Message ID | 1536951250-22907-2-git-send-email-tyhicks@canonical.com |
---|---|
State | New |
Headers | show |
Series | CVE-2017-18216 - DoS in ocfs2 | expand |
On 14.09.2018 20:54, Tyler Hicks wrote: > From: alex chen <alex.chen@huawei.com> > > The subsystem.su_mutex is required while accessing the item->ci_parent, > otherwise, NULL pointer dereference to the item->ci_parent will be > triggered in the following situation: > > add node delete node > sys_write > vfs_write > configfs_write_file > o2nm_node_store > o2nm_node_local_write > do_rmdir > vfs_rmdir > configfs_rmdir > mutex_lock(&subsys->su_mutex); > unlink_obj > item->ci_group = NULL; > item->ci_parent = NULL; > to_o2nm_cluster_from_node > node->nd_item.ci_parent->ci_parent > BUG since of NULL pointer dereference to nd_item.ci_parent > > Moreover, the o2nm_cluster also should be protected by the > subsystem.su_mutex. > > [alex.chen@huawei.com: v2] > Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com > Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com > Signed-off-by: Alex Chen <alex.chen@huawei.com> > Reviewed-by: Jun Piao <piaojun@huawei.com> > Reviewed-by: Joseph Qi <jiangqi903@gmail.com> > Cc: Mark Fasheh <mfasheh@versity.com> > Cc: Joel Becker <jlbec@evilplan.org> > Cc: Junxiao Bi <junxiao.bi@oracle.com> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > CVE-2017-18216 > > (backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------ > 1 file changed, 55 insertions(+), 8 deletions(-) > > diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c > index bb240647ca5f..c76302a51aed 100644 > --- a/fs/ocfs2/cluster/nodemanager.c > +++ b/fs/ocfs2/cluster/nodemanager.c > @@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = { > "panic", /* O2NM_FENCE_PANIC */ > }; > > +static inline void o2nm_lock_subsystem(void); > +static inline void o2nm_unlock_subsystem(void); > + > struct o2nm_node *o2nm_get_node_by_num(u8 node_num) > { > struct o2nm_node *node = NULL; > @@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node) > { > /* through the first node_set .parent > * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */ > - return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); > + if (node->nd_item.ci_parent) > + return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); > + else > + return NULL; > } > > enum { > @@ -195,7 +201,7 @@ enum { > static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > unsigned long tmp; > char *p = (char *)page; > > @@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) > return -EINVAL; /* XXX */ > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + o2nm_unlock_subsystem(); > + return -EINVAL; > + } > + > write_lock(&cluster->cl_nodes_lock); > if (cluster->cl_nodes[tmp]) > p = NULL; > @@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > set_bit(tmp, cluster->cl_nodes_bitmap); > } > write_unlock(&cluster->cl_nodes_lock); > + o2nm_unlock_subsystem(); > + > if (p == NULL) > return -EEXIST; > > @@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > int ret, i; > struct rb_node **p, *parent; > unsigned int octets[4]; > @@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > be32_add_cpu(&ipv4_addr, octets[i] << (i * 8)); > } > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + o2nm_unlock_subsystem(); > + return -EINVAL; > + } > + > ret = 0; > write_lock(&cluster->cl_nodes_lock); > if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent)) > @@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree); > } > write_unlock(&cluster->cl_nodes_lock); > + o2nm_unlock_subsystem(); > + > if (ret) > return ret; > > @@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page) > static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > unsigned long tmp; > char *p = (char *)page; > ssize_t ret; > @@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) > return -EINVAL; /* XXX */ > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + ret = -EINVAL; > + goto out; > + } > + > /* the only failure case is trying to set a new local node > * when a different one is already set */ > if (tmp && tmp == cluster->cl_has_local && > - cluster->cl_local_node != node->nd_num) > - return -EBUSY; > + cluster->cl_local_node != node->nd_num) { > + ret = -EBUSY; > + goto out; > + } > > /* bring up the rx thread if we're setting the new local node. */ > if (tmp && !cluster->cl_has_local) { > ret = o2net_start_listening(node); > if (ret) > - return ret; > + goto out; > } > > if (!tmp && cluster->cl_has_local && > @@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > cluster->cl_local_node = node->nd_num; > } > > - return count; > + ret = count; > + > +out: > + o2nm_unlock_subsystem(); > + return ret; > } > > struct o2nm_node_attribute { > @@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = { > }, > }; > > +static inline void o2nm_lock_subsystem(void) > +{ > + mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex); > +} > + > +static inline void o2nm_unlock_subsystem(void) > +{ > + mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex); > +} > + > int o2nm_depend_item(struct config_item *item) > { > return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item); >
