linux-hardened/fs/nfsd
Sasha Levin b2ea70afad nfsd: Fix oops when parsing a 0 length export
expkey_parse() oopses when handling a 0 length export. This is easily
triggerable from usermode by writing 0 bytes into
'/proc/[proc id]/net/rpc/nfsd.fh/channel'.

Below is the log:

[ 1402.286893] BUG: unable to handle kernel paging request at ffff880077c49fff
[ 1402.287632] IP: [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632] PGD 2206063 PUD 1fdfd067 PMD 1ffbc067 PTE 8000000077c49160
[ 1402.287632] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1402.287632] CPU 1
[ 1402.287632] Pid: 20198, comm: trinity Not tainted 3.2.0-rc2-sasha-00058-gc65cd37 #6
[ 1402.287632] RIP: 0010:[<ffffffff812b4b99>]  [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632] RSP: 0018:ffff880077f0fd68  EFLAGS: 00010292
[ 1402.287632] RAX: ffff880077c49fff RBX: 00000000ffffffea RCX: 0000000001043400
[ 1402.287632] RDX: 0000000000000000 RSI: ffff880077c4a000 RDI: ffffffff82283de0
[ 1402.287632] RBP: ffff880077f0fe18 R08: 0000000000000001 R09: ffff880000000000
[ 1402.287632] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880077c4a000
[ 1402.287632] R13: ffffffff82283de0 R14: 0000000001043400 R15: ffffffff82283de0
[ 1402.287632] FS:  00007f25fec3f700(0000) GS:ffff88007d400000(0000) knlGS:0000000000000000
[ 1402.287632] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1402.287632] CR2: ffff880077c49fff CR3: 0000000077e1d000 CR4: 00000000000406e0
[ 1402.287632] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1402.287632] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1402.287632] Process trinity (pid: 20198, threadinfo ffff880077f0e000, task ffff880077db17b0)
[ 1402.287632] Stack:
[ 1402.287632]  ffff880077db17b0 ffff880077c4a000 ffff880077f0fdb8 ffffffff810b411e
[ 1402.287632]  ffff880000000000 ffff880077db17b0 ffff880077c4a000 ffffffff82283de0
[ 1402.287632]  0000000001043400 ffffffff82283de0 ffff880077f0fde8 ffffffff81111f63
[ 1402.287632] Call Trace:
[ 1402.287632]  [<ffffffff810b411e>] ? lock_release+0x1af/0x1bc
[ 1402.287632]  [<ffffffff81111f63>] ? might_fault+0x97/0x9e
[ 1402.287632]  [<ffffffff81111f1a>] ? might_fault+0x4e/0x9e
[ 1402.287632]  [<ffffffff81a8bcf2>] cache_do_downcall+0x3e/0x4f
[ 1402.287632]  [<ffffffff81a8c950>] cache_write.clone.16+0xbb/0x130
[ 1402.287632]  [<ffffffff81a8c9df>] ? cache_write_pipefs+0x1a/0x1a
[ 1402.287632]  [<ffffffff81a8c9f8>] cache_write_procfs+0x19/0x1b
[ 1402.287632]  [<ffffffff8118dc54>] proc_reg_write+0x8e/0xad
[ 1402.287632]  [<ffffffff8113fe81>] vfs_write+0xaa/0xfd
[ 1402.287632]  [<ffffffff8114142d>] ? fget_light+0x35/0x9e
[ 1402.287632]  [<ffffffff8113ff8b>] sys_write+0x48/0x6f
[ 1402.287632]  [<ffffffff81bbdb92>] system_call_fastpath+0x16/0x1b
[ 1402.287632] Code: c0 c9 c3 55 48 63 d2 48 89 e5 48 8d 44 32 ff 41 57 41 56 41 55 41 54 53 bb ea ff ff ff 48 81 ec 88 00 00 00 48 89 b5 58 ff ff ff
[ 1402.287632]  38 0a 0f 85 89 02 00 00 c6 00 00 48 8b 3d 44 4a e5 01 48 85
[ 1402.287632] RIP  [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632]  RSP <ffff880077f0fd68>
[ 1402.287632] CR2: ffff880077c49fff
[ 1402.287632] ---[ end trace 368ef53ff773a5e3 ]---

Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Cc: linux-nfs@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2011-12-06 16:18:37 -05:00
acl.h nfsd4: remove outdated pathname-comments 2011-01-04 18:22:10 -05:00
auth.c nfsd: remove pointless paths in file headers 2009-12-15 15:01:47 -05:00
auth.h
cache.h nfsd: turn on reply cache for NFSv4 2011-07-18 09:39:01 -04:00
export.c nfsd: Fix oops when parsing a 0 length export 2011-12-06 16:18:37 -05:00
fault_inject.c NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
fault_inject.h NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
idmap.h nfsd4: return nfs errno from name_to_id functions 2011-01-04 18:22:11 -05:00
Kconfig NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
lockd.c nfsd: Remove deprecated nfsctl system call and related code. 2011-07-15 18:58:42 -04:00
Makefile NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
nfs2acl.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nfs3acl.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nfs3proc.c nfsd41: make sure nfs server process OPEN with EXCLUSIVE4_1 correctly 2011-04-29 20:47:52 -04:00
nfs3xdr.c Merge branch 'for-2.6.40' of git://linux-nfs.org/~bfields/linux 2011-05-29 11:21:12 -07:00
nfs4acl.c fs: add export.h to files using EXPORT_SYMBOL/THIS_MODULE macros 2011-10-31 19:30:31 -04:00
nfs4callback.c nfsd41: use SEQ4_STATUS_BACKCHANNEL_FAULT when cb_sequence is invalid 2011-10-24 04:24:27 -04:00
nfs4idmap.c nfsd: kill unused macro definition 2011-03-07 12:05:09 -05:00
nfs4proc.c nfs41: implement DESTROY_CLIENTID operation 2011-10-24 04:24:30 -04:00
nfs4recover.c nfsd4: stop using nfserr_resource for transitory errors 2011-08-27 14:21:21 -04:00
nfs4state.c nfsd4: Use kmemdup rather than duplicating its implementation 2011-11-25 18:44:22 -05:00
nfs4xdr.c nfsd4: Use kmemdup rather than duplicating its implementation 2011-11-25 18:44:22 -05:00
nfscache.c nfsd: turn on reply cache for NFSv4 2011-07-18 09:39:01 -04:00
nfsctl.c NFSD: Call nfsd4_init_slabs() from init_nfsd() 2011-11-07 21:10:47 -05:00
nfsd.h NFSD: Remove unnecessary whitespace 2011-11-07 21:10:48 -05:00
nfsfh.c nfsd: clean up nfsd_mode_check() 2011-08-26 18:22:48 -04:00
nfsfh.h nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink 2010-10-13 15:48:55 -04:00
nfsproc.c nfsd4: return nfs errno from name_to_id functions 2011-01-04 18:22:11 -05:00
nfssvc.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
nfsxdr.c Fix common misspellings 2011-03-31 11:26:23 -03:00
state.h nfsd4: add a separate (lockowner, inode) lookup 2011-11-15 19:26:08 -05:00
stats.c treewide: fix a few typos in comments 2011-05-10 10:16:21 +02:00
vfs.c nfsd4: warn on open failure after create 2011-10-17 17:50:08 -04:00
vfs.h nfsd4: warn on open failure after create 2011-10-17 17:50:08 -04:00
xdr.h nfsd: remove pointless paths in file headers 2009-12-15 15:01:47 -05:00
xdr3.h nfsd: remove pointless paths in file headers 2009-12-15 15:01:47 -05:00
xdr4.h nfs41: implement DESTROY_CLIENTID operation 2011-10-24 04:24:30 -04:00