Hi,
I found a problem on NFS client code. It enables a local user to
crash the system.
NFS client prevents mandatory lock, but there is a flaw on it; Locks
are possibly left if the mode is changed while locking. And a recent
changes on VFS makes it calls BUG().
For example:
fd = open("file_on_nfs", O_RDWR | O_CREAT, 0644);
memset(&lck, 0, sizeof(lck));
lck.l_type = F_WRLCK;
fcntl(fd, F_SETLK, &lck); // get locked
fchmod(fd, 02644); // change i_mode to -rw-r-Sr--
close(fd); // "kernel BUG at fs/locks.c:1932!"
The cause is:
o The situation that locking succeeds but unlocking fails is
possible, because of i_mode.
o locks_remove_flock() calls BUG() if posix locks remain on an
inode when closing. It was changed at 2.6.13-rc4.
Here is a patch against 2.6.15-rc6. This permits unlocking even if
the mandatory lock bits are set.
Signed-off-by: ASANO Masahiro <[email protected]>
---
--- linux-2.6.15-rc6/fs/nfs/file.c.orig 2005-12-21 21:30:14.000000000 +0900
+++ linux-2.6.15-rc6/fs/nfs/file.c 2005-12-21 21:42:16.000000000 +0900
@@ -524,7 +524,8 @@ static int nfs_lock(struct file *filp, i
return -EINVAL;
/* No mandatory locks over NFS */
- if ((inode->i_mode & (S_ISGID | S_IXGRP)) == S_ISGID)
+ if ((inode->i_mode & (S_ISGID | S_IXGRP)) == S_ISGID &&
+ fl->fl_type != F_UNLCK)
return -ENOLCK;
if (IS_GETLK(cmd))
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]