Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp597534pxb;
        Wed, 13 Apr 2022 08:27:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzBkPcEMOUUuKff8yxrpt7MEuQj0hPnaQkRcGLOOfPP3WUstF06/uDWaFgSCOB16S4q4zyL
X-Received: by 2002:a17:903:22cc:b0:158:52d6:1b0b with SMTP id y12-20020a17090322cc00b0015852d61b0bmr17871147plg.47.1649863661777;
        Wed, 13 Apr 2022 08:27:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649863661; cv=none;
        d=google.com; s=arc-20160816;
        b=jfLGTkvKfPpY9N2yffMW8zH6MqZrtiPO/2IyoKex7gR6+8XBwhU8Dj91WHTi9r2nt0
         un1ZAAbGItHXmDyI6DrvZ9MnYm2S4FIwVXHzhIDWQUlVC8PiF0TUhgQa4Gm69CCsEctl
         59zOE8UndcbR2e7/Rj5AgIhFoQ45Vq2usSnCZIEC/zuqqROv5ZxIoAkGMHd7QwTvqI3t
         GBNB9CCl0xM91qKUrWqMFb7orxdHsiwFrjpJobf0NQxE9POFPFuLtUqeLHe9Ugl0eLhu
         mL8yjkPHQeexXV51JVRizGMxgpcjvleTDztCNTw2kADRh9doC6ql9bviR6+Yvlm8YKCY
         AKmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:references
         :cc:to:from:subject:user-agent:mime-version:date:message-id;
        bh=A1rJ4pCztKqN6KxUuzx4ZAPcnyNmk7mOk8qFa6Rvo6A=;
        b=X1P9Lp5J1zUkmmOM5e5J2+f+WK07Wdx9b83PFAsvokBBIzp9jEn+EMW7roaeHozC9b
         6Tt+bA3KOWf6R+cjuiaRb/++GplWsQg69hYUAkp8K7HA26JgejjQwhJRHB//Zd/xsDyV
         G2WYZPJfnnj3Mdg/EqdlqjOj6kpbKqZ9s3H5ThwIZ6/A0aYmjOuDIoVma+z0o643qW+k
         30bjo0z/0eZ/mwIviGQQMn2CEFKKlg80SMNQagkU/wFyze36j21zGIhf82Or+hLrys+8
         Hv+NKc6cU4s2+Zo+eLab+SthfuFh7XMokoZAHBXaIFAVL6Mz1PBmmW15UMc4uGRV2GDY
         Rw+A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id p20-20020a170902b09400b001583ec38334si11899495plr.533.2022.04.13.08.27.13;
        Wed, 13 Apr 2022 08:27:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234419AbiDMOhE (ORCPT <rfc822;jx.jiangxin@gmail.com>
        + 99 others); Wed, 13 Apr 2022 10:37:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40614 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232591AbiDMOhD (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Wed, 13 Apr 2022 10:37:03 -0400
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D95F4BBB7;
        Wed, 13 Apr 2022 07:34:41 -0700 (PDT)
Received: from kwepemi500025.china.huawei.com (unknown [172.30.72.54])
        by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KdlS16SF1zgYKd;
        Wed, 13 Apr 2022 22:32:49 +0800 (CST)
Received: from kwepemm600015.china.huawei.com (7.193.23.52) by
 kwepemi500025.china.huawei.com (7.221.188.170) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 13 Apr 2022 22:34:39 +0800
Received: from [10.174.176.52] (10.174.176.52) by
 kwepemm600015.china.huawei.com (7.193.23.52) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 13 Apr 2022 22:34:38 +0800
Message-ID: <9b879bf5-53f1-663f-97ad-aeb91055bb05@huawei.com>
Date:   Wed, 13 Apr 2022 22:34:37 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.2.1
Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
From:   "chenxiaosong (A)" <chenxiaosong2@huawei.com>
To:     Lyu Tao <tao.lyu@epfl.ch>,
        Trond Myklebust <trond.myklebust@hammerspace.com>,
        "anna@kernel.org" <anna@kernel.org>,
        "bjschuma@netapp.com" <bjschuma@netapp.com>
CC:     "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "liuyongqiang13@huawei.com" <liuyongqiang13@huawei.com>,
        "yi.zhang@huawei.com" <yi.zhang@huawei.com>,
        "zhangxiaoxu5@huawei.com" <zhangxiaoxu5@huawei.com>
References: <20220329113208.2466000-1-chenxiaosong2@huawei.com>
 <68b65889-3b2c-fb72-a0a8-d0afc15a03e0@huawei.com>
 <e0c2d7ec62b447cabddbc8a9274be955@epfl.ch>
 <0b6546f7-8a04-9d6e-50c3-483c8a1a6591@huawei.com>
 <d73a51a2-6b63-b536-61e6-3d18563f027d@huawei.com>
In-Reply-To: <d73a51a2-6b63-b536-61e6-3d18563f027d@huawei.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.174.176.52]
X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To
 kwepemm600015.china.huawei.com (7.193.23.52)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

