[PATCH 0/1][T] CVE-2017-18216 - DoS in ocfs2

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH 0/1][T] CVE-2017-18216 - DoS in ocfs2

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18216.html

 In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local
 users can cause a denial of service (NULL pointer dereference and BUG)
 because a required mutex is not used.

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent

Tyler Hicks-2
From: alex chen <[hidden email]>

The subsystem.su_mutex is required while accessing the item->ci_parent,
otherwise, NULL pointer dereference to the item->ci_parent will be
triggered in the following situation:

add node                     delete node
sys_write
 vfs_write
  configfs_write_file
   o2nm_node_store
    o2nm_node_local_write
                             do_rmdir
                              vfs_rmdir
                               configfs_rmdir
                                mutex_lock(&subsys->su_mutex);
                                unlink_obj
                                 item->ci_group = NULL;
                                 item->ci_parent = NULL;
         to_o2nm_cluster_from_node
          node->nd_item.ci_parent->ci_parent
          BUG since of NULL pointer dereference to nd_item.ci_parent

Moreover, the o2nm_cluster also should be protected by the
subsystem.su_mutex.

[[hidden email]: v2]
  Link: http://lkml.kernel.org/r/59EEAA69.9080703@...
Link: http://lkml.kernel.org/r/59E9B36A.10700@...
Signed-off-by: Alex Chen <[hidden email]>
Reviewed-by: Jun Piao <[hidden email]>
Reviewed-by: Joseph Qi <[hidden email]>
Cc: Mark Fasheh <[hidden email]>
Cc: Joel Becker <[hidden email]>
Cc: Junxiao Bi <[hidden email]>
Signed-off-by: Andrew Morton <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>

CVE-2017-18216

(backported from commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 55 insertions(+), 8 deletions(-)

diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
index bb240647ca5f..c76302a51aed 100644
--- a/fs/ocfs2/cluster/nodemanager.c
+++ b/fs/ocfs2/cluster/nodemanager.c
@@ -41,6 +41,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
  "panic", /* O2NM_FENCE_PANIC */
 };
 
+static inline void o2nm_lock_subsystem(void);
+static inline void o2nm_unlock_subsystem(void);
+
 struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
 {
  struct o2nm_node *node = NULL;
@@ -182,7 +185,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
 {
  /* through the first node_set .parent
  * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
- return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ if (node->nd_item.ci_parent)
+ return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+ else
+ return NULL;
 }
 
 enum {
@@ -195,7 +201,7 @@ enum {
 static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
    size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  unsigned long tmp;
  char *p = (char *)page;
 
@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
     !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
  return -EINVAL; /* XXX */
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
  write_lock(&cluster->cl_nodes_lock);
  if (cluster->cl_nodes[tmp])
  p = NULL;
@@ -223,6 +236,8 @@ static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
  set_bit(tmp, cluster->cl_nodes_bitmap);
  }
  write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
  if (p == NULL)
  return -EEXIST;
 
@@ -262,7 +277,7 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
     const char *page,
     size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  int ret, i;
  struct rb_node **p, *parent;
  unsigned int octets[4];
@@ -279,6 +294,13 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
  be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
  }
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ o2nm_unlock_subsystem();
+ return -EINVAL;
+ }
+
  ret = 0;
  write_lock(&cluster->cl_nodes_lock);
  if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -288,6 +310,8 @@ static ssize_t o2nm_node_ipv4_address_write(struct o2nm_node *node,
  rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
  }
  write_unlock(&cluster->cl_nodes_lock);
+ o2nm_unlock_subsystem();
+
  if (ret)
  return ret;
 
@@ -304,7 +328,7 @@ static ssize_t o2nm_node_local_read(struct o2nm_node *node, char *page)
 static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
      size_t count)
 {
- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+ struct o2nm_cluster *cluster;
  unsigned long tmp;
  char *p = (char *)page;
  ssize_t ret;
@@ -322,17 +346,26 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
     !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
  return -EINVAL; /* XXX */
 
+ o2nm_lock_subsystem();
+ cluster = to_o2nm_cluster_from_node(node);
+ if (!cluster) {
+ ret = -EINVAL;
+ goto out;
+ }
+
  /* the only failure case is trying to set a new local node
  * when a different one is already set */
  if (tmp && tmp == cluster->cl_has_local &&
-    cluster->cl_local_node != node->nd_num)
- return -EBUSY;
+    cluster->cl_local_node != node->nd_num) {
+ ret = -EBUSY;
+ goto out;
+ }
 
  /* bring up the rx thread if we're setting the new local node. */
  if (tmp && !cluster->cl_has_local) {
  ret = o2net_start_listening(node);
  if (ret)
- return ret;
+ goto out;
  }
 
  if (!tmp && cluster->cl_has_local &&
@@ -347,7 +380,11 @@ static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
  cluster->cl_local_node = node->nd_num;
  }
 
- return count;
+ ret = count;
+
+out:
+ o2nm_unlock_subsystem();
+ return ret;
 }
 
 struct o2nm_node_attribute {
@@ -890,6 +927,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
  },
 };
 
+static inline void o2nm_lock_subsystem(void)
+{
+ mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
+static inline void o2nm_unlock_subsystem(void)
+{
+ mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
 int o2nm_depend_item(struct config_item *item)
 {
  return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team