Date: Thu, 05 Nov 2009 13:29:24 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: NULL pointer dereference in nfs4_proc_lock()

Quote from upstream commit:
"We just had a case in which a buggy server occasionally returns the 
wrong attributes during an OPEN call. While the client does catch this 
sort of condition in nfs4_open_done(), and causes the nfs4_atomic_open() 
to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since it 
causes a fallback to an ordinary lookup instead of just returning the error.

When the buggy server then returns a regular file for the fallback 
lookup, the VFS allows the open, and bad things start to happen, since 
the open file doesn't have any associated NFSv4 state.

The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and 
secondly to ensure that we are always careful when dereferencing the 
nfs_open_context state pointer."

Upstream commit:
http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4)

Steps to reproduce the issue/backtraces:
https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0

References:
http://www.spinics.net/linux/lists/linux-nfs/msg03357.html
https://bugzilla.redhat.com/show_bug.cgi?id=529227

Thanks, Eugene

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