Re: [patch 38/39] Normal user can panic NFS client with direct I/O (CVE-2006-0555)

On Mon, Feb 27, 2006 at 02:32:38PM -0800, Chris Wright wrote:
 > -stable review patch.  If anyone has any objections, please let us know.
 > ------------------
 > 
 > This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
 > NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
 > 
 > Signed-off-by: Chris Wright <[email protected]>
 > ---
 > 
 >  fs/nfs/direct.c |    5 +++++
 >  1 files changed, 5 insertions(+)
 > 
 > --- linux-2.6.15.4.orig/fs/nfs/direct.c
 > +++ linux-2.6.15.4/fs/nfs/direct.c
 > @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
 >  		result = get_user_pages(current, current->mm, user_addr,
 >  					page_count, (rw == READ), 0,
 >  					*pages, NULL);
 > +		if (result >= 0 && result < page_count) {
 > +			nfs_free_user_pages(*pages, result, 0);
 > +			*pages = NULL;
 > +			result = -EFAULT;
 > +		}
 >  		up_read(&current->mm->mmap_sem);
 >  	}
 >  	return result;
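
Review bot: the new call to nfs_free_user_pages() in the `result < page_count` branch sits above that function's static definition in fs/nfs/direct.c, so the compiler sees an implicit declaration at the call site and then a conflicting static definition further down, which is the build failure reported in the reply that follows. Move the definition above nfs_get_user_pages() or add a forward declaration. It would also help to put a short comment on the branch saying that a partial pin is treated as -EFAULT and that `*pages = NULL` is there because nfs_free_user_pages() frees the array as well as releasing the pages.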

Also broken in 2.6.15.5 it seems :-/

fs/nfs/direct.c: In function 'nfs_get_user_pages':
fs/nfs/direct.c:110: warning: implicit declaration of function 'nfs_free_user_pages'
fs/nfs/direct.c: At top level:
fs/nfs/direct.c:127: warning: conflicting types for 'nfs_free_user_pages'
fs/nfs/direct.c:127: error: static declaration of 'nfs_free_user_pages' follows non-static declaration
fs/nfs/direct.c:110: error: previous implicit declaration of 'nfs_free_user_pages' was here

Some function juggling should do the trick.

Signed-off-by: Dave Jones <[email protected]>

--- linux-2.6.15/fs/nfs/direct.c~	2006-03-01 23:31:37.000000000 -0500
+++ linux-2.6.15/fs/nfs/direct.c	2006-03-01 23:32:01.000000000 -0500
@@ -73,6 +73,23 @@ struct nfs_direct_req {
 				error;		/* any reported error */
 };
 
+/**
+ * nfs_free_user_pages - tear down page struct array
+ * @pages: array of page struct pointers underlying target buffer
+ * @npages: number of pages in the array
+ * @do_dirty: dirty the pages as we release them
+ */
+static void
+nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
+{
+	int i;
+	for (i = 0; i < npages; i++) {
+		if (do_dirty)
+			set_page_dirty_lock(pages[i]);
+		page_cache_release(pages[i]);
+	}
+	kfree(pages);
+}
 
 /**
  * nfs_get_user_pages - find and set up pages underlying user's buffer
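
Review bot: the kernel-doc moved along with nfs_free_user_pages() only says "tear down page struct array" and does not state that the function also calls kfree(pages); the error path added to nfs_get_user_pages() depends on that, so the comment should say the caller must not use or free `pages` after the call. Style point in the same block: add a blank line between `int i;` and the `for` loop. If the aim is to keep this -stable fix a pure move with no functional change, say so in the changelog and leave both for a follow-up.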
@@ -117,24 +134,6 @@ nfs_get_user_pages(int rw, unsigned long
 }
 
 /**
- * nfs_free_user_pages - tear down page struct array
- * @pages: array of page struct pointers underlying target buffer
- * @npages: number of pages in the array
- * @do_dirty: dirty the pages as we release them
- */
-static void
-nfs_free_user_pages(struct page **pages, int npages, int do_dirty)
-{
-	int i;
-	for (i = 0; i < npages; i++) {
-		if (do_dirty)
-			set_page_dirty_lock(pages[i]);
-		page_cache_release(pages[i]);
-	}
-	kfree(pages);
-}
-
-/**
  * nfs_direct_req_release - release  nfs_direct_req structure for direct read
  * @kref: kref object embedded in an nfs_direct_req structure
  *