From patchwork Sun Sep 24 16:59:40 2017
X-Patchwork-Submitter: Meng Xu
X-Patchwork-Id: 9968091
From: Meng Xu
To: bfields@fieldses.org, jlayton@poochiereds.net, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: meng.xu@gatech.edu, sanidhya@gatech.edu, taesoo@gatech.edu, Meng Xu
Subject: [PATCH] nfsd4: ensure cm_xid does not change across userspace fetches
Date: Sun, 24 Sep 2017 12:59:40 -0400
Message-Id: <1506272380-17769-1-git-send-email-mengxu.gatech@gmail.com>
X-Mailer: git-send-email 2.7.4

cld_pipe_downcall() has two fetches from an overlapped userspace memory.

The first fetch, copy_from_user(&xid, &cmsg->cm_xid, sizeof(xid)), gets the xid and uses xid to look up the parent struct cld_upcall *cup.

The second fetch, copy_from_user(&cup->cu_msg, src, mlen), places the whole message into &cup->cu_msg.

Since the userspace thread has full control over this &cmsg->cm_xid, it can race to change the cm_xid value across the two fetches (say, change from 1 to 2), therefore de-listing the cup with cu_msg.cm_xid == 1 but later putting cu_msg.cm_xid = 2.

Whether this double-fetch situation is a security-critical bug depends on how cup->cu_msg is used later. However, given that it is hard to enumerate all the possible use cases, a safer way might be to ensure that the xid does not change across the fetches, which is what this patch is for.

Signed-off-by: Meng Xu
---
 fs/nfsd/nfs4recover.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 66eaeb1..1abe9ed 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -753,6 +753,11 @@ cld_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) if (copy_from_user(&cup->cu_msg, src, mlen) != 0) return -EFAULT; + /* ensure that the xid has not been changed */ + if (cup->cu_msg.cm_xid != xid) { + return -EFAULT; + } + wake_up_process(cup->cu_task); return mlen; }
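Review bot: the new check in this hunk returns before wake_up_process(cup->cu_task), so on a mismatch the cup, which the commit message says has already been de-listed by the xid lookup, is neither put back nor woken, and the task waiting on it gets no notification from this path; the existing copy_from_user failure return just above has the same shape, but this patch adds a second such early exit for a condition that userspace fully controls. Rather than rejecting the message, consider making the already-fetched xid authoritative by overwriting the copied field after the second copy, e.g. `cup->cu_msg.cm_xid = xid;`, which removes the second fetch's influence on cm_xid entirely and needs no new error path. If the reject is kept, -EFAULT is the code for a bad user address; an xid that does not match the one just looked up is an inconsistent message, so -EINVAL is the more accurate return. Style: the braces around the single-statement if body are not needed in kernel style and checkpatch will warn about them.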