On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ------------------
>
> This is CVE-2006-0555 and SGI bug 946529. A normal user can panic an
> NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
>
> Signed-off-by: Chris Wright <[email protected]>
> ---
>
> fs/nfs/direct.c | 5 +++++
> 1 files changed, 5 insertions(+)
>
> --- linux-2.6.15.4.orig/fs/nfs/direct.c
> +++ linux-2.6.15.4/fs/nfs/direct.c
> @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
> result = get_user_pages(current, current->mm, user_addr,
> page_count, (rw == READ), 0,
> *pages, NULL);
> + if (result >= 0 && result < page_count) {
> + nfs_free_user_pages(*pages, result, 0);
> + *pages = NULL;
> + result = -EFAULT;
> + }
> up_read(¤t->mm->mmap_sem);
> }
> return result;
Also broken in 2.6.15.5 it seems :-/
fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here
Some function juggling should do the trick.
Signed-off-by: Dave Jones <[email protected]>
--- linux-2.6.15/fs/nfs/direct.c~ 2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c 2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
error; /* any reported error */
};
+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+ int i;
+ for (i = 0; i < npages; i++) {
+ if (do_dirty)
+ set_page_dirty_lock(pages[i]);
+ page_cache_release(pages[i]);
+ }
+ kfree(pages);
+}
/**
* nfs_get_user_pages - find and set up pages underlying user's buffer
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
}
/**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
- int i;
- for (i = 0; i < npages; i++) {
- if (do_dirty)
- set_page_dirty_lock(pages[i]);
- page_cache_release(pages[i]);
- }
- kfree(pages);
-}
-
-/**
* nfs_direct_req_release - release nfs_direct_req structure for direct read
* @kref: kref object embedded in an nfs_direct_req structure
*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]