Revision - e6838a2 - nfsd: check for oversized NFSv2/v3 arguments

Revision e6838a29ecb484c97e4efef9429643b9851fba6e authored by J. Bruce Fields on 21 April 2017, 20:10:18 UTC, committed by J. Bruce Fields on 25 April 2017, 20:34:37 UTC

nfsd: check for oversized NFSv2/v3 arguments

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

1 parent 5a7ad11

Files
Changes

Permalinks

check_extable.sh

#! /bin/bash
# (c) 2015, Quentin Casasnovas <quentin.casasnovas@oracle.com>

obj=$1

file ${obj} | grep -q ELF || (echo "${obj} is not and ELF file." 1>&2 ; exit 0)

# Bail out early if there isn't an __ex_table section in this object file.
objdump -hj __ex_table ${obj} 2> /dev/null > /dev/null
[ $? -ne 0 ] && exit 0

white_list=.text,.fixup

suspicious_relocs=$(objdump -rj __ex_table ${obj}  | tail -n +6 |
			grep -v $(eval echo -e{${white_list}}) | awk '{print $3}')

# No suspicious relocs in __ex_table, jobs a good'un
[ -z "${suspicious_relocs}" ] && exit 0


# After this point, something is seriously wrong since we just found out we
# have some relocations in __ex_table which point to sections which aren't
# white listed.  If you're adding a new section in the Linux kernel, and
# you're expecting this section to contain code which can fault (i.e. the
# __ex_table relocation to your new section is expected), simply add your
# new section to the white_list variable above.  If not, you're probably
# doing something wrong and the rest of this code is just trying to print
# you more information about it.

function find_section_offset_from_symbol()
{
    eval $(objdump -t ${obj} | grep ${1} | sed 's/\([0-9a-f]\+\) .\{7\} \([^ \t]\+\).*/section="\2"; section_offset="0x\1" /')

    # addr2line takes addresses in hexadecimal...
    section_offset=$(printf "0x%016x" $(( ${section_offset} + $2 )) )
}

function find_symbol_and_offset_from_reloc()
{
    # Extract symbol and offset from the objdump output
    eval $(echo $reloc | sed 's/\([^+]\+\)+\?\(0x[0-9a-f]\+\)\?/symbol="\1"; symbol_offset="\2"/')

    # When the relocation points to the begining of a symbol or section, it
    # won't print the offset since it is zero.
    if [ -z "${symbol_offset}" ]; then
	symbol_offset=0x0
    fi
}

function find_alt_replacement_target()
{
    # The target of the .altinstr_replacement is the relocation just before
    # the .altinstr_replacement one.
    eval $(objdump -rj .altinstructions ${obj} | grep -B1 "${section}+${section_offset}" | head -n1 | awk '{print $3}' |
	   sed 's/\([^+]\+\)+\(0x[0-9a-f]\+\)/alt_target_section="\1"; alt_target_offset="\2"/')
}

function handle_alt_replacement_reloc()
{
    # This will define alt_target_section and alt_target_section_offset
    find_alt_replacement_target ${section} ${section_offset}

    echo "Error: found a reference to .altinstr_replacement in __ex_table:"
    addr2line -fip -j ${alt_target_section} -e ${obj} ${alt_target_offset} | awk '{print "\t" $0}'

    error=true
}

function is_executable_section()
{
    objdump -hwj ${section} ${obj} | grep -q CODE
    return $?
}

function handle_suspicious_generic_reloc()
{
    if is_executable_section ${section}; then
	# We've got a relocation to a non white listed _executable_
	# section, print a warning so the developper adds the section to
	# the white list or fix his code.  We try to pretty-print the file
	# and line number where that relocation was added.
	echo "Warning: found a reference to section \"${section}\" in __ex_table:"
	addr2line -fip -j ${section} -e ${obj} ${section_offset} | awk '{print "\t" $0}'
    else
	# Something is definitively wrong here since we've got a relocation
	# to a non-executable section, there's no way this would ever be
	# running in the kernel.
	echo "Error: found a reference to non-executable section \"${section}\" in __ex_table at offset ${section_offset}"
	error=true
    fi
}

function handle_suspicious_reloc()
{
    case "${section}" in
	".altinstr_replacement")
	    handle_alt_replacement_reloc ${section} ${section_offset}
	    ;;
	*)
	    handle_suspicious_generic_reloc ${section} ${section_offset}
	    ;;
    esac
}

function diagnose()
{

    for reloc in ${suspicious_relocs}; do
	# Let's find out where the target of the relocation in __ex_table
	# is, this will define ${symbol} and ${symbol_offset}
	find_symbol_and_offset_from_reloc ${reloc}

	# When there's a global symbol at the place of the relocation,
	# objdump will use it instead of giving us a section+offset, so
	# let's find out which section is this symbol in and the total
	# offset withing that section.
	find_section_offset_from_symbol ${symbol} ${symbol_offset}

	# In this case objdump was presenting us with a reloc to a symbol
	# rather than a section. Now that we've got the actual section,
	# we can skip it if it's in the white_list.
	if [ -z "$( echo $section | grep -v $(eval echo -e{${white_list}}))" ]; then
	    continue;
	fi

	# Will either print a warning if the relocation happens to be in a
	# section we do not know but has executable bit set, or error out.
	handle_suspicious_reloc
    done
}

function check_debug_info() {
    objdump -hj .debug_info ${obj} 2> /dev/null > /dev/null ||
	echo -e "${obj} does not contain debug information, the addr2line output will be limited.\n" \
	     "Recompile ${obj} with CONFIG_DEBUG_INFO to get a more useful output."
}

check_debug_info

diagnose

if [ "${error}" ]; then
    exit 1
fi

exit 0

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...