[1/2] Remove risk of nfs_addmntent corrupting mtab
diff mbox

Message ID 20110517045217.29020.16140.stgit@notabene.brown
State New, archived
Headers show

Commit Message

NeilBrown May 17, 2011, 4:52 a.m. UTC
nfs_addmntent is used to append directly to /etc/mtab.
If the write partially fail, e.g. due to RLIMIT_FSIZE,
truncate back to original size and return an error.

See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
 (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE

Signed-off-by: NeilBrown <neilb@suse.de>
---

 support/nfs/nfs_mntent.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Chuck Lever May 17, 2011, 1:45 p.m. UTC | #1
On May 17, 2011, at 12:52 AM, Neil Brown wrote:

> nfs_addmntent is used to append directly to /etc/mtab.
> If the write partially fail, e.g. due to RLIMIT_FSIZE,
> truncate back to original size and return an error.
> 
> See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
> (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE

Seems reasonable.  Is there a similar fix needed for libmount?

> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
> 
> support/nfs/nfs_mntent.c |    9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
> 
> diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
> index a5216fc..a2118a2 100644
> --- a/support/nfs/nfs_mntent.c
> +++ b/support/nfs/nfs_mntent.c
> @@ -12,6 +12,7 @@
> #include <string.h>		/* for index */
> #include <ctype.h>		/* for isdigit */
> #include <sys/stat.h>		/* for umask */
> +#include <unistd.h>		/* for ftruncate */
> 
> #include "nfs_mntent.h"
> #include "nls.h"
> @@ -127,9 +128,11 @@ int
> nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
> 	char *m1, *m2, *m3, *m4;
> 	int res;
> +	off_t length;
> 
> 	if (fseek (mfp->mntent_fp, 0, SEEK_END))
> 		return 1;			/* failure */
> +	length = ftell(mfp->mntent_fp);
> 
> 	m1 = mangle(mnt->mnt_fsname);
> 	m2 = mangle(mnt->mnt_dir);
> @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
> 	free(m2);
> 	free(m3);
> 	free(m4);
> +	if (res >= 0) {
> +		res = fflush(mfp->mntent_fp);
> +		if (res < 0)
> +			/* Avoid leaving a corrupt mtab file */
> +			ftruncate(fileno(mfp->mntent_fp), length);
> +	}
> 	return (res < 0) ? 1 : 0;
> }
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steve Dickson May 23, 2011, 12:26 p.m. UTC | #2
On 05/17/2011 12:52 AM, Neil Brown wrote:
> nfs_addmntent is used to append directly to /etc/mtab.
> If the write partially fail, e.g. due to RLIMIT_FSIZE,
> truncate back to original size and return an error.
> 
> See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
>  (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
> 
> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
> 
>  support/nfs/nfs_mntent.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)
> 
> diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
> index a5216fc..a2118a2 100644
> --- a/support/nfs/nfs_mntent.c
> +++ b/support/nfs/nfs_mntent.c
> @@ -12,6 +12,7 @@
>  #include <string.h>		/* for index */
>  #include <ctype.h>		/* for isdigit */
>  #include <sys/stat.h>		/* for umask */
> +#include <unistd.h>		/* for ftruncate */
>  
>  #include "nfs_mntent.h"
>  #include "nls.h"
> @@ -127,9 +128,11 @@ int
>  nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
>  	char *m1, *m2, *m3, *m4;
>  	int res;
> +	off_t length;
>  
>  	if (fseek (mfp->mntent_fp, 0, SEEK_END))
>  		return 1;			/* failure */
> +	length = ftell(mfp->mntent_fp);
>  
>  	m1 = mangle(mnt->mnt_fsname);
>  	m2 = mangle(mnt->mnt_dir);
> @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
>  	free(m2);
>  	free(m3);
>  	free(m4);
> +	if (res >= 0) {
> +		res = fflush(mfp->mntent_fp);
> +		if (res < 0)
> +			/* Avoid leaving a corrupt mtab file */
> +			ftruncate(fileno(mfp->mntent_fp), length);
> +	}
>  	return (res < 0) ? 1 : 0;
>  }
>  
> 
> 
Committed...

steved.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
index a5216fc..a2118a2 100644
--- a/support/nfs/nfs_mntent.c
+++ b/support/nfs/nfs_mntent.c
@@ -12,6 +12,7 @@ 
 #include <string.h>		/* for index */
 #include <ctype.h>		/* for isdigit */
 #include <sys/stat.h>		/* for umask */
+#include <unistd.h>		/* for ftruncate */
 
 #include "nfs_mntent.h"
 #include "nls.h"
@@ -127,9 +128,11 @@  int
 nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
 	char *m1, *m2, *m3, *m4;
 	int res;
+	off_t length;
 
 	if (fseek (mfp->mntent_fp, 0, SEEK_END))
 		return 1;			/* failure */
+	length = ftell(mfp->mntent_fp);
 
 	m1 = mangle(mnt->mnt_fsname);
 	m2 = mangle(mnt->mnt_dir);
@@ -143,6 +146,12 @@  nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
 	free(m2);
 	free(m3);
 	free(m4);
+	if (res >= 0) {
+		res = fflush(mfp->mntent_fp);
+		if (res < 0)
+			/* Avoid leaving a corrupt mtab file */
+			ftruncate(fileno(mfp->mntent_fp), length);
+	}
 	return (res < 0) ? 1 : 0;
 }