[kernel/f15] Additional fixes for CVE-2011-4131 (rhbz 822874 822869)

Josh Boyer jwboyer at fedoraproject.org
Fri May 18 13:20:42 UTC 2012 

commit af7453a80684762d22aaf50e34fffc61cc7d0294
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri May 18 09:19:40 2012 -0400

    Additional fixes for CVE-2011-4131 (rhbz 822874 822869)

 kernel.spec                                        |   12 ++-
 ...void-beyond-bounds-copy-while-caching-ACL.patch |   85 ++++++++++++++
 ...d-reading-past-buffer-when-calling-GETACL.patch |  120 ++++++++++++++++++++
 3 files changed, 216 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index de56a9e..938439f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 4
+%global baserelease 5
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -643,6 +643,10 @@ Patch4001: NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch
 Patch4107: NFSv4-Minor-cleanups-for-nfs4_handle_exception-and-n.patch
 Patch4115: NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
 
+#rhbz 822874
+Patch4116: nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
+Patch4117: nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
+
 # patches headed upstream
 
 Patch12016: disable-i8042-check-on-apple-mac.patch
@@ -1166,6 +1170,9 @@ ApplyPatch NFSv4-Further-reduce-the-footprint-of-the-idmapper.patch
 ApplyPatch NFSv4-Minor-cleanups-for-nfs4_handle_exception-and-n.patch
 ApplyPatch NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
 
+ApplyPatch nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
+ApplyPatch nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
+
 # USB
 
 # WMI
@@ -1963,6 +1970,9 @@ fi
 # and build.
 
 %changelog
+* Fri May 18 2012 Josh Boyer <jwboyer at redhat.com>
+- Additional fixes for CVE-2011-4131 (rhbz 822874 822869)
+
 * Thu May 17 2012 Josh Boyer <jwboyer at redhat.com>
 - Fix rtlwifi async firmware load race condition (rhbz 822120)
 
