android_kernel_oneplus_msm8998/fs/nfs
Dave Wysochanski ba195a931a NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.

In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
is a stack char array variable of length NFS_UINT_MAXLEN == 11.
If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
overflows into a negative value, for example:
crash> p (unsigned) (0x80000000)
$1 = 2147483648
crash> p (signed) (0x80000000)
$2 = -2147483648
The '-' sign is written to the buffer and this causes a 1 byte overflow
when the NULL byte is written, which corrupts kernel stack memory.  If
CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:

[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
[11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
[11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
[11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
[11558053.650107] Call Trace:
[11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
[11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
[11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
[11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
[11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
[11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
[11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
[11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
[11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b

Fix this by calling the internally defined nfs_map_numeric_to_string()
function which properly uses '%u' to convert this __u32.  For consistency,
also replace the one other place where snprintf is called.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reported-by: Stephen Johnston <sjohnsto@redhat.com>
Fixes: cf4ab538f1 ("NFSv4: Fix the string length returned by the idmapper")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-03 11:21:34 +02:00
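The sizing arithmetic the commit message describes, as an added example that is not code from the kernel tree or from this commit. NFS_UINT_MAXLEN (11, enough for "4294967295" plus the NUL) is the real kernel constant; the function names are mine, and the "before" length is measured with snprintf(NULL, 0, ...) rather than by overflowing a real stack array, so the program runs safely. It also shows the boundary the message only implies: only ids whose signed rendering has ten digits (0x80000000 through 0xc4653600, i.e. -2147483648 through -1000000000) write one byte past the buffer; larger ids such as 0xffffffff print as "-1", which is a wrong id but not a stack corruption.

```c
/*
 * Added example (not kernel code): the sizing arithmetic behind the fix.
 * NFS_UINT_MAXLEN is the real kernel constant; the function names below are
 * mine. Lengths are measured with snprintf(NULL, 0, ...) so nothing here
 * actually overflows a buffer.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NFS_UINT_MAXLEN 11   /* strlen("4294967295") + 1, as in the kernel */

/* Bytes the pre-fix sprintf("%d") writes for a __u32 id, NUL included.
 * The cast reproduces the signed reinterpretation the old format caused. */
static int vulnerable_len(uint32_t id)
{
    return snprintf(NULL, 0, "%d", (int)id) + 1;
}

/* Bytes the post-fix "%u" conversion writes, NUL included. */
static int fixed_len(uint32_t id)
{
    return snprintf(NULL, 0, "%u", id) + 1;
}

/* How many bytes past an NFS_UINT_MAXLEN buffer a write of len bytes lands. */
static int overflow_bytes(int len)
{
    return len > NFS_UINT_MAXLEN ? len - NFS_UINT_MAXLEN : 0;
}

/* Shape of the fixed path: format into a caller-sized buffer with "%u"
 * and return the resulting string length (excluding NUL). */
static int map_numeric_to_string(uint32_t id, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "%u", id);
}

/* Converts id into an NFS_UINT_MAXLEN buffer and checks the result; returns
 * 1 when the text matches and fits, 0 otherwise. */
static int fixed_conversion_ok(uint32_t id, const char *expect)
{
    char id_str[NFS_UINT_MAXLEN];
    int n = map_numeric_to_string(id, id_str, sizeof id_str);

    return n >= 0 && (size_t)n < sizeof id_str && strcmp(id_str, expect) == 0;
}

int main(void)
{
    /* Constructed sample ids: zero, INT_MAX, INT_MIN, -1000000000, UINT_MAX. */
    const uint32_t ids[] = { 0, 0x7fffffffu, 0x80000000u, 0xc4653600u, 0xffffffffu };
    size_t i;

    for (i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int old = vulnerable_len(ids[i]), fixed = fixed_len(ids[i]);

        printf("id=%-10u  %%d needs %2d bytes (overflow %d)  %%u needs %2d bytes (overflow %d)\n",
               ids[i], old, overflow_bytes(old), fixed, overflow_bytes(fixed));
    }
    return 0;
}
```

The "%u" path never exceeds 11 bytes for any 32-bit value, which is exactly why routing every conversion through one helper (as the fix does) is safer than auditing each format string separately.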
blocklayout nfs/blocklayout: Fix bad using of page offset in bl_read_pagelist 2015-10-21 15:55:47 -05:00
filelayout NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success. 2017-01-19 20:17:22 +01:00
flexfilelayout pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() 2018-04-13 19:50:10 +02:00
objlayout osd fs: __r4w_get_page rely on PageUptodate for uptodate 2015-12-12 10:15:34 -08:00
cache_lib.c NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
cache_lib.h NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
callback.c NFSv4.x: hide array-bounds warning 2016-12-02 09:09:01 +01:00
callback.h NFS: Remove the left function defines in callback.h 2015-10-21 15:49:22 -05:00
callback_proc.c NFS: Remove unneeded NFS_DEBUG checking before define NFSDBG_FACILITY 2015-10-21 15:49:23 -05:00
callback_xdr.c NFS: Don't drop CB requests with invalid principals 2016-10-07 15:23:45 +02:00
client.c nfs: get clone_blksize when probing fsinfo 2015-10-15 16:08:18 -04:00
delegation.c NFSv4: nfs4_copy_delegation_stateid() must fail if the delegation is invalid 2016-10-28 03:01:31 -04:00
delegation.h NFSv4: Recovery of recalled read delegations is broken 2015-09-20 22:34:16 -04:00
dir.c NFS: Fix a typo in nfs_rename() 2017-12-16 10:33:55 +01:00
direct.c NFS: Fix an incorrect type in struct nfs_direct_req 2018-03-18 11:17:52 +01:00
dns_resolve.c NFS: Enabling v4.2 should not recompile nfsd and lockd 2013-11-19 16:20:40 -05:00
dns_resolve.h NFS: DNS resolver cache per network namespace context introduced 2012-01-31 18:20:26 -05:00
file.c nfs_write_end(): fix handling of short copies 2017-01-09 08:07:52 +01:00
fscache-index.c NFS: Fabricate fscache server index key correctly 2014-09-25 21:25:18 -04:00
fscache.c nfs: define nfs_inc_fscache_stats and using it as possible 2014-11-24 20:08:47 -05:00
fscache.h NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
getroot.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
inode.c NFS: only invalidate dentrys that are clearly invalid. 2017-07-27 15:06:08 -07:00
internal.h NFS: Fix 2 use after free issues in the I/O code 2017-09-13 14:09:46 -07:00
iostat.h nfs: define nfs_inc_fscache_stats and using it as possible 2014-11-24 20:08:47 -05:00
Kconfig pnfs/blocklayout: require 64-bit sector_t 2017-08-16 13:40:30 -07:00
Makefile NFS: Rename idmap.c to nfs4idmap.c 2015-04-23 15:16:14 -04:00
mount_clnt.c NFS: Remove unneeded NFS_DEBUG checking before define NFSDBG_FACILITY 2015-10-21 15:49:23 -05:00
namespace.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
netns.h pnfs/blocklayout: serialize GETDEVICEINFO calls 2014-11-12 14:22:52 -05:00
nfs.h NFS: Convert v4 into a module 2012-07-30 19:06:52 -04:00
nfs2super.c NFS: Convert v2 into a module 2012-07-30 19:06:41 -04:00
nfs2xdr.c nfs: save server READ/WRITE/COMMIT status 2015-02-03 11:06:40 -08:00
nfs3_fs.h nfsv3: introduce nfs3_set_ds_client 2015-02-03 11:06:34 -08:00
nfs3acl.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
nfs3client.c nfs: set hostname when creating nfsv3 ds connection 2015-02-03 11:06:38 -08:00
nfs3proc.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
nfs3super.c nfsv3: introduce nfs3_set_ds_client 2015-02-03 11:06:34 -08:00
nfs3xdr.c xprtrdma: Fix large NFS SYMLINK calls 2015-08-05 16:21:28 -04:00
nfs4_fs.h NFSv4: Refactor NFSv4 error handling 2015-10-08 10:45:51 -04:00
nfs4client.c NFSv4.1 respect server's max size in CREATE_SESSION 2017-12-20 10:04:57 +01:00
nfs4file.c nfs: use file_dentry() 2016-04-20 15:42:13 +09:00
nfs4getroot.c nfs: Remove invalid NFS_ATTR_FATTR_V4_REFERRAL checking in nfs4_get_rootfh 2015-07-01 11:31:22 -04:00
nfs4idmap.c NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message 2018-07-03 11:21:34 +02:00
nfs4idmap.h NFS: Move nfs_idmap.h into fs/nfs/ 2015-04-23 15:16:14 -04:00
nfs4namespace.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
nfs4proc.c NFSv4: always set NFS_LOCK_LOST when a lock is lost. 2018-05-30 07:48:52 +02:00
nfs4renewd.c NFSv4.1: Fix an NFSv4.1 state renewal regression 2014-09-30 17:18:42 -04:00
nfs4session.c NFSv4.1: Don't set up a backchannel if the server didn't agree to do so 2015-02-18 12:30:47 -08:00
nfs4session.h NFSv4.1: Clear the old state by our client id before establishing a new lease 2015-03-03 21:52:30 -05:00
nfs4state.c NFSv4: always set NFS_LOCK_LOST when a lock is lost. 2018-05-30 07:48:52 +02:00
nfs4super.c NFS: Move nfs_idmap.h into fs/nfs/ 2015-04-23 15:16:14 -04:00
nfs4sysctl.c nfs: Do not convert nfs_idmap_cache_timeout to jiffies 2018-05-30 07:48:53 +02:00
nfs4trace.c NFSv4.1: Add tracepoints for debugging slot table operations 2013-08-22 08:58:27 -04:00
nfs4trace.h NFS: Fix a tracepoint NULL-pointer dereference 2015-10-06 18:56:25 -04:00
nfs4xdr.c NFSv4: fix getacl head length estimation 2017-03-12 06:37:30 +01:00
nfs42.h nfs42: add CLONE proc functions 2015-10-15 16:07:36 -04:00
nfs42proc.c NFSv4.2: Fix a reference leak in nfs42_proc_layoutstats_generic 2016-10-28 03:01:31 -04:00
nfs42xdr.c nfs42: add CLONE xdr functions 2015-10-15 16:07:21 -04:00
nfsroot.c nfsroot: make nfsroot to accept the 1024 bytes long directory name 2015-10-21 15:49:19 -05:00
nfstrace.c NFSv4: Allow tracing of NFSv4 fsync calls 2015-03-27 12:39:34 -04:00
nfstrace.h NFS: fix the handling of NFS_INO_INVALID_DATA flag in nfs_revalidate_mapping 2014-01-27 15:35:56 -05:00
pagelist.c NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete() 2018-03-24 10:58:42 +01:00
pnfs.c nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds 2018-02-16 20:09:41 +01:00
pnfs.h NFS41: make close wait for layoutreturn 2015-09-23 08:55:32 -04:00
pnfs_dev.c NFSv4.1: Don't cache deviceids that have no notifications 2015-03-27 12:32:24 -04:00
pnfs_nfs.c NFS41: fix list splice type 2015-08-20 13:43:53 -05:00
proc.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
read.c NFSv4.1/pnfs: Retry through MDS when getting bad length of data 2015-10-21 15:55:47 -05:00
super.c fs: Teach path_connected to handle nfs filesystems with multiple roots. 2018-03-22 09:23:31 +01:00
symlink.c don't pass nameidata to ->follow_link() 2015-05-10 22:20:15 -04:00
sysctl.c nfs: convert use of typedef ctl_table to struct ctl_table 2014-06-06 16:08:16 -07:00
unlink.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
write.c NFS: Add a cond_resched() to nfs_commit_release_pages() 2018-02-16 20:09:42 +01:00