Bug 1776096

Summary: [rpc.statd] New use-after-free in monitor list when insertion fails for existing entry
Product: Red Hat Enterprise Linux 8 Reporter: Yongcheng Yang <yoyang>
Component: nfs-utils    Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA QA Contact: Yongcheng Yang <yoyang>
Severity: high Docs Contact:
Priority: high    
Version: 8.2    CC: gcase, pawel_sikora, rhandlin, steved, swhiteho, tborcin, xzhou
Target Milestone: rc    Keywords: Regression, Reproducer
Target Release: 8.2    Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nfs-utils-2.3.3-29.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:51:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1776036, 1776957    

Description Yongcheng Yang 2019-11-25 06:48:50 UTC
Description of problem:
The patch for Bug 1746572 modifies the file "utils/statd/monitor.c", which might introduce a use_after_free problem.

It might be a USE_AFTER_FREE issue, as this reproducer is from Bug 1624542 (Fix use-after-free in rpc.statd monitor list when insertion fails for existing entry).

Version-Release number of selected component (if applicable):
nfs-utils-2.3.3-27.el8
(previous version 2.3.3-26.el8 is good)

How reproducible:
always

Steps to Reproduce:
1. chown -R rpcuser:rpcuser /var/lib/nfs/statd/sm{,.bak}  # Not necessary for the first time
2. ./nsm_client mon 192.168.123.1 1
3. chown -R root:root /var/lib/nfs/statd/sm{,.bak}
4. ./nsm_client mon 192.168.123.1 2
5. # Check `rpc.statd` exists or not

Actual results:
[root.0 ~]# ll /var/lib/nfs/statd
total 0
drwx------. 2 rpcuser rpcuser 6 Nov 11 09:29 sm     <<<<
drwx------. 2 rpcuser rpcuser 6 Nov 11 09:29 sm.bak <<<<
[root.0 ~]# ps aux | grep -v grep | grep statd
rpcuser   1625  0.0  0.0  45472  3764 ?        Ss   01:12   0:00 rpc.statd
[root.0 ~]# ./nsm_client mon 192.168.123.10 1
Calling 127.0.0.1 (as rhel-8.2.0.rhts.eng.pek2.redhat.com) to monitor 192.168.123.10
SM_MON request successful, state: 5
[root.0 ~]# chown -R root:root /var/lib/nfs/statd/sm{,.bak}
[root.0 ~]# ll /var/lib/nfs/statd/
total 0
drwx------. 2 root root 217 Nov 25 01:13 sm       <<<<<
drwx------. 2 root root   6 Nov 11 09:29 sm.bak   <<<<<
[root.0 ~]# ps aux | grep -v grep | grep statd
rpcuser   1625  0.0  0.1  61460  4620 ?        Ss   01:12   0:00 rpc.statd
[root.0 ~]# ./nsm_client mon 192.168.123.10 2
Calling 127.0.0.1 (as rhel-8.2.0.rhts.eng.pek2.redhat.com) to monitor 192.168.123.10
RPC:0
sm_mon_1: RPC: Unable to receive; errno = Connection refused   <<<<<<<<<<<<<<
[root.0 ~]# ps aux | grep -v grep | grep statd
[root.0 ~]# coredumpctl 
No coredumps found.
[root.0 ~]# tail /var/log/messages 
...
Nov 25 01:16:20 rhel-8.2.0 kernel: rpc.statd[1625]: segfault at 10 ip 000055c3e9717a0a sp 00007ffca5641e90 error 6 in rpc.statd (deleted)[55c3e9712000+17000]
Nov 25 01:16:20 rhel-8.2.0 kernel: Code: 7c e6 ff ff 48 8d 3d fa b7 00 00 31 c0 e8 6e 9a 00 00 e9 81 fe ff ff 48 8d 35 c2 b5 00 00 bf 01 00 00 00 31 c0 e8 86 97 00 00 <c7> 04 25 10 00 00 00 00 00 00 00 0f 0b e8 f4 e5 ff ff 0f 1f 40 00
...
[root.0 ~]# rpm -q nfs-utils
nfs-utils-2.3.3-27.el8.x86_64
[root.0 ~]# 


Expected results:
No crash of rpc.statd

Additional info:

Comment 1 Steve Whitehouse 2019-12-16 10:58:38 UTC
Since this is a regression, should it also be a blocker for 8.2?

Comment 4 Steve Dickson 2020-01-13 17:26:11 UTC
(In reply to Steve Whitehouse from comment #1)
> Since this is a regression, should it also be a blocker for 8.2?

It is a regression... since the permission denied broke.
The fix is an easy one:

diff -up ./tests/nsm_client/nlm_sm_inter.h.orig ./tests/nsm_client/nlm_sm_inter.h
diff -up ./utils/statd/monitor.c.orig ./utils/statd/monitor.c
--- ./utils/statd/monitor.c.orig	2020-01-13 10:06:55.962136625 -0500
+++ ./utils/statd/monitor.c	2020-01-13 11:01:43.037265175 -0500
@@ -177,7 +177,6 @@ sm_mon_1_svc(struct mon *argp, struct sv
 	 * We're committed...ignoring errors.  Let's hope that a malloc()
 	 * doesn't fail.  (I should probably fix this assumption.)
 	 */
-	clnt = NULL;
 	if (!existing && !(clnt = nlist_new(my_name, mon_name, 0))) {
 		free(dnsname);
 		xlog_warn("out of memory");
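Review bot: removing `clnt = NULL;` makes the `existing` path depend on `clnt` already pointing at the matched entry when control reaches this block; that assignment is outside the hunk, so it should be confirmed before merging, otherwise the `existing` branch would carry a stale or uninitialized pointer instead of a NULL one. With the reset in place, `nlist_new()` is skipped whenever `existing` is set and whatever follows this block sees `clnt == NULL`, which matches the crash on the second SM_MON for the same host in the description (`segfault at 10`, a small offset from NULL). Also, the `diff -up ./tests/nsm_client/nlm_sm_inter.h.orig` header above carries no hunk and can be dropped from the posted patch.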

So we need to fix this.... Waiting on the blocker ack.
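A constructed C model of the insertion logic in the hunk above, added here as an illustration and not nfs-utils code: `mon_entry`, `find_entry`, `new_entry` and `monitor_insert` are simplified stand-ins for rpc.statd's monitor list, and the `reset_clnt` flag replays the removed `clnt = NULL;` line so the regression path (second SM_MON for an already-monitored host) and the fixed path can be compared.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for rpc.statd's monitor list; not nfs-utils code. */
struct mon_entry {
    char mon_name[64];
    struct mon_entry *next;
};

static struct mon_entry *find_entry(struct mon_entry *list, const char *name) {
    for (; list; list = list->next)
        if (strcmp(list->mon_name, name) == 0)
            return list;
    return NULL;
}

static struct mon_entry *new_entry(const char *name) {
    struct mon_entry *e = calloc(1, sizeof *e);
    if (e)
        strncpy(e->mon_name, name, sizeof e->mon_name - 1);
    return e;
}

/* Insert-or-reuse, modelled on the sm_mon_1_svc block in the hunk above.
 * Returns the entry the caller goes on to dereference, or NULL on OOM.
 * reset_clnt=1 replays the removed "clnt = NULL;" line: for a name that is
 * already monitored the allocation is skipped, so the caller is handed NULL
 * (a NULL-plus-offset fault like "segfault at 10"). reset_clnt=0 is fixed. */
struct mon_entry *monitor_insert(struct mon_entry **list, const char *name,
                                 int reset_clnt) {
    struct mon_entry *existing = find_entry(*list, name);
    struct mon_entry *clnt = existing;   /* existing entry, or NULL if new */

    if (reset_clnt)
        clnt = NULL;                     /* the regression */
    if (!existing && !(clnt = new_entry(name)))
        return NULL;                     /* genuine out-of-memory */
    if (!existing) {                     /* link only a newly created entry */
        clnt->next = *list;
        *list = clnt;
    }
    return clnt;
}

void free_list(struct mon_entry *l) {
    while (l) { struct mon_entry *n = l->next; free(l); l = n; }
}
```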

Comment 10 errata-xmlrpc 2020-04-28 16:51:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1832