I will give some detailed code process.

firstly open():

```c
open
   do_sys_open
     do_sys_openat2
       do_filp_open
         path_openat
           open_last_lookups
             lookup_open
               atomic_open
                 nfs_atomic_open
                   create_nfs_open_context
                     flags_to_mode() = FMODE_READ|FMODE_WRITE
                     alloc_nfs_open_context
                       ctx->mode = f_mode // FMODE_READ|FMODE_WRITE
                   // NFS_PROTO(dir)->open_context
                   nfs4_atomic_open
                     nfs4_do_open
                       _nfs4_do_open
                         fmode = _nfs4_ctx_to_openmode(ctx) = 3
                           ret = ctx->mode & (FMODE_READ|FMODE_WRITE) // 
ctx->mode = 3
                         nfs4_opendata_alloc
                           nfs4_map_atomic_open_share
                             return NFS4_SHARE_ACCESS_BOTH
```

secondly open():
```c
open
   do_sys_open
     do_sys_openat2
       do_filp_open
         path_openat
           open_last_lookups
             lookup_open
               return dentry // if (dentry->d_inode) {
           do_open
             vfs_open
               do_dentry_open
                 // f->f_op->open
                 nfs4_file_open
                   if ((openflags & O_ACCMODE) == 3)
                   nfs_open // without sunrpc request
                     alloc_nfs_open_context
                       ctx->state = NULL; // this is point
```

lseek() after secondly open():
```c
lseek
   ksys_lseek
     vfs_llseek
       // file->f_op->llseek
       nfs4_file_llseek
         nfs42_proc_llseek
           _nfs42_proc_llseek(lock)
             nfs4_set_rw_stateid(ctx=lock->open_context)
               nfs4_select_rw_stateid(state=ctx->state)
                 nfs4_valid_open_stateid(state)
                   state->flags // dereference NULL state
```

在 2022/4/13 22:05, chenxiaosong (A) 写道:
> 在 2022/4/13 21:42, chenxiaosong (A) 写道:
>>
>> 在 2022/4/13 20:07, Lyu Tao 写道:
>>>
>>> Hi Xiaosong,
>>>
>>>
>>> Thanks for keeping focusing on this bug.
>>>
>>>
>>> I applied this CVE for the NULL dereference bug at 
>>> nfs4_valid_open_stateid() and added the following description to this 
>>> CVE due to the NFS maintainers replied that to me.
>>>
>>> "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 
>>> 5.16.5. If an application sets the O_DIRECTORY flag, and tries to 
>>> open a regular file, nfs_atomic_open() performs a regular lookup. If 
>>> a regular file is found, ENOTDIR should occur, but the server instead 
>>> returns uninitialized data in the file descriptor.
>>>
>>>
>>> Actually I'm still confused with the root cause of this bug. In the 
>>> original PoC, there is no O_DIRECTORY flag but commit ac795161c936 
>>> mentioned.
>>>
>>> Moreover, in your latest commit ab0fc21bc710, it said "After secondly 
>>> opening a file with O_ACCMODE|O_DIRECT flags, 
>>> nfs4_valid_open_stateid() will dereference NULL nfs4_state when 
>>> lseek()." However, the original PoC opens the file only with 
>>> O_RDWR|O_CREAT for the first time.
>>>
>>>
>>> Original PoC:
>>>
>>> fd = openat("./file1", o_RDWR|O_CREAT, 000);
>>>
>>> open("./file1", 
>>> O_ACCMODE|O_CREAT|O_DIRECT|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC|0xb3000008, 
>>> 001);
>>>
>>> lseek(fd, 9, SEEK_HOLE);
>>>
>>>
>>> I'll update this CVE's description after I figure out these.
>>>
>>>
>>> Best Regards,
>>>
>>> Tao
>>>
>>
>> Hi Tao:
>>
>> Yes, O_ACCEMODE is _not_ necessary when fistly open() file.
>>
>> When open() the file secondly, O_ACCEMODE is necessary if we want to 
>> reproduce the bug.
>>
>> Waiting for your modification of the CVE's description.
>>
>> Best Regards.
>> .
> 
> My reproducer:
>    1. mount -t nfs -o vers=4.2 $server_ip:/ /mnt/
>    2. fd = open("/mnt/file", O_ACCMODE|O_DIRECT|O_CREAT)
>    3. close(fd)
>    4. fd = open("/mnt/file", O_ACCMODE|O_DIRECT)
>    5. lseek(fd)
> 
> When firstly open() file, O_ACCMODE|O_DIRECT is _not_ necessary, we just 
> use O_CREAT to create new file.
> 
> When secondly open() file, only O_ACCMODE|O_DIRECT is necessary, 
> O_CREAT|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC|0xb3000008 in 
> your original PoC is not necessary (however, they are harmless).