problems with nfsd dentry validation

Bill Hawes (whawes@star.net)
Sun, 17 Aug 1997 11:22:10 -0400


After looking further into the nfsd dentry validation, I don't see how
this can be safe against potentially malicious clients. Consider these
cases:

(1) Server has valid dentry and has bumped the use count so it can't
disappear locally. Client modifies packet to install a bogus dentry
pointer. Server calls d_validate, finds that the dentry doesn't exist
and returns error. But the dentry count has now leaked -- I don't see
how the server can do an eventual dput() to release the original dentry.

(2) As in case (1), but malicious client remembers dentry pointers from
previous transactions, and changes the current dentry pointer to a
previously good one. Server calls d_validate, and sometimes the
inserted pointer is still valid. Server processes call, but there's now
an extra reference to a dentry. Eventual dput() corrupts the dentry
tree.

Also, there's a problem with the fh_copy routine, which can add a
reference to a dentry. (i.e. if dvalidate is set, doing a fh_copy adds
a reference to the dentry without doing a dget().)

Regards,
Bill
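As an added illustration of the two cases described in the message (a toy model written for this page, not nfsd or kernel code), the following C models a refcounted dentry table, a file handle that carries the raw dentry pointer across the wire, and a validate-then-dput service path. The names dget, dput and d_validate mirror the message; the dcache array, fh_issue and fh_service are assumptions of the model.

```c
/* Toy model of the scenario in the message; not kernel code. A file handle
 * carries a raw dentry pointer, and the server trusts the pointer it gets back. */
#define NDENTRIES 3
struct dentry { const char *name; int d_count; };
static struct dentry dcache[NDENTRIES] = { { "a", 0 }, { "b", 0 }, { "c", 0 } };

static void dget(struct dentry *d) { d->d_count++; }
static void dput(struct dentry *d) { d->d_count--; }
static void reset_dcache(void) { for (int i = 0; i < NDENTRIES; i++) dcache[i].d_count = 0; }

/* d_validate: accept only a pointer that names one of our live dentries. */
static int d_validate(const struct dentry *p) {
    for (int i = 0; i < NDENTRIES; i++) if (&dcache[i] == p) return 1;
    return 0;
}

struct fh { struct dentry *dentry; };   /* what crosses the wire */

/* Issuing a handle pins the dentry and exposes its address to the client. */
static struct fh fh_issue(struct dentry *d) { dget(d); return (struct fh){ d }; }

/* Servicing the returned handle: validate, do the work, release the pin.
 * The only record of which dentry was pinned is the client-supplied pointer. */
static int fh_service(struct fh h) {
    if (!d_validate(h.dentry)) return 0;   /* error path: nothing to dput() */
    dput(h.dentry);                        /* releases whatever the client named */
    return 1;
}

/* Case (1): client clobbers the pointer; the pin on "a" is never dropped. */
static int case1_leaked_count(void) {
    reset_dcache();
    struct fh h = fh_issue(&dcache[0]);
    struct dentry bogus = { "bogus", 0 };   /* constructed: not in the dcache */
    h.dentry = &bogus;
    fh_service(h);                          /* fails validation, returns error */
    return dcache[0].d_count;               /* 1: reference leaked */
}

/* Case (2): client replays a pointer from an earlier, completed transaction. */
static int case2_counts(int *a_count, int *b_count) {
    reset_dcache();
    struct fh old = fh_issue(&dcache[1]);  /* earlier request on "b" */
    fh_service(old);                       /* "b" back to 0, still a valid dentry */
    struct fh h = fh_issue(&dcache[0]);    /* current request on "a" */
    h.dentry = &dcache[1];                 /* replayed pointer passes d_validate */
    int ok = fh_service(h);
    *a_count = dcache[0].d_count;          /* 1: "a" leaked */
    *b_count = dcache[1].d_count;          /* -1: "b" over-released */
    return ok;                             /* 1: request was accepted */
}
```

The model shows why validating the pointer is not enough: once the only record of the pinned dentry is the value the client sends back, a failed validation leaks the pin and a replayed pointer misdirects the dput().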