On 09/14/18 20:54, Tyler Hicks wrote: > From: alex chen <alex.chen@huawei.com> > > The subsystem.su_mutex is required while accessing the item->ci_parent, > otherwise, NULL pointer dereference to the item->ci_parent will be > triggered in the following situation: > > add node delete node > sys_write > vfs_write > configfs_write_file > o2nm_node_store > o2nm_node_local_write > do_rmdir > vfs_rmdir > configfs_rmdir > mutex_lock(&subsys->su_mutex); > unlink_obj > item->ci_group = NULL; > item->ci_parent = NULL; > to_o2nm_cluster_from_node > node->nd_item.ci_parent->ci_parent > BUG since of NULL pointer dereference to nd_item.ci_parent > > Moreover, the o2nm_cluster also should be protected by the > subsystem.su_mutex. > > [alex.chen@huawei.com: v2] > Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com > Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com > Signed-off-by: Alex Chen <alex.chen@huawei.com> > Reviewed-by: Jun Piao <piaojun@huawei.com> > Reviewed-by: Joseph Qi <jiangqi903@gmail.com> > Cc: Mark Fasheh <mfasheh@versity.com> > Cc: Joel Becker <jlbec@evilplan.org> > Cc: Junxiao Bi <junxiao.bi@oracle.com> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > CVE-2017-18216 > > (backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------ > 1 file changed, 55 insertions(+), 8 deletions(-) > > diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c > index bb240647ca5f..c76302a51aed 100644 > --- a/fs/ocfs2/cluster/nodemanager.c > +++ b/fs/ocfs2/cluster/nodemanager.c > @@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = { > "panic", /* O2NM_FENCE_PANIC */ > }; > > +static inline void o2nm_lock_subsystem(void); > +static inline void o2nm_unlock_subsystem(void); > + > struct o2nm_node *o2nm_get_node_by_num(u8 node_num) > { > struct o2nm_node *node = NULL; > @@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node) > { > /* through the first node_set .parent > * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */ > - return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); > + if (node->nd_item.ci_parent) > + return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); > + else > + return NULL; > } > > enum { > @@ -195,7 +201,7 @@ enum { > static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > unsigned long tmp; > char *p = (char *)page; > > @@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) > return -EINVAL; /* XXX */ > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + o2nm_unlock_subsystem(); > + return -EINVAL; > + } > + > write_lock(&cluster->cl_nodes_lock); > if (cluster->cl_nodes[tmp]) > p = NULL; > @@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, > set_bit(tmp, cluster->cl_nodes_bitmap); > } > write_unlock(&cluster->cl_nodes_lock); > + o2nm_unlock_subsystem(); > + > if (p == NULL) > return -EEXIST; > > @@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > int ret, i; > struct rb_node **p, *parent; > unsigned int octets[4]; > @@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > be32_add_cpu(&ipv4_addr, octets[i] << (i * 8)); > } > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + o2nm_unlock_subsystem(); > + return -EINVAL; > + } > + > ret = 0; > write_lock(&cluster->cl_nodes_lock); > if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent)) > @@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, > rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree); > } > write_unlock(&cluster->cl_nodes_lock); > + o2nm_unlock_subsystem(); > + > if (ret) > return ret; > > @@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page) > static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > size_t count) > { > - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); > + struct o2nm_cluster *cluster; > unsigned long tmp; > char *p = (char *)page; > ssize_t ret; > @@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) > return -EINVAL; /* XXX */ > > + o2nm_lock_subsystem(); > + cluster = to_o2nm_cluster_from_node(node); > + if (!cluster) { > + ret = -EINVAL; > + goto out; > + } > + > /* the only failure case is trying to set a new local node > * when a different one is already set */ > if (tmp && tmp == cluster->cl_has_local && > - cluster->cl_local_node != node->nd_num) > - return -EBUSY; > + cluster->cl_local_node != node->nd_num) { > + ret = -EBUSY; > + goto out; > + } > > /* bring up the rx thread if we're setting the new local node. */ > if (tmp && !cluster->cl_has_local) { > ret = o2net_start_listening(node); > if (ret) > - return ret; > + goto out; > } > > if (!tmp && cluster->cl_has_local && > @@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, > cluster->cl_local_node = node->nd_num; > } > > - return count; > + ret = count; > + > +out: > + o2nm_unlock_subsystem(); > + return ret; > } > > struct o2nm_node_attribute { > @@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = { > }, > }; > > +static inline void o2nm_lock_subsystem(void) > +{ > + mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex); > +} > + > +static inline void o2nm_unlock_subsystem(void) > +{ > + mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex); > +} > + > int o2nm_depend_item(struct config_item *item) > { > return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item); >
diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c index bb240647ca5f..c76302a51aed 100644 --- a/fs/ocfs2/cluster/nodemanager.c +++ b/fs/ocfs2/cluster/nodemanager.c @@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = { "panic", /* O2NM_FENCE_PANIC */ }; +static inline void o2nm_lock_subsystem(void); +static inline void o2nm_unlock_subsystem(void); + struct o2nm_node *o2nm_get_node_by_num(u8 node_num) { struct o2nm_node *node = NULL; @@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node) { /* through the first node_set .parent * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */ - return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); + if (node->nd_item.ci_parent) + return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); + else + return NULL; } enum { @@ -195,7 +201,7 @@ enum { static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, size_t count) { - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); + struct o2nm_cluster *cluster; unsigned long tmp; char *p = (char *)page; @@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) return -EINVAL; /* XXX */ + o2nm_lock_subsystem(); + cluster = to_o2nm_cluster_from_node(node); + if (!cluster) { + o2nm_unlock_subsystem(); + return -EINVAL; + } + write_lock(&cluster->cl_nodes_lock); if (cluster->cl_nodes[tmp]) p = NULL; @@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page, set_bit(tmp, cluster->cl_nodes_bitmap); } write_unlock(&cluster->cl_nodes_lock); + o2nm_unlock_subsystem(); + if (p == NULL) return -EEXIST; @@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, const char *page, size_t count) { - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); + struct o2nm_cluster *cluster; int ret, i; struct rb_node **p, *parent; unsigned int octets[4]; @@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, be32_add_cpu(&ipv4_addr, octets[i] << (i * 8)); } + o2nm_lock_subsystem(); + cluster = to_o2nm_cluster_from_node(node); + if (!cluster) { + o2nm_unlock_subsystem(); + return -EINVAL; + } + ret = 0; write_lock(&cluster->cl_nodes_lock); if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent)) @@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node, rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree); } write_unlock(&cluster->cl_nodes_lock); + o2nm_unlock_subsystem(); + if (ret) return ret; @@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page) static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, size_t count) { - struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); + struct o2nm_cluster *cluster; unsigned long tmp; char *p = (char *)page; ssize_t ret; @@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) return -EINVAL; /* XXX */ + o2nm_lock_subsystem(); + cluster = to_o2nm_cluster_from_node(node); + if (!cluster) { + ret = -EINVAL; + goto out; + } + /* the only failure case is trying to set a new local node * when a different one is already set */ if (tmp && tmp == cluster->cl_has_local && - cluster->cl_local_node != node->nd_num) - return -EBUSY; + cluster->cl_local_node != node->nd_num) { + ret = -EBUSY; + goto out; + } /* bring up the rx thread if we're setting the new local node. */ if (tmp && !cluster->cl_has_local) { ret = o2net_start_listening(node); if (ret) - return ret; + goto out; } if (!tmp && cluster->cl_has_local && @@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page, cluster->cl_local_node = node->nd_num; } - return count; + ret = count; + +out: + o2nm_unlock_subsystem(); + return ret; } struct o2nm_node_attribute { @@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = { }, }; +static inline void o2nm_lock_subsystem(void) +{ + mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex); +} + +static inline void o2nm_unlock_subsystem(void) +{ + mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex); +} + int o2nm_depend_item(struct config_item *item) { return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);