Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

From: Dave Jones
Date: Wed Mar 01 2006 - 23:37:13 EST

Next message: Andrew Morton: "Re: [PATCH 3/4] map multiple blocks for mpage_readpages()"
Previous message: Andrew Morton: "Re: + proc-dont-lock-task_structs-indefinitely-cpuset-fix-2.patchadded to -mm tree"
Next in thread: Chris Wright: "Re: [stable] Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ------------------
>
> This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
> NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
>
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
>
> fs/nfs/direct.c | 5 +++++
> 1 files changed, 5 insertions(+)
>
> --- linux-2.6.15.4.orig/fs/nfs/direct.c
> +++ linux-2.6.15.4/fs/nfs/direct.c
> @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
> result = get_user_pages(current, current->mm, user_addr,
> page_count, (rw == READ), 0,
> *pages, NULL);
> + if (result >= 0 && result < page_count) {
> + nfs_free_user_pages(*pages, result, 0);
> + *pages = NULL;
> + result = -EFAULT;
> + }
> up_read(&current->mm->mmap_sem);
> }
> return result;

Also broken in 2.6.15.5 it seems :-/

fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here

Some function juggling should do the trick.

Signed-off-by: Dave Jones <davej@xxxxxxxxxx>

--- linux-2.6.15/fs/nfs/direct.c~ 2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c 2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
error; /* any reported error */
};

+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+ int i;
+ for (i = 0; i < npages; i++) {
+ if (do_dirty)
+ set_page_dirty_lock(pages[i]);
+ page_cache_release(pages[i]);
+ }
+ kfree(pages);
+}

/**
* nfs_get_user_pages - find and set up pages underlying user's buffer
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
}

/**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
- int i;
- for (i = 0; i < npages; i++) {
- if (do_dirty)
- set_page_dirty_lock(pages[i]);
- page_cache_release(pages[i]);
- }
- kfree(pages);
-}
-
-/**
* nfs_direct_req_release - release nfs_direct_req structure for direct read
* @kref: kref object embedded in an nfs_direct_req structure
*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [PATCH 3/4] map multiple blocks for mpage_readpages()"
Previous message: Andrew Morton: "Re: + proc-dont-lock-task_structs-indefinitely-cpuset-fix-2.patchadded to -mm tree"
Next in thread: Chris Wright: "Re: [stable] Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]