Red Hat Bugzilla – Attachment 361856 Details for
Bug 524520
CVE-2009-3286 kernel: O_EXCL creates on NFSv4 are broken
[patch]
Proposed patch
bz522163.patch (text/plain), 7.58 KB, created by
Eugene Teo (Security Response)
on 2009-09-21 03:12:39 UTC
Description:
Proposed patch
Filename:
MIME Type:
Creator:
Eugene Teo (Security Response)
Created:
2009-09-21 03:12:39 UTC
Size:
7.58 KB
>-------------------------------------------------------------------------------
>bz-522163-nfsd4-turn-nfsd4_ope
>-------------------------------------------------------------------------------
>BZ#522163: nfsd4: turn nfsd4_open struct's iattr/verf union into separate fields
>
>From: Jeff Layton <jlayton@redhat.com>
>
>(backported from commit 79fb54abd285b442e1f30f851902f3ddf58e7704)
>
>nfsd4_open has a union that's used to store the verifier for exclusive
>creates and the inode attributes for other create modes. The nfsd code
>however, will sometimes reference fields in the iattr portion of the
>union even for exclusive creates.
>
>Upstream has separated this union into two fields as part of the NFSv4.1
>merge, and I believe that fixed this bug there.
>
>Signed-off-by: Jeff Layton <jlayton@redhat.com>
>---
>
> include/linux/nfsd/xdr4.h | 10 ++++------
> 1 files changed, 4 insertions(+), 6 deletions(-)
>
>
>diff --git a/include/linux/nfsd/xdr4.h b/include/linux/nfsd/xdr4.h
>index f894f04..0426106 100644
>--- a/include/linux/nfsd/xdr4.h
>+++ b/include/linux/nfsd/xdr4.h
>@@ -201,10 +201,8 @@ struct nfsd4_open {
> u32 op_create; /* request */
> u32 op_createmode; /* request */
> u32 op_bmval[2]; /* request */
>- union { /* request */
>- struct iattr iattr; /* UNCHECKED4,GUARDED4 */
>- nfs4_verifier verf; /* EXCLUSIVE4 */
>- } u;
>+ struct iattr iattr; /* UNCHECKED4,GUARDED4 */
>+ nfs4_verifier verf; /* EXCLUSIVE4 */
> clientid_t op_clientid; /* request */
> struct xdr_netobj op_owner; /* request */
> u32 op_seqid; /* request */
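Review bot: Splitting the union in `struct nfsd4_open` leaves `iattr` with no defined contents for an EXCLUSIVE4 open unless the decoder initialises it, and nothing in this hunk or the rest of the attachment shows that initialisation. The call in do_open_lookup() visible later in the attachment passes `&open->op_iattr` to nfsd_create_v3() alongside `open->op_createmode`, and nfsd_create_v3() hands `iap->ia_mode` to vfs_create(), so stale attribute bytes would still reach the create path instead of verifier bytes. The decode path (not shown) should clear the attributes before the createmode switch, for example `open->op_iattr.ia_valid = 0;`. If it already does, the field comment could record that: `/* UNCHECKED4,GUARDED4; cleared by the decoder for EXCLUSIVE4 */`.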
>@@ -218,8 +216,8 @@ struct nfsd4_open {
> struct nfs4_stateowner *op_stateowner; /* used during processing */
> struct nfs4_acl *op_acl;
> };
>-#define op_iattr u.iattr
>-#define op_verf u.verf
>+#define op_iattr iattr
>+#define op_verf verf
>
> struct nfsd4_open_confirm {
> stateid_t oc_req_stateid /* request */;
>-------------------------------------------------------------------------------
>bz-522163-nfsd4-reindent-do_op
>-------------------------------------------------------------------------------
>BZ#522163: nfsd4: reindent do_open_lookup()
>
>From: J. Bruce Fields <bfields@fieldses.org>
>
>Minor rearrangement, cleanup of do_open_lookup(). No change in behavior.
>
>Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
>Acked-by: Neil Brown <neilb@suse.de>
>Cc: Jeff Garzik <jeff@garzik.org>
>Signed-off-by: Andrew Morton <akpm@osdl.org>
>Signed-off-by: Linus Torvalds <torvalds@osdl.org>
>---
>
> fs/nfsd/nfs4proc.c | 21 ++++++++++-----------
> 1 files changed, 10 insertions(+), 11 deletions(-)
>
>
>diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
>index 3740220..075937a 100644
>--- a/fs/nfsd/nfs4proc.c
>+++ b/fs/nfsd/nfs4proc.c
>@@ -121,21 +121,20 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
> open->op_fname.data, open->op_fname.len, &resfh);
> fh_unlock(current_fh);
> }
>+ if (status)
>+ goto out;
>
>- if (!status) {
>- set_change_info(&open->op_cinfo, current_fh);
>+ set_change_info(&open->op_cinfo, current_fh);
>
>- /* set reply cache */
>- fh_dup2(current_fh, &resfh);
>- open->op_stateowner->so_replay.rp_openfh_len =
>- resfh.fh_handle.fh_size;
>- memcpy(open->op_stateowner->so_replay.rp_openfh,
>- &resfh.fh_handle.fh_base,
>- resfh.fh_handle.fh_size);
>+ /* set reply cache */
>+ fh_dup2(current_fh, &resfh);
>+ open->op_stateowner->so_replay.rp_openfh_len = resfh.fh_handle.fh_size;
>+ memcpy(open->op_stateowner->so_replay.rp_openfh,
>+ &resfh.fh_handle.fh_base, resfh.fh_handle.fh_size);
>
>- status = do_open_permission(rqstp, current_fh, open, MAY_NOP);
>- }
>+ status = do_open_permission(rqstp, current_fh, open, MAY_NOP);
>
>+out:
> fh_put(&resfh);
> return status;
> }
>-------------------------------------------------------------------------------
>bz-522163-nfsd4-fix-open-creat
>-------------------------------------------------------------------------------
>BZ#522163: nfsd4: fix open-create permissions
>
>From: J. Bruce Fields <bfields@fieldses.org>
>
>In the case where an open creates the file, we shouldn't be rechecking
>permissions to open the file; the open succeeds regardless of what the new
>file's mode bits say.
>
>This patch fixes the problem, but only by introducing yet another parameter
>to nfsd_create_v3. This is ugly. This will be fixed by later patches.
>
>Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
>Acked-by: Neil Brown <neilb@suse.de>
>Cc: Jeff Garzik <jeff@garzik.org>
>Signed-off-by: Andrew Morton <akpm@osdl.org>
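Review bot: The re-indented `memcpy()` into `so_replay.rp_openfh` in do_open_lookup() (the `@@ -121,21` hunk of fs/nfsd/nfs4proc.c) takes its length from `resfh.fh_handle.fh_size`, and the destination's capacity is not visible anywhere in the hunk. Presumably the array is sized for NFS4_FHSIZE, the limit `resfh` is initialised with in a later hunk, but the copy relies on that silently. Since the lines are being touched anyway, I would replace the terse `/* set reply cache */` with a comment that states the invariant, e.g. `/* save the filehandle in the replay cache; rp_openfh holds NFS4_FHSIZE bytes and fh_size cannot exceed it */`. The function begins outside the hunk, so the bound on `fh_size` should be confirmed there.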
>Signed-off-by: Linus Torvalds <torvalds@osdl.org>
>---
>
> fs/nfsd/nfs3proc.c | 2 +-
> fs/nfsd/nfs4proc.c | 6 ++++--
> fs/nfsd/vfs.c | 4 +++-
> include/linux/nfsd/nfsd.h | 2 +-
> 4 files changed, 9 insertions(+), 5 deletions(-)
>
>
>diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
>index 7d47c16..ebb0464 100644
>--- a/fs/nfsd/nfs3proc.c
>+++ b/fs/nfsd/nfs3proc.c
>@@ -256,7 +256,7 @@ nfsd3_proc_create(struct svc_rqst *rqstp, struct nfsd3_createargs *argp,
> /* Now create the file and set attributes */
> nfserr = nfsd_create_v3(rqstp, dirfhp, argp->name, argp->len,
> attr, newfhp,
>- argp->createmode, argp->verf, NULL);
>+ argp->createmode, argp->verf, NULL, NULL);
>
> RETURN_STATUS(nfserr);
> }
>diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
>index 075937a..0d4e647 100644
>--- a/fs/nfsd/nfs4proc.c
>+++ b/fs/nfsd/nfs4proc.c
>@@ -95,6 +95,7 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
> {
> struct svc_fh resfh;
> int status;
>+ int created = 0;
>
> fh_init(&resfh, NFS4_FHSIZE);
> open->op_truncate = 0;
>@@ -108,7 +109,7 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
> open->op_fname.len, &open->op_iattr,
> &resfh, open->op_createmode,
> (u32 *)open->op_verf.data,
>- &open->op_truncate);
>+ &open->op_truncate, &created);
>
> /* If we ever decide to use different attrs to store the
> * verifier in nfsd_create_v3, then we'll need to change this
>@@ -132,7 +133,8 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
> memcpy(open->op_stateowner->so_replay.rp_openfh,
> &resfh.fh_handle.fh_base, resfh.fh_handle.fh_size);
>
>- status = do_open_permission(rqstp, current_fh, open, MAY_NOP);
>+ if (!created)
>+ status = do_open_permission(rqstp, current_fh, open, MAY_NOP);
>
> out:
> fh_put(&resfh);
>diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
>index 5290248..773b280 100644
>--- a/fs/nfsd/vfs.c
>+++ b/fs/nfsd/vfs.c
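Review bot: In do_open_lookup() (fs/nfsd/nfs4proc.c, the `@@ -132,7` hunk) the new `if (!created)` skips the whole of do_open_permission(), not only the mode-bit test the description talks about. do_open_permission() is not shown on this page; if it also validates request arguments independent of the file's mode, that validation is dropped for every creating open and should stay outside the guard. The guard also deserves a comment saying why an access check is deliberately bypassed, e.g. `/* the creator may open the new file whatever its mode bits say */`. The function body starts before and continues between these hunks, so the paths on which `created` can become non-zero need to be confirmed in nfsd_create_v3().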
>@@ -1241,7 +1241,7 @@ int
> nfsd_create_v3(struct svc_rqst *rqstp, struct svc_fh *fhp,
> char *fname, int flen, struct iattr *iap,
> struct svc_fh *resfhp, int createmode, u32 *verifier,
>- int *truncp)
>+ int *truncp, int *created)
> {
> struct dentry *dentry, *dchild = NULL;
> struct inode *dirp;
>@@ -1330,6 +1330,8 @@ nfsd_create_v3(struct svc_rqst *rqstp, struct svc_fh *fhp,
> err = vfs_create(dirp, dchild, iap->ia_mode, NULL);
> if (err < 0)
> goto out_nfserr;
>+ if (created)
>+ *created = 1;
>
> if (EX_ISSYNC(fhp->fh_export)) {
> err = nfserrno(nfsd_sync_dir(dentry));
>diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
>index 17db1ce..ff1b586 100644
>--- a/include/linux/nfsd/nfsd.h
>+++ b/include/linux/nfsd/nfsd.h
>@@ -92,7 +92,7 @@ int nfsd_access(struct svc_rqst *, struct svc_fh *, u32 *, u32 *);
> int nfsd_create_v3(struct svc_rqst *, struct svc_fh *,
> char *name, int len, struct iattr *attrs,
> struct svc_fh *res, int createmode,
>- u32 *verifier, int *truncp);
>+ u32 *verifier, int *truncp, int *created);
> int nfsd_commit(struct svc_rqst *, struct svc_fh *,
> loff_t, unsigned long);
> #endif /* CONFIG_NFSD_V3 */
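Review bot: The new `created` out-parameter of nfsd_create_v3() (fs/nfsd/vfs.c, the `@@ -1330,6` hunk) is only ever set to 1 and never cleared, so its meaning depends on the caller zeroing it first. do_open_lookup() does that, but the contract is written down nowhere, and a caller now uses the flag to decide whether to run an access check. The flag is also raised before the `nfsd_sync_dir()` step that follows, and the code after that is outside the hunk, so it may already be 1 when an error is returned. I would document this above the function: `/* *created, if non-NULL, is set to 1 once vfs_create() succeeds; it is never cleared here and is meaningful only when the call returns success. */`.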
Attachments on
bug 524520
: 361856