linux/net/sunrpc
Vasily Averin d4b09acf92 sunrpc: use-after-free in svc_process_common()
if a node has NFSv41+ mounts inside several net namespaces
it can lead to a use-after-free in svc_process_common()

svc_process_common()
        /* Setup reply header */
        rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE

svc_process_common() can use incorrect rqstp->rq_xprt,
its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
The problem is that serv is a global structure but sv_bc_xprt
is assigned per net namespace.

According to Trond, the whole "let's set up rqstp->rq_xprt
for the back channel" is nothing but a giant hack in order
to work around the fact that svc_process_common() uses it
to find the xpt_ops, and perform a couple of (meaningless
for the back channel) tests of xpt_flags.

All we really need in svc_process_common() is to be able to run
rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()

Bruce J Fields points that this xpo_prep_reply_hdr() call
is an awfully roundabout way just to do "svc_putnl(resv, 0);"
in the tcp case.

This patch does not initialize rqstp->rq_xprt in bc_svc_process(),
now it calls svc_process_common() with rqstp->rq_xprt = NULL.

To adjust the reply header svc_process_common() just checks
rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for the tcp case.

To handle the rqstp->rq_xprt = NULL case in functions called from
svc_process_common() the patch introduces a net namespace pointer
svc_rqst->rq_bc_net and adjusts the SVC_NET() definition.
Some other functions were also adapted to properly handle the described case.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Cc: stable@vger.kernel.org
Fixes: 23c20ecd44 ("NFS: callback up - users counting cleanup")
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2018-12-27 21:00:58 -05:00
auth_gss sunrpc: use SVC_NET() in svcauth_gss_* functions 2018-12-27 21:00:23 -05:00
xprtrdma svcrdma: Optimize the logic that selects the R_key to invalidate 2018-11-28 18:36:03 -05:00
addr.c
auth_generic.c SUNRPC: Fix a bogus get/put in generic_key_to_expire() 2018-11-12 16:39:13 -05:00
auth_null.c SUNRPC: Convert the auth cred cache to use refcount_t 2018-10-23 12:24:33 -04:00
auth_unix.c SUNRPC: Convert the auth cred cache to use refcount_t 2018-10-23 12:24:33 -04:00
auth.c SUNRPC: Convert the auth cred cache to use refcount_t 2018-10-23 12:24:33 -04:00
backchannel_rqst.c SUNRPC: Refactor xprt_transmit() to remove the reply queue code 2018-09-30 15:35:14 -04:00
cache.c sunrpc: fix cache_head leak due to queued request 2018-12-04 15:42:08 -05:00
clnt.c SUNRPC: Add a bvec array to struct xdr_buf for use with iovec_iter() 2018-09-30 15:35:16 -04:00
debugfs.c
Kconfig
Makefile
netns.h
rpc_pipe.c
rpcb_clnt.c sunrpc: whitespace fixes 2018-07-31 12:53:40 -04:00
sched.c SUNRPC: Fix priority queue fairness 2018-09-30 15:35:16 -04:00
socklib.c SUNRPC: Unexport xdr_partial_copy_from_skb() 2018-09-30 15:35:16 -04:00
stats.c sunrpc: whitespace fixes 2018-07-31 12:53:40 -04:00
sunrpc_syms.c
sunrpc.h sunrpc: whitespace fixes 2018-07-31 12:53:40 -04:00
svc_xprt.c sunrpc: use-after-free in svc_process_common() 2018-12-27 21:00:58 -05:00
svc.c sunrpc: use-after-free in svc_process_common() 2018-12-27 21:00:58 -05:00
svcauth_unix.c SUNRPC: Make server side AUTH_UNIX use lockless lookups 2018-10-29 16:58:04 -04:00
svcauth.c SUNRPC: Add lockless lookup of the server's auth domain 2018-10-03 11:32:59 -04:00
svcsock.c sunrpc: use-after-free in svc_process_common() 2018-12-27 21:00:58 -05:00
sysctl.c
timer.c
xdr.c SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() 2018-11-08 12:12:23 -05:00
xprt.c NFS RDMA client updates for Linux 4.20 2018-10-18 17:29:00 -04:00
xprtmultipath.c
xprtsock.c missing bits of "iov_iter: Separate type from direction and use accessor functions" 2018-11-01 18:19:03 -04:00