Bug 1824270
Summary: | CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic [rhel-7] | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Frank Sorenson <fsorenso> | ||||
Component: | kernel | Assignee: | Benjamin Coddington <bcodding> | ||||
kernel sub component: | NFS | QA Contact: | Zhi Li <yieli> | ||||
Status: | CLOSED ERRATA | Docs Contact: | |||||
Severity: | medium | ||||||
Priority: | medium | CC: | allarkin, bcodding, bhu, eshatokhin, jaeshin, jforbes, jshivers, nfs-maint, pvlasin, snishika, swhiteho, xzhou, yieli, yoyang | ||||
Version: | 7.7 | Keywords: | Patch, Reproducer, Security, SecurityTracking | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | kernel-3.10.0-1140.el7 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1826332 (view as bug list) | Environment: | |||||
Last Closed: | 2020-09-29 21:12:31 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1826332, 1835127, 1839680 | ||||||
Deadline: | 2021-05-13 | ||||||
Attachments: |
|
Description
Frank Sorenson
2020-04-15 16:53:20 UTC
Created attachment 1679154 [details]
dmesg from 3.10.0-1062.1.1.el7.x86_64 kernel with slub_debug=FZPU
Hi Jay, I was responding to the patches on rhkernel-list but I have a little more to discuss so I am bringing the discussion here. It seems infeasible to convert to iov_iter, so let's abandon that. One issue with using krealloc() though is that you'll be incurring an unnecessary memcpy() penalty. It's nice to reuse the pages, but there's no need to copy over the pointer values from the last pass, right? It seems we ought to be able correctly calculate the the maximum pages needed before we enter the loop.. perhaps it makes sense to just assume that we're going to potentially cross a page boundary on the next pass through the loop, so let's just allocate the extra page ptr in the first place. We're not allocating a page, we're just allocating a pointer. What do you think? Well, the other difference is that in the RHEL 7 loop, there are a number of checks that can cause the loop to abort. If you abort the loop after allocating, you have to handle code paths to free those pointers each time. However, we can simply handle this case by always allocating an extra pointer: diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c index f639618b7a2d..d3cc27cd28df 100644 --- a/fs/nfs/direct.c +++ b/fs/nfs/direct.c @@ -873,7 +873,7 @@ static ssize_t nfs_direct_write_schedule_segment(struct nfs_pageio_descriptor *d result = -ENOMEM; npages = nfs_page_array_len(pgbase, bytes); if (!pagevec) - pagevec = kmalloc(npages * sizeof(struct page *), GFP_KERNEL); + pagevec = kmalloc((npages + 1) * sizeof(struct page *), GFP_KERNEL); if (!pagevec) break; What do you think? Ben, what is the current status here? Do we need to defer? Please update the bug flags. Patch(es) committed on kernel-3.10.0-1140.el7 Moving to VERIFIED according to comment#44 and comment#46. *** Bug 1839679 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4060 |