diff --git a/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch b/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
new file mode 100644
index 0000000..2798b0d
--- /dev/null
+++ b/nfs-Avoid-beyond-bounds-copy-while-caching-ACL.patch
@@ -0,0 +1,85 @@
+From 5794d21ef4639f0e33440927bb903f9598c21e92 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu at redhat.com>
+Date: Tue, 17 Apr 2012 14:36:40 +0100
+Subject: [PATCH] Avoid beyond bounds copy while caching ACL
+
+When attempting to cache ACLs returned from the server, if the bitmap
+size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
+is smaller than a PAGE_SIZE, we can read past the buffer page boundary.
+
+Signed-off-by: Sachin Prabhu <sprabhu at redhat.com>
+Reported-by: Jian Li <jiali at redhat.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+---
+ fs/nfs/nfs4proc.c |   12 +++++-------
+ fs/nfs/nfs4xdr.c  |    2 +-
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index f5f125f..2ce0698 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3628,16 +3628,16 @@ out:
+ 	return ret;
+ }
+ 
+-static void nfs4_write_cached_acl(struct inode *inode, const char *buf, size_t acl_len)
++static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)
+ {
+ 	struct nfs4_cached_acl *acl;
+ 
+-	if (buf && acl_len <= PAGE_SIZE) {
++	if (pages && acl_len <= PAGE_SIZE) {
+ 		acl = kmalloc(sizeof(*acl) + acl_len, GFP_KERNEL);
+ 		if (acl == NULL)
+ 			goto out;
+ 		acl->cached = 1;
+-		memcpy(acl->data, buf, acl_len);
++		_copy_from_pages(acl->data, pages, pgbase, acl_len);
+ 	} else {
+ 		acl = kmalloc(sizeof(*acl), GFP_KERNEL);
+ 		if (acl == NULL)
+@@ -3670,7 +3670,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 	struct nfs_getaclres res = {
+ 		.acl_len = buflen,
+ 	};
+-	void *resp_buf;
+ 	struct rpc_message msg = {
+ 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL],
+ 		.rpc_argp = &args,
+@@ -3705,7 +3704,6 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 	 * the page we send as a guess */
+ 	if (buf == NULL)
+ 		res.acl_flags |= NFS4_ACL_LEN_REQUEST;
+-	resp_buf = page_address(pages[0]);
+ 
+ 	dprintk("%s  buf %p buflen %zu npages %d args.acl_len %zu\n",
+ 		__func__, buf, buflen, npages, args.acl_len);
+@@ -3716,9 +3714,9 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 
+ 	acl_len = res.acl_len - res.acl_data_offset;
+ 	if (acl_len > args.acl_len)
+-		nfs4_write_cached_acl(inode, NULL, acl_len);
++		nfs4_write_cached_acl(inode, NULL, 0, acl_len);
+ 	else
+-		nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
++		nfs4_write_cached_acl(inode, pages, res.acl_data_offset,
+ 				      acl_len);
+ 	if (buf) {
+ 		ret = -ERANGE;
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 9312dd7..203c096 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4940,7 +4940,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 				res->acl_len = attrlen;
+ 				goto out;
+ 			}
+-			dprintk("NFS: acl reply: attrlen %zu > page_len %u\n",
++			dprintk("NFS: acl reply: attrlen %u > page_len %zu\n",
+ 					attrlen, page_len);
+ 			return -EINVAL;
+ 		}
+-- 
+1.7.7.6
+
diff --git a/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch b/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
new file mode 100644
index 0000000..7122e3b
--- /dev/null
+++ b/nfs-Avoid-reading-past-buffer-when-calling-GETACL.patch
@@ -0,0 +1,120 @@
+From 5a00689930ab975fdd1b37b034475017e460cf2a Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu at redhat.com>
+Date: Tue, 17 Apr 2012 14:35:39 +0100
+Subject: [PATCH] Avoid reading past buffer when calling GETACL
+
+Bug noticed in commit
+bf118a342f10dafe44b14451a1392c3254629a1f
+
+When calling GETACL, if the size of the bitmap array, the length
+attribute and the acl returned by the server is greater than the
+allocated buffer(args.acl_len), we can Oops with a General Protection
+fault at _copy_from_pages() when we attempt to read past the pages
+allocated.
+
+This patch allocates an extra PAGE for the bitmap and checks to see that
+the bitmap + attribute_length + ACLs don't exceed the buffer space
+allocated to it.
+
+Signed-off-by: Sachin Prabhu <sprabhu at redhat.com>
+Reported-by: Jian Li <jiali at redhat.com>
+[Trond: Fixed a size_t vs unsigned int printk() warning]
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+---
+ fs/nfs/nfs4proc.c |   16 ++++++++++------
+ fs/nfs/nfs4xdr.c  |   18 +++++++++++-------
+ 2 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 60d5f4c..f5f125f 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3684,19 +3684,23 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 	if (npages == 0)
+ 		npages = 1;
+ 
++	/* Add an extra page to handle the bitmap returned */
++	npages++;
++
+ 	for (i = 0; i < npages; i++) {
+ 		pages[i] = alloc_page(GFP_KERNEL);
+ 		if (!pages[i])
+ 			goto out_free;
+ 	}
+-	if (npages > 1) {
+-		/* for decoding across pages */
+-		res.acl_scratch = alloc_page(GFP_KERNEL);
+-		if (!res.acl_scratch)
+-			goto out_free;
+-	}
++
++	/* for decoding across pages */
++	res.acl_scratch = alloc_page(GFP_KERNEL);
++	if (!res.acl_scratch)
++		goto out_free;
++
+ 	args.acl_len = npages * PAGE_SIZE;
+ 	args.acl_pgbase = 0;
++
+ 	/* Let decode_getfacl know not to fail if the ACL data is larger than
+ 	 * the page we send as a guess */
+ 	if (buf == NULL)
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 77fc5f9..9312dd7 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4902,11 +4902,19 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 		 bitmap[3] = {0};
+ 	struct kvec *iov = req->rq_rcv_buf.head;
+ 	int status;
++	size_t page_len = xdr->buf->page_len;
+ 
+ 	res->acl_len = 0;
+ 	if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
+ 		goto out;
++
+ 	bm_p = xdr->p;
++	res->acl_data_offset = be32_to_cpup(bm_p) + 2;
++	res->acl_data_offset <<= 2;
++	/* Check if the acl data starts beyond the allocated buffer */
++	if (res->acl_data_offset > page_len)
++		return -ERANGE;
++
+ 	if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
+ 		goto out;
+ 	if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
+@@ -4916,28 +4924,24 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 		return -EIO;
+ 	if (likely(bitmap[0] & FATTR4_WORD0_ACL)) {
+ 		size_t hdrlen;
+-		u32 recvd;
+ 
+ 		/* The bitmap (xdr len + bitmaps) and the attr xdr len words
+ 		 * are stored with the acl data to handle the problem of
+ 		 * variable length bitmaps.*/
+ 		xdr->p = bm_p;
+-		res->acl_data_offset = be32_to_cpup(bm_p) + 2;
+-		res->acl_data_offset <<= 2;
+ 
+ 		/* We ignore &savep and don't do consistency checks on
+ 		 * the attr length.  Let userspace figure it out.... */
+ 		hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
+ 		attrlen += res->acl_data_offset;
+-		recvd = req->rq_rcv_buf.len - hdrlen;
+-		if (attrlen > recvd) {
++		if (attrlen > page_len) {
+ 			if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {
+ 				/* getxattr interface called with a NULL buf */
+ 				res->acl_len = attrlen;
+ 				goto out;
+ 			}
+-			dprintk("NFS: acl reply: attrlen %u > recvd %u\n",
+-					attrlen, recvd);
++			dprintk("NFS: acl reply: attrlen %zu > page_len %u\n",
++					attrlen, page_len);
+ 			return -EINVAL;
+ 		}
+ 		xdr_read_pages(xdr, attrlen);
+-- 
+1.7.7.6
+

More information about the scm-commits mailing list