sunrpc: CVE-2018-16884

sunrpc: use-after-free in svc_process_common()

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-16884
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=65dba32522065b79a16393efc75f8006c2c3dbb8

Change-Id: I440846fe5b7e8a67209bf02857ee2e7691bd4f06
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 169 insertions, 0 deletions

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index 36143b1..41bfe7a 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -19,3 +19,5 @@ patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
 patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
 CVEs fixed in 4.14.91:
 patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
+CVEs fixed in 4.14.94:
+patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
diff --git a/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch b/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
new file mode 100644
index 0000000..36878cb
--- /dev/null
+++ b/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
@@ -0,0 +1,167 @@
+From 65dba32522065b79a16393efc75f8006c2c3dbb8 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 24 Dec 2018 14:44:52 +0300
+Subject: [PATCH] sunrpc: use-after-free in svc_process_common()
+
+commit d4b09acf924b84bae77cad090a9d108e70b43643 upstream.
+
+if node have NFSv41+ mounts inside several net namespaces
+it can lead to use-after-free in svc_process_common()
+
+svc_process_common()
+        /* Setup reply header */
+        rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE
+
+svc_process_common() can use incorrect rqstp->rq_xprt,
+its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
+The problem is that serv is global structure but sv_bc_xprt
+is assigned per-netnamespace.
+
+According to Trond, the whole "let's set up rqstp->rq_xprt
+for the back channel" is nothing but a giant hack in order
+to work around the fact that svc_process_common() uses it
+to find the xpt_ops, and perform a couple of (meaningless
+for the back channel) tests of xpt_flags.
+
+All we really need in svc_process_common() is to be able to run
+rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()
+
+Bruce J Fields points that this xpo_prep_reply_hdr() call
+is an awfully roundabout way just to do "svc_putnl(resv, 0);"
+in the tcp case.
+
+This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
+now it calls svc_process_common() with rqstp->rq_xprt = NULL.
+
+To adjust reply header svc_process_common() just check
+rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.
+
+To handle rqstp->rq_xprt = NULL case in functions called from
+svc_process_common() patch intruduces net namespace pointer
+svc_rqst->rq_bc_net and adjust SVC_NET() definition.
+Some other function was also adopted to properly handle described case.
+
+CVE: CVE-2018-16884
+Upstream-Status: Backport
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Cc: stable@vger.kernel.org
+Fixes: 23c20ecd4475 ("NFS: callback up - users counting cleanup")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+v2: - added lost extern svc_tcp_prep_reply_hdr()
+    - dropped trace_svc_process() changes
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/linux/sunrpc/svc.h |  5 ++++-
+ net/sunrpc/svc.c           | 11 +++++++----
+ net/sunrpc/svc_xprt.c      |  5 +++--
+ net/sunrpc/svcsock.c       |  2 +-
+ 4 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index 3b9f0d1dbb80..e1aa80c4d6db 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -292,9 +292,12 @@ struct svc_rqst {
+        struct svc_cacherep *   rq_cacherep;    /* cache info */
+        struct task_struct      *rq_task;       /* service thread */
+        spinlock_t              rq_lock;        /* per-request lock */
++       struct net              *rq_bc_net;     /* pointer to backchannel's
++                                                * net namespace
++                                                */
+ };
+ 
+-#define SVC_NET(svc_rqst)      (svc_rqst->rq_xprt->xpt_net)
++#define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
+ 
+ /*
+  * Rigorous type checking on sockaddr type conversions
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index aa04666f929d..3a9a03717212 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1144,6 +1144,8 @@ void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...)
+ static __printf(2,3) void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...) {}
+ #endif
+ 
++extern void svc_tcp_prep_reply_hdr(struct svc_rqst *);
++
+ /*
+  * Common routine for processing the RPC request.
+  */
+@@ -1172,7 +1174,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+        clear_bit(RQ_DROPME, &rqstp->rq_flags);
+ 
+        /* Setup reply header */
+-       rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);
++       if (rqstp->rq_prot == IPPROTO_TCP)
++               svc_tcp_prep_reply_hdr(rqstp);
+ 
+        svc_putu32(resv, rqstp->rq_xid);
+ 
+@@ -1244,7 +1247,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+         * for lower versions. RPC_PROG_MISMATCH seems to be the closest
+         * fit.
+         */
+-       if (versp->vs_need_cong_ctrl &&
++       if (versp->vs_need_cong_ctrl && rqstp->rq_xprt &&
+            !test_bit(XPT_CONG_CTRL, &rqstp->rq_xprt->xpt_flags))
+                goto err_bad_vers;
+ 
+@@ -1335,7 +1338,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+        return 0;
+ 
+  close:
+-       if (test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
++       if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
+                svc_close_xprt(rqstp->rq_xprt);
+        dprintk("svc: svc_process close\n");
+        return 0;
+@@ -1462,10 +1465,10 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
+        dprintk("svc: %s(%p)\n", __func__, req);
+ 
+        /* Build the svc_rqst used by the common processing routine */
+-       rqstp->rq_xprt = serv->sv_bc_xprt;
+        rqstp->rq_xid = req->rq_xid;
+        rqstp->rq_prot = req->rq_xprt->prot;
+        rqstp->rq_server = serv;
++       rqstp->rq_bc_net = req->rq_xprt->xprt_net;
+ 
+        rqstp->rq_addrlen = sizeof(req->rq_xprt->addr);
+        memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index ea7b5a3a53f0..7e5f849b44cd 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -510,10 +510,11 @@ static struct svc_xprt *svc_xprt_dequeue(struct svc_pool *pool)
+  */
+ void svc_reserve(struct svc_rqst *rqstp, int space)
+ {
++       struct svc_xprt *xprt = rqstp->rq_xprt;
++
+        space += rqstp->rq_res.head[0].iov_len;
+ 
+-       if (space < rqstp->rq_reserved) {
+-               struct svc_xprt *xprt = rqstp->rq_xprt;
++       if (xprt && space < rqstp->rq_reserved) {
+                atomic_sub((rqstp->rq_reserved - space), &xprt->xpt_reserved);
+                rqstp->rq_reserved = space;
+ 
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index c83df30e9655..d6771f3b715b 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1207,7 +1207,7 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
+ /*
+  * Setup response header. TCP has a 4B record length field.
+  */
+-static void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
++void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
+ {
+        struct kvec *resv = &rqstp->rq_res.head[0];
+ 
+-- 
+2.19.2
+