v4 client can dereference uninitialized pointer if server includes unrequested mdsthreshold attr

I think nfs_fattr_init() ought to set fattr->mdsthreshold to NULL. If
the kmalloc()'d attr memory doesn't happen to be zero at
fattr->mdsthreshold, and the server returns an unrequested mdsthreshold
attribute, then decode_getfattr_attrs() will try to store via the
uninitialized pointer in decode_first_threshold_item4().

I've attached a demo program, which I run with slub_debug=FZP:

# uname -a
Linux (none) 5.15.0-rc7-dirty #78 SMP Mon Nov 15 15:49:15 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
# cc nfs_15.c
# ./nfs_15
...
[ 27.950132] decode_attr_mdsthreshold: Warning: Multiple pNFS layout drivers per filesystem not supported
[ 27.969630] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6f
[ 28.058092] epc : ffffffff8023dee0 ra : ffffffff8023deb2 sp : ffffffd00055b500
[ 28.231013] status: 0000000200000121 badaddr: 6b6b6b6b6b6b6b6f cause: 000000000000000f
[ 28.246069] [<ffffffff8023dee0>] decode_getfattr_attrs+0xdae/0x11fe
[ 28.259758] [<ffffffff8023e44e>] decode_getfattr_generic.constprop.0+0x11e/0x1b2
[ 28.275547] [<ffffffff8023ec86>] nfs4_xdr_dec_lookup+0xa2/0xac
[ 28.289208] [<ffffffff80754750>] rpcauth_unwrap_resp_decode+0x12/0x1a
[ 28.302635] [<ffffffff8075540c>] rpcauth_unwrap_resp+0x12/0x1a
[ 28.316324] [<ffffffff8074b7a8>] call_decode+0x112/0x176
[ 28.327634] [<ffffffff80753c8c>] __rpc_execute+0x76/0x216
[ 28.338932] [<ffffffff807542aa>] rpc_execute+0x58/0x7e
[ 28.350241] [<ffffffff8074cb34>] rpc_run_task+0x12c/0x16c
[ 28.361567] [<ffffffff8022271e>] nfs4_call_sync_custom+0x12/0x32
[ 28.375315] [<ffffffff802227ae>] nfs4_do_call_sync+0x70/0x8c
[ 28.389058] [<ffffffff802233ba>] _nfs4_proc_lookup+0xf2/0x11a
[ 28.402819] [<ffffffff8022e7ea>] nfs4_proc_lookup_common+0x7c/0x2a2
[ 28.416516] [<ffffffff8022eace>] nfs4_proc_lookup+0x42/0x9e
[ 28.427830] [<ffffffff80209c02>] nfs_lookup+0xa6/0x122
[ 28.439138] [<ffffffff80209f18>] nfs_atomic_open+0x29a/0x342
[ 28.452815] [<ffffffff8013756e>] path_openat+0x5ca/0xaf6
[ 28.464063] [<ffffffff80138468>] do_filp_open+0x70/0xd0
[ 28.475375] [<ffffffff801276de>] do_sys_openat2+0x1fc/0x298
[ 28.486697] [<ffffffff80128870>] do_sys_open+0x3c/0x78
[ 28.497986] [<ffffffff801288ee>] sys_openat+0x18/0x20
[ 28.509270] [<ffffffff80003046>] ret_from_syscall+0x0/0x2


Attachments:
nfs_15.c (19.00 kB)
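Added illustration, not code from the report, its attachment, or the kernel: a small user-space C model of the initialisation defect described above. The struct and function names (fattr, threshold_item, fattr_init_buggy, fattr_init_fixed, decode_mdsthreshold, the scenario_* helpers) are hypothetical stand-ins, not the kernel's definitions. The only detail taken from the report is the 0x6b fill pattern: under slub_debug poisoning a fresh allocation is not zeroed, which is why a never-initialised pointer field reads back as 6b6b6b6b6b6b6b6b and a store through it faults at an address like the 6b6b6b6b6b6b6b6f in the trace. The model shows why "pointer field left as allocator garbage" and "pointer field set to NULL in init" behave differently when an unrequested attribute arrives.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins (NOT the kernel's structures). */
struct threshold_item {
    uint64_t rd_sz;
    uint64_t wr_sz;
};

struct fattr {
    uint64_t valid;                       /* which attributes the decoder filled */
    struct threshold_item *mdsthreshold;  /* should be NULL unless the caller asked */
};

#define FATTR_MDSTHRESHOLD 0x1u

/* Stand-in for kmalloc() under slub_debug poisoning: the new object is
 * filled with 0x6b, not zero, so any field init forgets keeps that pattern. */
static struct fattr *poisoned_alloc_fattr(void)
{
    struct fattr *f = malloc(sizeof *f);
    if (!f)
        abort();
    memset(f, 0x6b, sizeof *f);
    return f;
}

/* 1 if every byte of the pointer field still holds the poison pattern. */
static int mdsthreshold_is_poison(const struct fattr *f)
{
    unsigned char poison[sizeof f->mdsthreshold];
    memset(poison, 0x6b, sizeof poison);
    return memcmp(&f->mdsthreshold, poison, sizeof poison) == 0;
}

/* Buggy init: resets what it knows about, leaves mdsthreshold untouched. */
static void fattr_init_buggy(struct fattr *f)
{
    f->valid = 0;
}

/* Fixed init, as the report proposes: the pointer starts out NULL. */
static void fattr_init_fixed(struct fattr *f)
{
    f->valid = 0;
    f->mdsthreshold = NULL;
}

/* Models the decoder receiving an mdsthreshold attribute from the server.
 * Returns 1 if it stored the value into the caller's buffer, 0 if it
 * discarded it because nobody requested it. The NULL check is only a
 * real guard when init guarantees NULL for "not requested". */
static int decode_mdsthreshold(struct fattr *f, uint64_t rd_sz, uint64_t wr_sz)
{
    if (f->mdsthreshold == NULL)
        return 0;
    f->mdsthreshold->rd_sz = rd_sz;
    f->mdsthreshold->wr_sz = wr_sz;
    f->valid |= FATTR_MDSTHRESHOLD;
    return 1;
}

/* Buggy init on poisoned memory: the field is garbage, and a decoder that
 * trusted "non-NULL means caller buffer" would store through it. */
static int scenario_buggy_init_leaves_poison(void)
{
    struct fattr *f = poisoned_alloc_fattr();
    fattr_init_buggy(f);
    int poison = mdsthreshold_is_poison(f);   /* 1 */
    free(f);
    return poison;
}

/* Fixed init, server sends an attribute nobody asked for: discarded. */
static int scenario_fixed_init_discards_unrequested(void)
{
    struct fattr *f = poisoned_alloc_fattr();
    fattr_init_fixed(f);
    int stored = decode_mdsthreshold(f, 4096, 8192);   /* 0 */
    free(f);
    return stored;
}

/* Fixed init, caller opted in by supplying a buffer: value lands there. */
static uint64_t scenario_fixed_init_stores_requested(void)
{
    struct threshold_item item = {0, 0};
    struct fattr *f = poisoned_alloc_fattr();
    fattr_init_fixed(f);
    f->mdsthreshold = &item;
    decode_mdsthreshold(f, 4096, 8192);
    uint64_t rd = (f->valid & FATTR_MDSTHRESHOLD) ? item.rd_sz : 0;   /* 4096 */
    free(f);
    return rd;
}

int main(void)
{
    printf("buggy init leaves poison pointer: %d\n", scenario_buggy_init_leaves_poison());
    printf("fixed init, unrequested attr stored: %d\n", scenario_fixed_init_discards_unrequested());
    printf("fixed init, requested attr rd_sz: %llu\n",
           (unsigned long long)scenario_fixed_init_stores_requested());
    return 0;
}
```

The point of the model is the second scenario: once init establishes NULL as the "not requested" state, a reply carrying an attribute the client never asked for is simply dropped, whereas with the buggy init the same NULL check passes on poison bytes and the write goes to an address made of 0x6b bytes, which is exactly the badaddr pattern in the trace.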