Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp774578pxb; Wed, 13 Apr 2022 12:03:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxWjyuEd+kOmtNG+2j/NixqvjgvxSB4c2r2Z1G9IeruD8xttfI+qx7fplYc4ePZXohAjb9c X-Received: by 2002:a17:906:2b93:b0:6cf:bb48:5a80 with SMTP id m19-20020a1709062b9300b006cfbb485a80mr39319904ejg.681.1649876628966; Wed, 13 Apr 2022 12:03:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649876628; cv=none; d=google.com; s=arc-20160816; b=pZL3yQhO1B/Ly0qXtyYFu4/uD3SReR2PmWkm98zS/huPUf9AWKmibp2xCanb/dslLr ylplxggEIOz7z9lNloAMAZlOwEy2PhHWNG7nleXBB8sSNizVkpHYbVRq9NRXfz+UTjuK mVANNc/5zqLKnGX438LGnT3a51tgdrHfVQJ2PfISNp7i7z2W10I3ej3oWSfWuAemBjYA 5/TT//lHLKotOBHX0bVkwmmDztREOEI4GRgvfAH9ic4fgNIAL9D5SnA8mEEBCR7XxLGQ +PHzIslYBbU7q9UwWT7k9epsygOVVsPfhb1fYBTfgmrIanokjqAQ1WXmpavNTaOPrqaq q7/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=0I+dGjIRdBHqcUczxBsKQBc2mMQTAW/cvvXCS8KFWpI=; b=jJoVJ7cvgx4XeIcJ+zteazKE94OHcSBezi5OZhUK7bI/oYeppPJTv8k2c8XneXcsC/ 0Gz58KThe5L57cA7nyMDYMf96TOhzCSZ2yRoG/AOxaoUCjEYkVXOcqf7SU1+ed15Owrp qr/IxUfngGPPZuiJIomPd7oVi2/kY+2xiYFxmPSgjmt1w5oiysL0Ndn4C/BakIoWhfHE aByVIk9B0oqaC58WmypOKJS+p6P03Ikn4Eyq44ftCwlyr/wYVuTSRc9/WuesRLNubceZ CORw6YLWwO7F4oaWc607JFhomX7I8n9+5UskYDE+8yGoibGvZie2dg3PEBU1lXghmwOk yPqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c17-20020aa7c751000000b0041d7f725d4fsi1888273eds.619.2022.04.13.12.03.23; Wed, 13 Apr 2022 12:03:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233001AbiDMNpG (ORCPT + 99 others); Wed, 13 Apr 2022 09:45:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53496 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233893AbiDMNpF (ORCPT ); Wed, 13 Apr 2022 09:45:05 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8ED8D6006F; Wed, 13 Apr 2022 06:42:43 -0700 (PDT) Received: from kwepemi500011.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KdkHN2QN1zFpqf; Wed, 13 Apr 2022 21:40:16 +0800 (CST) Received: from kwepemm600015.china.huawei.com (7.193.23.52) by kwepemi500011.china.huawei.com (7.221.188.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Wed, 13 Apr 2022 21:42:41 +0800 Received: from [10.174.176.52] (10.174.176.52) by kwepemm600015.china.huawei.com (7.193.23.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Wed, 13 Apr 2022 21:42:40 +0800 Message-ID: <0b6546f7-8a04-9d6e-50c3-483c8a1a6591@huawei.com> Date: Wed, 13 Apr 2022 21:42:39 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.2.1 Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag To: Lyu Tao , Trond Myklebust , "anna@kernel.org" , "bjschuma@netapp.com" CC: "linux-nfs@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "liuyongqiang13@huawei.com" , "yi.zhang@huawei.com" , "zhangxiaoxu5@huawei.com" References: <20220329113208.2466000-1-chenxiaosong2@huawei.com> <68b65889-3b2c-fb72-a0a8-d0afc15a03e0@huawei.com> From: "chenxiaosong (A)" In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.176.52] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To kwepemm600015.china.huawei.com (7.193.23.52) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org 在 2022/4/13 20:07, Lyu Tao 写道: > > Hi Xiaosong, > > > Thanks for keeping focusing on this bug. > > > I applied this CVE for the NULL dereference bug at > nfs4_valid_open_stateid() and added the following description to this > CVE due to the NFS maintainers replied that to me. > > "An issue was discovered in fs/nfs/dir.c in the Linux kernel before > 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a > regular file, nfs_atomic_open() performs a regular lookup. If a regular > file is found, ENOTDIR should occur, but the server instead returns > uninitialized data in the file descriptor. > > > Actually I'm still confused with the root cause of this bug. In the > original PoC, there is no O_DIRECTORY flag but commit ac795161c936 > mentioned. > > Moreover, in your latest commit ab0fc21bc710, it said "After secondly > opening a file with O_ACCMODE|O_DIRECT flags, nfs4_valid_open_stateid() > will dereference NULL nfs4_state when lseek()." However, the original > PoC opens the file only with O_RDWR|O_CREAT for the first time. > > > Original PoC: > > fd = openat("./file1", o_RDWR|O_CREAT, 000); > > open("./file1", > O_ACCMODE|O_CREAT|O_DIRECT|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC|0xb3000008, > 001); > > lseek(fd, 9, SEEK_HOLE); > > > I'll update this CVE's description after I figure out these. > > > Best Regards, > > Tao > Hi Tao: Yes, O_ACCEMODE is _not_ necessary when fistly open() file. When open() the file secondly, O_ACCEMODE is necessary if we want to reproduce the bug. Waiting for your modification of the CVE's description. Best Regards.