[kernel] Linux 3.2-rc1-git4

Josh Boyer jwboyer at fedoraproject.org
Mon Nov 14 14:56:16 UTC 2011 

commit c7a536b3308eb65a29df2fbce8c1c3bc2d6cacee
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Nov 14 09:55:52 2011 -0500

    Linux 3.2-rc1-git4
    
    Also fix CVE-2011-4131: nfs4_getfacl decoding kernel oops (rhbz 753236)

 kernel.spec                                      |   12 ++-
 nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch |  118 ++++++++++++++++++++++
 sources                                          |    2 +-
 3 files changed, 130 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 6032037..c0a7319 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -87,7 +87,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 1
 # The git snapshot level
-%define gitrev 3
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -707,6 +707,9 @@ Patch21090: bcma-brcmsmac-compat.patch
 
 Patch21091: pci-Rework-ASPM-disable-code.patch
 
+#rhbz 753236
+Patch21029: nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1347,6 +1350,9 @@ ApplyPatch bcma-brcmsmac-compat.patch
 
 ApplyPatch pci-Rework-ASPM-disable-code.patch
 
+#rhbz 753236
+ApplyPatch nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2053,6 +2059,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Nov 14 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-4131: nfs4_getfacl decoding kernel oops (rhbz 753236)
+- Linux 3.2-rc1-git4
+
 * Sat Nov 12 2011 Josh Boyer <jwboyer at redhat.com>
 - Linux 3.2-rc1-git3
 
diff --git a/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch b/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
new file mode 100644
index 0000000..1b795e9
--- /dev/null
+++ b/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
@@ -0,0 +1,118 @@
+From: Andy Adamson <andros at xxxxxxxxxx>
+
+The NFSv4 bitmap size is unbounded: a server can return an arbitrary
+sized bitmap in an FATTR4_WORD0_ACL request.  Replace using the
+nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
+with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
+xdr length to the (cached) acl page data.
+
+This is a general solution to commit e5012d1f "NFSv4.1: update
+nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
+when getting ACLs.
+
+Cc:stable at xxxxxxxxxx
+Signed-off-by: Andy Adamson <andros at xxxxxxxxxx>
+---
+ fs/nfs/nfs4proc.c |   20 ++++++++++++++++++--
+ fs/nfs/nfs4xdr.c  |   15 ++++++++++++---
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index deb88d9..97014dd 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3671,6 +3671,22 @@ static void nfs4_zap_acl_attr(struct inode *inode)
+ 	nfs4_set_cached_acl(inode, NULL);
+ }
+ 
++/*
++ * The bitmap xdr length, bitmasks, and the attr xdr length are stored in
++ * the acl cache to handle variable length bitmasks. Just copy the acl data.
++ */
++static void nfs4_copy_acl(char *buf, char *acl_data, size_t acl_len)
++{
++	__be32 *q, *p = (__be32 *)acl_data;
++	int32_t len;
++
++	len = be32_to_cpup(p); /* number of bitmasks */
++	len += 2;  /* add words for bitmap and attr xdr len */
++	q = p + len;
++	len = len << 2; /* convert to bytes for acl_len math */
++	memcpy(buf, (char *)q, acl_len - len);
++}
++
+ static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_t buflen)
+ {
+ 	struct nfs_inode *nfsi = NFS_I(inode);
+@@ -3688,7 +3704,7 @@ static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_
+ 	ret = -ERANGE; /* see getxattr(2) man page */
+ 	if (acl->len > buflen)
+ 		goto out;
+-	memcpy(buf, acl->data, acl->len);
++	nfs4_copy_acl(buf, acl->data, acl->len);
+ out_len:
+ 	ret = acl->len;
+ out:
+@@ -3763,7 +3779,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 		if (res.acl_len > buflen)
+ 			goto out_free;
+ 		if (localpage)
+-			memcpy(buf, resp_buf, res.acl_len);
++			nfs4_copy_acl(buf, resp_buf, res.acl_len);
+ 	}
+ 	ret = res.acl_len;
+ out_free:
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index f9fd96d..9c07380 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -2513,7 +2513,7 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
+ 	encode_compound_hdr(xdr, req, &hdr);
+ 	encode_sequence(xdr, &args->seq_args, &hdr);
+ 	encode_putfh(xdr, args->fh, &hdr);
+-	replen = hdr.replen + op_decode_hdr_maxsz + nfs4_fattr_bitmap_maxsz + 1;
++	replen = hdr.replen + op_decode_hdr_maxsz + 1;
+ 	encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
+ 
+ 	xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
+@@ -4955,7 +4955,7 @@ decode_restorefh(struct xdr_stream *xdr)
+ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 		size_t *acl_len)
+ {
+-	__be32 *savep;
++	__be32 *savep, *bm_p;
+ 	uint32_t attrlen,
+ 		 bitmap[3] = {0};
+ 	struct kvec *iov = req->rq_rcv_buf.head;
+@@ -4964,6 +4964,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 	*acl_len = 0;
+ 	if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
+ 		goto out;
++	bm_p = xdr->p;
+ 	if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
+ 		goto out;
+ 	if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
+@@ -4972,12 +4973,20 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 	if (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U)))
+ 		return -EIO;
+ 	if (likely(bitmap[0] & FATTR4_WORD0_ACL)) {
+-		size_t hdrlen;
++		size_t hdrlen, len;
+ 		u32 recvd;
+ 
++		/*The bitmap (xdr len + bitmasks) and the attr xdr len words
++		 * are stored with the acl data to handle the problem of
++		 * variable length bitmasks.*/
++		xdr->p = bm_p;
++		len = be32_to_cpup(bm_p);
++		len += 2; /* add bitmap and attr xdr len words */
++
+ 		/* We ignore &savep and don't do consistency checks on
+ 		 * the attr length.  Let userspace figure it out.... */
+ 		hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
++		attrlen += len << 2; /* attrlen is in bytes */
+ 		recvd = req->rq_rcv_buf.len - hdrlen;
+ 		if (attrlen > recvd) {
+ 			dprintk("NFS: server cheating in getattr"
+-- 
+1.7.6.4
diff --git a/sources b/sources
index 9017496..f0537b6 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 8d43453f8159b2332ad410b19d86a931  linux-3.1.tar.bz2
 c12c4ef15682ca8caa360d013625ea3f  patch-3.2-rc1.bz2
-ab4107808a6c22a7ed3058127af416ec  patch-3.2-rc1-git3.bz2
+0fa9eeb841b5abb2391011b1fd7e6c11  patch-3.2-rc1-git4.bz2

More information about the scm-commits mailing list