oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: kernel: NULL pointer dereference in nfs4_proc_lock()

From: Josh Bressers <bressers () redhat com>
Date: Thu, 5 Nov 2009 12:23:39 -0500 (EST)
Please use CVE-2009-3726

Thanks.

-- 
    JB

----- "Eugene Teo" <eugeneteo () kernel sg> wrote:


Quote from upstream commit:
"We just had a case in which a buggy server occasionally returns the 
wrong attributes during an OPEN call. While the client does catch this

sort of condition in nfs4_open_done(), and causes the
nfs4_atomic_open() 
to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since
it 
causes a fallback to an ordinary lookup instead of just returning the
error.

When the buggy server then returns a regular file for the fallback 
lookup, the VFS allows the open, and bad things start to happen, since

the open file doesn't have any associated NFSv4 state.

The fix is firstly to return the EISDIR/ENOTDIR errors immediately,
and 
secondly to ensure that we are always careful when dereferencing the 
nfs_open_context state pointer."

Upstream commit:
http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4)

Steps to reproduce the issue/backtraces:
https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0

References:
http://www.spinics.net/linux/lists/linux-nfs/msg03357.html
https://bugzilla.redhat.com/show_bug.cgi?id=529227

Thanks, Eugene
Previous By Date Next
Previous By Thread Next

Current thread: