From patchwork Wed Oct 30 03:50:06 2019
X-Patchwork-Submitter: Matthew Ruffell
X-Patchwork-Id: 1186482
From: Matthew Ruffell
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Disco][PATCH 2/2] SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS credential
Date: Wed, 30 Oct 2019 16:50:06 +1300
Message-Id: <20191030035006.31696-3-matthew.ruffell@canonical.com>
In-Reply-To: <20191030035006.31696-1-matthew.ruffell@canonical.com>
References: <20191030035006.31696-1-matthew.ruffell@canonical.com>
List-Id: Kernel team discussions

From: Trond Myklebust

BugLink: https://bugs.launchpad.net/bugs/1842037

The addition of rpc_check_timeout() to call_decode causes an Oops when the RPCSEC_GSS credential is rejected. The reason is that rpc_decode_header() will call xprt_release() in order to free task->tk_rqstp, which is needed by rpc_check_timeout() to check whether or not we should exit due to a soft timeout.

The fix is to move the call to xprt_release() into call_decode() so we can perform it after rpc_check_timeout().

Reported-by: Olga Kornievskaia
Reported-by: Nick Bowler
Fixes: cea57789e408 ("SUNRPC: Clean up")
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Trond Myklebust
Signed-off-by: Anna Schumaker
(backported from commit 7987b694ade8cc465ce10fb3dceaa614f13ceaf3)
[mruffell: rewrite goto error handling, medium context adjustments]
Signed-off-by: Matthew Ruffell
--- net/sunrpc/clnt.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index f9568b0dc63e..5ea3c62fff9f 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c @@ -2303,6 +2303,8 @@ call_decode(struct rpc_task *task) if (IS_ERR(p)) { if (p == ERR_PTR(-EAGAIN)) goto out_retry; + if (p == ERR_PTR(-EKEYREJECTED)) + goto out_key_rejected; return; } task->tk_action = rpc_exit_task; 
@@ -2315,17 +2317,21 @@ call_decode(struct rpc_task *task) return; out_retry: task->tk_status = 0; - /* Note: rpc_verify_header() may have freed the RPC slot */ - if (task->tk_rqstp == req) { - xdr_free_bvec(&req->rq_rcv_buf); - req->rq_reply_bytes_recvd = 0; - req->rq_rcv_buf.len = 0; - if (task->tk_client->cl_discrtry) - xprt_conditional_disconnect(req->rq_xprt, - req->rq_connect_cookie); - } + xdr_free_bvec(&req->rq_rcv_buf); + req->rq_reply_bytes_recvd = 0; + req->rq_rcv_buf.len = 0; + if (task->tk_client->cl_discrtry) + xprt_conditional_disconnect(req->rq_xprt, + req->rq_connect_cookie); task->tk_action = call_encode; rpc_check_timeout(task); + return; +out_key_rejected: + task->tk_action = call_reserve; + rpc_check_timeout(task); + rpcauth_invalcred(task); + /* Ensure we obtain a new XID if we retry! */ + xprt_release(task); } static __be32 * @@ -2413,11 +2419,7 @@ rpc_verify_header(struct rpc_task *task) task->tk_cred_retry--; dprintk("RPC: %5u %s: retry stale creds\n", task->tk_pid, __func__); - rpcauth_invalcred(task); - /* Ensure we obtain a new XID! */ - xprt_release(task); - task->tk_action = call_reserve; - goto out_retry; + return ERR_PTR(-EKEYREJECTED); case RPC_AUTH_BADCRED: case RPC_AUTH_BADVERF: /* possibly garbled cred/verf? */
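Review bot: the new `if (p == ERR_PTR(-EKEYREJECTED))` test in the first hunk of call_decode() carries an obligation the neighbouring -EAGAIN test does not, namely that the slot is still attached and the caller must release it after the timeout check, yet nothing at the check says so; a short comment next to `goto out_key_rejected;` (for example `/* stale creds: slot still held, released after the timeout check */`) would stop a later reader from folding this branch into out_retry.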
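Review bot: in the out_key_rejected block of the second hunk, the order `rpc_check_timeout(task);` before `xprt_release(task);` is the whole fix, since rpc_check_timeout() reads task->tk_rqstp and xprt_release() frees it, but the only comment in the block explains the XID; put the lifetime reason on the rpc_check_timeout() call itself so the two lines are not swapped in a future cleanup. Two smaller points on the same hunk: dropping the `if (task->tk_rqstp == req)` guard in out_retry is correct only if the stale-credential case was the sole path on which rpc_verify_header() released the slot, and the backport note should say that this was checked; and out_key_rejected does not zero task->tk_status the way out_retry does, so if that is deliberate because call_reserve resets it, say so in a comment rather than leave the asymmetry unexplained.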
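Review bot: the backport annotation `[mruffell: rewrite goto error handling, medium context adjustments]` should also record that the function changed in the third hunk is rpc_verify_header(), while the upstream commit message above refers to rpc_decode_header(); otherwise someone reading the Disco tree against the message cannot find the function it names. It is also worth a sentence that this hunk changes behaviour beyond the crash: before the patch the removed `task->tk_action = call_reserve;` was followed by `goto out_retry`, which (as the -EAGAIN check in the first hunk shows) ends in call_decode()'s out_retry, whose unchanged `task->tk_action = call_encode;` overwrote it, so the stale-credential retry skipped slot reservation; with the `return ERR_PTR(-EKEYREJECTED);` the call_reserve choice now survives.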
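The ordering problem the commit message describes, as an added model that is not code from net/sunrpc/clnt.c or from this patch. Function and field names mirror the kernel's (xprt_release, rpcauth_invalcred, rpc_check_timeout, tk_rqstp, tk_cred_retry), but the struct layouts, the enum values, the `fixed` switch that selects the pre-patch or post-patch behaviour, and `run_decode()` are assumptions chosen only to reproduce the state machine. Rather than dereference freed memory, the model's xprt_release() clears tk_rqstp and rpc_check_timeout() records the NULL dereference as `tk_oops`; it also goes slightly beyond the patch by covering the soft-timeout exit inside rpc_check_timeout() and the exhausted-retry path, so a reader can see that the slot is released on every post-patch path without being touched afterwards.

```c
#include <stdlib.h>
#include <string.h>

#define EIO            5
#define EAGAIN        11
#define ETIMEDOUT    110
#define EKEYREJECTED 129

enum auth_stat { RPC_AUTH_OK = 0, RPCSEC_GSS_CREDPROBLEM = 13 };
/* Stand-ins for the tk_action function pointers of the real state machine. */
enum next_action { ACT_NONE, ACT_EXIT_TASK, ACT_CALL_ENCODE, ACT_CALL_RESERVE };

struct rpc_rqst {
	int rq_majortimeo;          /* what rpc_check_timeout() needs to read */
};

struct rpc_task {
	struct rpc_rqst *tk_rqstp;  /* transport slot; NULL once released */
	int tk_cred_retry;          /* retries left for a rejected credential */
	int tk_cred_valid;          /* stand-in for the cached GSS credential */
	int tk_soft;                /* RPC_IS_SOFT(): give up on a major timeout */
	int tk_status;
	enum next_action tk_action;
	int tk_released;            /* model-only: xprt_release() ran */
	int tk_oops;                /* model-only: slot touched after release */
};

static void xprt_release(struct rpc_task *task)
{
	free(task->tk_rqstp);
	task->tk_rqstp = NULL;
	task->tk_released = 1;
}

static void rpcauth_invalcred(struct rpc_task *task) { task->tk_cred_valid = 0; }

/* Must see a live slot; a NULL tk_rqstp here is the Oops the patch fixes. */
static void rpc_check_timeout(struct rpc_task *task)
{
	if (!task->tk_rqstp) { task->tk_oops = 1; return; }
	if (task->tk_rqstp->rq_majortimeo > 0)
		return;
	if (task->tk_soft) {        /* soft task: fail instead of retrying */
		task->tk_status = -ETIMEDOUT;
		task->tk_action = ACT_EXIT_TASK;
	}
}

/* Stale-credential handling as it was (fixed == 0) and as patched (fixed == 1). */
static int rpc_verify_header(struct rpc_task *task, enum auth_stat st, int fixed)
{
	if (st != RPCSEC_GSS_CREDPROBLEM) return 0;
	if (!task->tk_cred_retry) return -EIO;   /* retries exhausted */
	task->tk_cred_retry--;
	if (fixed)
		return -EKEYREJECTED;   /* report only; call_decode() owns cleanup */
	rpcauth_invalcred(task);        /* old code released the slot right here */
	xprt_release(task);
	task->tk_action = ACT_CALL_RESERVE;
	return -EAGAIN;
}

static void call_decode(struct rpc_task *task, enum auth_stat st, int fixed)
{
	switch (rpc_verify_header(task, st, fixed)) {
	case 0:
		task->tk_action = ACT_EXIT_TASK;
		return;
	case -EAGAIN:               /* out_retry */
		task->tk_status = 0;
		task->tk_action = ACT_CALL_ENCODE;  /* clobbers the old call_reserve */
		rpc_check_timeout(task);    /* old code: tk_rqstp is already NULL */
		return;
	case -EKEYREJECTED:         /* out_key_rejected, reachable only when fixed */
		task->tk_action = ACT_CALL_RESERVE;
		rpc_check_timeout(task);    /* while tk_rqstp is still valid */
		rpcauth_invalcred(task);
		xprt_release(task);         /* the retry gets a fresh XID */
		return;
	default:                    /* rpc_exit(task, -EIO) */
		task->tk_status = -EIO;
		task->tk_action = ACT_EXIT_TASK;
	}
}

/* Decode one reply on a fresh task and return the resulting task state. */
struct rpc_task run_decode(int fixed, enum auth_stat st, int majortimeo,
			   int soft, int cred_retry)
{
	struct rpc_task task;
	memset(&task, 0, sizeof(task));
	task.tk_rqstp = calloc(1, sizeof(*task.tk_rqstp));
	task.tk_rqstp->rq_majortimeo = majortimeo;
	task.tk_cred_retry = cred_retry;
	task.tk_cred_valid = 1;
	task.tk_soft = soft;
	call_decode(&task, st, fixed);
	free(task.tk_rqstp);        /* harness cleanup; tk_released keeps its value */
	task.tk_rqstp = NULL;
	return task;
}
```

Reading the result: `run_decode(0, RPCSEC_GSS_CREDPROBLEM, 5, 0, 2)` reproduces the reported crash as `tk_oops == 1`, because the pre-patch verifier has already released the slot when call_decode()'s retry path reaches rpc_check_timeout(); the same call with `fixed == 1` leaves `tk_oops == 0`, ends in ACT_CALL_RESERVE with the credential invalidated and the slot released, and with `majortimeo == 0` and `soft == 1` shows rpc_check_timeout() turning the retry into an -ETIMEDOUT exit while the slot is still released afterwards without being touched.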