Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp774578pxb;
        Wed, 13 Apr 2022 12:03:49 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxWjyuEd+kOmtNG+2j/NixqvjgvxSB4c2r2Z1G9IeruD8xttfI+qx7fplYc4ePZXohAjb9c
X-Received: by 2002:a17:906:2b93:b0:6cf:bb48:5a80 with SMTP id m19-20020a1709062b9300b006cfbb485a80mr39319904ejg.681.1649876628966;
        Wed, 13 Apr 2022 12:03:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649876628; cv=none;
        d=google.com; s=arc-20160816;
        b=pZL3yQhO1B/Ly0qXtyYFu4/uD3SReR2PmWkm98zS/huPUf9AWKmibp2xCanb/dslLr
         ylplxggEIOz7z9lNloAMAZlOwEy2PhHWNG7nleXBB8sSNizVkpHYbVRq9NRXfz+UTjuK
         mVANNc/5zqLKnGX438LGnT3a51tgdrHfVQJ2PfISNp7i7z2W10I3ej3oWSfWuAemBjYA
         5/TT//lHLKotOBHX0bVkwmmDztREOEI4GRgvfAH9ic4fgNIAL9D5SnA8mEEBCR7XxLGQ
         +PHzIslYBbU7q9UwWT7k9epsygOVVsPfhb1fYBTfgmrIanokjqAQ1WXmpavNTaOPrqaq
         q7/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:subject:user-agent:mime-version:date:message-id;
        bh=0I+dGjIRdBHqcUczxBsKQBc2mMQTAW/cvvXCS8KFWpI=;
        b=jJoVJ7cvgx4XeIcJ+zteazKE94OHcSBezi5OZhUK7bI/oYeppPJTv8k2c8XneXcsC/
         0Gz58KThe5L57cA7nyMDYMf96TOhzCSZ2yRoG/AOxaoUCjEYkVXOcqf7SU1+ed15Owrp
         qr/IxUfngGPPZuiJIomPd7oVi2/kY+2xiYFxmPSgjmt1w5oiysL0Ndn4C/BakIoWhfHE
         aByVIk9B0oqaC58WmypOKJS+p6P03Ikn4Eyq44ftCwlyr/wYVuTSRc9/WuesRLNubceZ
         CORw6YLWwO7F4oaWc607JFhomX7I8n9+5UskYDE+8yGoibGvZie2dg3PEBU1lXghmwOk
         yPqw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c17-20020aa7c751000000b0041d7f725d4fsi1888273eds.619.2022.04.13.12.03.23;
        Wed, 13 Apr 2022 12:03:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233001AbiDMNpG (ORCPT <rfc822;jx.jiangxin@gmail.com>
        + 99 others); Wed, 13 Apr 2022 09:45:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53496 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233893AbiDMNpF (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Wed, 13 Apr 2022 09:45:05 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8ED8D6006F;
        Wed, 13 Apr 2022 06:42:43 -0700 (PDT)
Received: from kwepemi500011.china.huawei.com (unknown [172.30.72.54])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KdkHN2QN1zFpqf;
        Wed, 13 Apr 2022 21:40:16 +0800 (CST)
Received: from kwepemm600015.china.huawei.com (7.193.23.52) by
 kwepemi500011.china.huawei.com (7.221.188.124) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 13 Apr 2022 21:42:41 +0800
Received: from [10.174.176.52] (10.174.176.52) by
 kwepemm600015.china.huawei.com (7.193.23.52) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 13 Apr 2022 21:42:40 +0800
Message-ID: <0b6546f7-8a04-9d6e-50c3-483c8a1a6591@huawei.com>
Date:   Wed, 13 Apr 2022 21:42:39 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.2.1
Subject: Re: [PATCH -next 0/2] fix nfsv4 bugs of opening with O_ACCMODE flag
To:     Lyu Tao <tao.lyu@epfl.ch>,
        Trond Myklebust <trond.myklebust@hammerspace.com>,
        "anna@kernel.org" <anna@kernel.org>,
        "bjschuma@netapp.com" <bjschuma@netapp.com>
CC:     "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "liuyongqiang13@huawei.com" <liuyongqiang13@huawei.com>,
        "yi.zhang@huawei.com" <yi.zhang@huawei.com>,
        "zhangxiaoxu5@huawei.com" <zhangxiaoxu5@huawei.com>
References: <20220329113208.2466000-1-chenxiaosong2@huawei.com>
 <68b65889-3b2c-fb72-a0a8-d0afc15a03e0@huawei.com>
 <e0c2d7ec62b447cabddbc8a9274be955@epfl.ch>
From:   "chenxiaosong (A)" <chenxiaosong2@huawei.com>
In-Reply-To: <e0c2d7ec62b447cabddbc8a9274be955@epfl.ch>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.174.176.52]
X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To
 kwepemm600015.china.huawei.com (7.193.23.52)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org


在 2022/4/13 20:07, Lyu Tao 写道:
> 
> Hi Xiaosong,
> 
> 
> Thanks for keeping focusing on this bug.
> 
> 
> I applied this CVE for the NULL dereference bug at 
> nfs4_valid_open_stateid() and added the following description to this 
> CVE due to the NFS maintainers replied that to me.
> 
> "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 
> 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a 
> regular file, nfs_atomic_open() performs a regular lookup. If a regular 
> file is found, ENOTDIR should occur, but the server instead returns 
> uninitialized data in the file descriptor.
> 
> 
> Actually I'm still confused with the root cause of this bug. In the 
> original PoC, there is no O_DIRECTORY flag but commit ac795161c936 
> mentioned.
> 
> Moreover, in your latest commit ab0fc21bc710, it said "After secondly 
> opening a file with O_ACCMODE|O_DIRECT flags, nfs4_valid_open_stateid() 
> will dereference NULL nfs4_state when lseek()." However, the original 
> PoC opens the file only with O_RDWR|O_CREAT for the first time.
> 
> 
> Original PoC:
> 
> fd = openat("./file1", o_RDWR|O_CREAT, 000);
> 
> open("./file1", 
> O_ACCMODE|O_CREAT|O_DIRECT|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC|0xb3000008, 
> 001);
> 
> lseek(fd, 9, SEEK_HOLE);
> 
> 
> I'll update this CVE's description after I figure out these.
> 
> 
> Best Regards,
> 
> Tao
> 

Hi Tao:

Yes, O_ACCEMODE is _not_ necessary when fistly open() file.

When open() the file secondly, O_ACCEMODE is necessary if we want to 
reproduce the bug.

Waiting for your modification of the CVE's description.

Best Regards.