|
Message-ID: <90626448.919981257441819306.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Date: Thu, 5 Nov 2009 12:23:39 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: NULL pointer dereference in nfs4_proc_lock() Please use CVE-2009-3726 Thanks. -- JB ----- "Eugene Teo" <eugeneteo@...nel.sg> wrote: > Quote from upstream commit: > "We just had a case in which a buggy server occasionally returns the > wrong attributes during an OPEN call. While the client does catch this > > sort of condition in nfs4_open_done(), and causes the > nfs4_atomic_open() > to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since > it > causes a fallback to an ordinary lookup instead of just returning the > error. > > When the buggy server then returns a regular file for the fallback > lookup, the VFS allows the open, and bad things start to happen, since > > the open file doesn't have any associated NFSv4 state. > > The fix is firstly to return the EISDIR/ENOTDIR errors immediately, > and > secondly to ensure that we are always careful when dereferencing the > nfs_open_context state pointer." > > Upstream commit: > http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4) > > Steps to reproduce the issue/backtraces: > https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0 > > References: > http://www.spinics.net/linux/lists/linux-nfs/msg03357.html > https://bugzilla.redhat.com/show_bug.cgi?id=529227 > > Thanks, Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.