From: Neil Brown
To: Steve Dickson
Cc: linux-nfs@vger.kernel.org, NeilBrown
Date: Tue, 17 May 2011 14:52:17 +1000
Subject: [PATCH 1/2] Remove risk of nfs_addmntent corrupting mtab
Message-ID: <20110517045217.29020.16140.stgit@notabene.brown>
In-Reply-To: <20110517045125.29020.14596.stgit@notabene.brown>
X-Patchwork-Submitter: NeilBrown
X-Patchwork-Id: 790382

nfs_addmntent is used to append directly to /etc/mtab.
If the write partially fails, e.g. due to RLIMIT_FSIZE,
truncate back to original size and return an error.

See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE

Signed-off-by: NeilBrown --- support/nfs/nfs_mntent.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c index a5216fc..a2118a2 100644 --- a/support/nfs/nfs_mntent.c +++ b/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include /* for index */ #include /* for isdigit */ #include /* for umask */ +#include /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { free(m2); free(m3); free(m4); + if (res >= 0) { + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + } return (res < 0) ? 1 : 0; }
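Review bot: In the hunk at @@ -127,9 +128,11, the result of `ftell(mfp->mntent_fp)` is stored in `length` without a check. ftell returns -1 on error, and that value would later be handed to ftruncate as the size to roll back to. Suggest returning failure when it is negative, the same way the fseek just above it does. ftell also returns a long while `length` is declared off_t, so ftello would match the declared type.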
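Review bot: In the hunk at @@ -143,6 +146,12, the rollback only runs inside `if (res >= 0)`, so when `res` is already negative on entry to that block the file is not truncated back to `length`, even though part of the entry may already have reached the file. Suggest restructuring so the ftruncate covers both failure paths, the earlier negative `res` and the failed fflush. The return value of ftruncate is also ignored; if the truncate fails the partial entry stays in mtab and the caller gets no indication beyond the generic failure return, so checking it and reporting the condition would help.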