From 0cfa86bc13729a11d1ab643b8b35f93299b19537 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Mon, 4 Feb 2019 14:35:01 +0100
Subject: sunrpc: CVE-2018-16884 sunrpc: use-after-free in svc_process_common()
References: https://nvd.nist.gov/vuln/detail/CVE-2018-16884
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=65dba32522065b79a16393efc75f8006c2c3dbb8
Change-Id: I440846fe5b7e8a67209bf02857ee2e7691bd4f06
Signed-off-by: Andreas Wellving
---
 patches/cve/4.14.x.scc | 2 +
 ...nrpc-use-after-free-in-svc_process_common.patch | 167 +++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index 36143b1..41bfe7a 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -19,3 +19,5 @@ patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
 patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
 CVEs fixed in 4.14.91:
 patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
+CVEs fixed in 4.14.94:
+patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
diff --git a/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch b/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
new file mode 100644
index 0000000..36878cb
--- /dev/null
+++ b/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
@@ -0,0 +1,167 @@
+From 65dba32522065b79a16393efc75f8006c2c3dbb8 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Mon, 24 Dec 2018 14:44:52 +0300
+Subject: [PATCH] sunrpc: use-after-free in svc_process_common()
+
+commit d4b09acf924b84bae77cad090a9d108e70b43643 upstream.
+
+if node have NFSv41+ mounts inside several net namespaces
+it can lead to use-after-free in svc_process_common()
+
+svc_process_common()
+ /* Setup reply header */
+ rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE
+
+svc_process_common() can use incorrect rqstp->rq_xprt,
+its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
+The problem is that serv is global structure but sv_bc_xprt
+is assigned per-netnamespace.
+
+According to Trond, the whole "let's set up rqstp->rq_xprt
+for the back channel" is nothing but a giant hack in order
+to work around the fact that svc_process_common() uses it
+to find the xpt_ops, and perform a couple of (meaningless
+for the back channel) tests of xpt_flags.
+
+All we really need in svc_process_common() is to be able to run
+rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()
+
+Bruce J Fields points that this xpo_prep_reply_hdr() call
+is an awfully roundabout way just to do "svc_putnl(resv, 0);"
+in the tcp case.
+
+This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
+now it calls svc_process_common() with rqstp->rq_xprt = NULL.
+
+To adjust reply header svc_process_common() just check
+rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.
+
+To handle rqstp->rq_xprt = NULL case in functions called from
+svc_process_common() patch intruduces net namespace pointer
+svc_rqst->rq_bc_net and adjust SVC_NET() definition.
+Some other function was also adopted to properly handle described case.
+
+CVE: CVE-2018-16884
+Upstream-Status: Backport
+
+Signed-off-by: Vasily Averin
+Cc: stable@vger.kernel.org
+Fixes: 23c20ecd4475 ("NFS: callback up - users counting cleanup")
+Signed-off-by: J. Bruce Fields
+v2: - added lost extern svc_tcp_prep_reply_hdr()
+ - dropped trace_svc_process() changes
+Signed-off-by: Vasily Averin
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Andreas Wellving
+---
+ include/linux/sunrpc/svc.h | 5 ++++-
+ net/sunrpc/svc.c | 11 +++++++----
+ net/sunrpc/svc_xprt.c | 5 +++--
+ net/sunrpc/svcsock.c | 2 +-
+ 4 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index 3b9f0d1dbb80..e1aa80c4d6db 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -292,9 +292,12 @@ struct svc_rqst {
+ struct svc_cacherep * rq_cacherep; /* cache info */
+ struct task_struct *rq_task; /* service thread */
+ spinlock_t rq_lock; /* per-request lock */
++ struct net *rq_bc_net; /* pointer to backchannel's
++ * net namespace
++ */
+ };
+ 
+-#define SVC_NET(svc_rqst) (svc_rqst->rq_xprt->xpt_net)
++#define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
+ 
+ /*
+ * Rigorous type checking on sockaddr type conversions
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index aa04666f929d..3a9a03717212 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1144,6 +1144,8 @@ void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...)
+ static __printf(2,3) void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...) {}
+ #endif
+ 
+extern void svc_tcp_prep_reply_hdr(struct svc_rqst *);
+
+ /*
+ * Common routine for processing the RPC request.
+ */
+@@ -1172,7 +1174,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ clear_bit(RQ_DROPME, &rqstp->rq_flags);
+ 
+ /* Setup reply header */
+- rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);
++ if (rqstp->rq_prot == IPPROTO_TCP)
++ svc_tcp_prep_reply_hdr(rqstp);
+ 
+ svc_putu32(resv, rqstp->rq_xid);
+ 
+@@ -1244,7 +1247,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ * for lower versions. RPC_PROG_MISMATCH seems to be the closest
+ * fit.
+ */
+- if (versp->vs_need_cong_ctrl &&
++ if (versp->vs_need_cong_ctrl && rqstp->rq_xprt &&
+ !test_bit(XPT_CONG_CTRL, &rqstp->rq_xprt->xpt_flags))
+ goto err_bad_vers;
+ 
+@@ -1335,7 +1338,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
+ return 0;
+ 
+ close:
+- if (test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
++ if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
+ svc_close_xprt(rqstp->rq_xprt);
+ dprintk("svc: svc_process close\n");
+ return 0;
+@@ -1462,10 +1465,10 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
+ dprintk("svc: %s(%p)\n", __func__, req);
+ 
+ /* Build the svc_rqst used by the common processing routine */
+- rqstp->rq_xprt = serv->sv_bc_xprt;
+ rqstp->rq_xid = req->rq_xid;
+ rqstp->rq_prot = req->rq_xprt->prot;
+ rqstp->rq_server = serv;
++ rqstp->rq_bc_net = req->rq_xprt->xprt_net;
+ 
+ rqstp->rq_addrlen = sizeof(req->rq_xprt->addr);
+ memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index ea7b5a3a53f0..7e5f849b44cd 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -510,10 +510,11 @@ static struct svc_xprt *svc_xprt_dequeue(struct svc_pool *pool)
+ */
+ void svc_reserve(struct svc_rqst *rqstp, int space)
+ {
++ struct svc_xprt *xprt = rqstp->rq_xprt;
++
+ space += rqstp->rq_res.head[0].iov_len;
+ 
+- if (space < rqstp->rq_reserved) {
+- struct svc_xprt *xprt = rqstp->rq_xprt;
++ if (xprt && space < rqstp->rq_reserved) {
+ atomic_sub((rqstp->rq_reserved - space), &xprt->xpt_reserved);
+ rqstp->rq_reserved = space;
+ 
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index c83df30e9655..d6771f3b715b 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1207,7 +1207,7 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
+ /*
+ * Setup response header. TCP has a 4B record length field.
+ */
+-static void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
++void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
+ {
+ struct kvec *resv = &rqstp->rq_res.head[0];
+ 
+-- 
+2.19.2
+
-- cgit v1.2.3-54-g00ecf
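Review bot: The new `rqstp->rq_xprt &&` guards in svc_process_common() and the `rq_prot == IPPROTO_TCP` test are only correct for the backchannel if rq_xprt really is NULL there, yet the bc_svc_process() hunk merely stops assigning serv->sv_bc_xprt; nothing in the patch clears the field, so the fix presumably relies on the svc_rqst having been zero-allocated and never touched by a forward-channel path (bc_svc_process() continues outside the hunk). I would make that contract explicit beside the rq_bc_net assignment: `rqstp->rq_xprt = NULL; /* backchannel: no svc_xprt, SVC_NET() falls back to rq_bc_net */`. Separately, the rewritten `SVC_NET()` evaluates its argument up to three times and does not parenthesize it; `((rqst)->rq_xprt ? (rqst)->rq_xprt->xpt_net : (rqst)->rq_bc_net)` is the safer macro form even if every current caller passes a plain pointer. Replacing the xpo_prep_reply_hdr dispatch with a protocol-number check also silently assumes TCP is the only transport whose hook does anything (the commit message implies as much), so a one-line comment at the call site would stop a future transport op from being skipped unnoticed. As this is a stable backport, any such change belongs upstream first so the .patch file can stay byte-identical for later rebases.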