Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1321290pxb;
        Tue, 8 Feb 2022 14:37:25 -0800 (PST)
X-Google-Smtp-Source: ABdhPJw7YXYCXbTvzB0O8dIqOyGhEI89avFhFBXJacOdJAcSN6mZXzdJ+q0SlR66InC50/U8ys1V
X-Received: by 2002:a17:90a:4588:: with SMTP id v8mr185386pjg.114.1644359845401;
        Tue, 08 Feb 2022 14:37:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1644359845; cv=none;
        d=google.com; s=arc-20160816;
        b=D26uGHKtiSU3SPLQRvYaB06Ofs4Q3Rzx6toF+LVIKVAiue1m4Gd5iQfcslec9ZGrIl
         tiha+1B9bOWeqqTmGWrt76QCxME509KEPI+6ljrIJ2l+qR3TNYcZ96B0tiBqEeHIEqbe
         /9l8HB0aBdSXKZxH4UYPQTBlcE9V2KZ0/sjBu+5CRNG5UTwUEESWWcS7DO8y0+2VLhqy
         D7/skCPBKhE1aog8jVQslSe//5pD1fNTC4vImzRGk3yr3k1bsGMlts64VJPbW60D0eVv
         NRFYSq5VDR7JJncMVePtVm5L8LSTI8I0XFl1Xt+XYSxHMKvdV6Gpitu85hTqByRngN0o
         hB4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:date:message-id:subject:cc:to:from;
        bh=t+BqIn6bkqG00KAz0uKa7/O8qSsNIySH1uzYVYokIjc=;
        b=cuS+Hh5141GJjKUKjUP9WVmDYUj0DIfVATNOHUWvNsybbPL0Huh9sgiY4Zasin9WrZ
         SNyJV+bMgdjekUnYr42u5XTkThxJWMZf8z9s4GVvv4BaOC53XSV5R/w+gYbSxa/gXYjI
         1WglVJ9UgQBEYcqn2eaJkDfqtNB8RI1IH6c0iOAfBg/xVDepqKhLiUjnWNMEzgvqTFAt
         31zgyTw+/SqJGwV6ts61KdFABqq9TCKau/fk22hwy5m6DfMKWudXRXUjVCOlemclKNrP
         Zxq2WvXqCGrTWkVmza5grTvDFEsqFhSiPqRMzARH97vWaYGOh0YbfEpocy55LXaUxguO
         J1gQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i63si2402645pge.878.2022.02.08.14.37.05;
        Tue, 08 Feb 2022 14:37:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243620AbiBHLvE (ORCPT <rfc822;chilversc@gmail.com> + 99 others);
        Tue, 8 Feb 2022 06:51:04 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41640 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1358967AbiBHLuq (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Tue, 8 Feb 2022 06:50:46 -0500
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24C1BC03E95F
        for <linux-nfs@vger.kernel.org>; Tue,  8 Feb 2022 03:49:01 -0800 (PST)
Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.57])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4JtLqL56yTzbkBr;
        Tue,  8 Feb 2022 19:47:58 +0800 (CST)
Received: from [10.174.176.83] (10.174.176.83) by
 dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.21; Tue, 8 Feb 2022 19:48:58 +0800
From:   "zhangxiaoxu (A)" <zhangxiaoxu5@huawei.com>
To:     <tao.lyu@epfl.ch>,
        Trond Myklebust <trond.myklebust@hammerspace.com>
CC:     ChenXiaoSong <chenxiaosong2@huawei.com>,
        yanaijie <yanaijie@huawei.com>,
        "zhangyi (F)" <yi.zhang@huawei.com>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Question about CVE-2022-24448
Message-ID: <1bb42908-8f58-bf56-c2da-42739ee48d16@huawei.com>
Date:   Tue, 8 Feb 2022 19:48:58 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset="gbk"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.174.176.83]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
 dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

Hi Trond and Tao,

I have some question about CVE-2022-24448[1].

It's description as:
   An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5.
   If an application sets the O_DIRECTORY flag, and tries to open a regular
   file, nfs_atomic_open() performs a regular lookup. If a regular file is
   found, ENOTDIR should occur, but the server instead returns uninitialized
   data in the file descriptor.

It's fixed by ac795161c936 ("NFSv4: Handle case where the lookup of a directory fails")

When try to open a regular file with O_DIRECTORY flag,
it always return -ENOTDIR to userspace rather than a
valid file descriptor because the 'do_open' check the
dentry type.

My questions are:
1. which uninitialized data in the file description are returned from 'nfs_atomic_open'?
2. where use the uninitialized data?
3. which uninitialized data are returned from server?
4. is there a PoC reproducer or how to trigger it?


[1] https://nvd.nist.gov/vuln/detail/CVE-2022-24448