aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTrond Myklebust <Trond.Myklebust@netapp.com>2006-03-14 00:20:46 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-14 10:57:17 -0500
commit143f412eb4c7cc48b9eb4381f9133b7d36c68075 (patch)
tree383c140bf7879c77781d4aa113e517a92f16991d
parentf9a3879abf2f1a27c39915e6074b8ff15a24cb55 (diff)
[PATCH] NFS: Fix a potential panic in O_DIRECT
Based on an original patch by Mike O'Connor and Greg Banks of SGI. Mike states: A normal user can panic an NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT. Any O_DIRECT write to an NFS file where the user buffer starts with a valid mapped page and contains an unmapped page, will crash in this way. I haven't followed the code, but O_DIRECT reads with similar user buffers will probably also crash albeit in different ways. Details: when nfs_get_user_pages() calls get_user_pages(), it detects and correctly handles get_user_pages() returning an error, which happens if the first page covered by the user buffer's address range is unmapped. However, if the first page is mapped but some subsequent page isn't, get_user_pages() will return a positive number which is less than the number of pages requested (this behaviour is sort of analagous to a short write() call and appears to be intentional). nfs_get_user_pages() doesn't detect this and hands off the array of pages (whose last few elements are random rubbish from the newly allocated array memory) to it's caller, whence they go to nfs_direct_write_seg(), which then totally ignores the nr_pages it's given, and calculates its own idea of how many pages are in the array from the user buffer length. Needless to say, when it comes to transmit those uninitialised page* pointers, we see a crash in the network stack. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--fs/nfs/direct.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
index 04ab2fc360e..4e9b3a1b36c 100644
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -57,6 +57,7 @@
57#define NFSDBG_FACILITY NFSDBG_VFS 57#define NFSDBG_FACILITY NFSDBG_VFS
58#define MAX_DIRECTIO_SIZE (4096UL << PAGE_SHIFT) 58#define MAX_DIRECTIO_SIZE (4096UL << PAGE_SHIFT)
59 59
60static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);
60static kmem_cache_t *nfs_direct_cachep; 61static kmem_cache_t *nfs_direct_cachep;
61 62
62/* 63/*
@@ -107,6 +108,15 @@ nfs_get_user_pages(int rw, unsigned long user_addr, size_t size,
107 page_count, (rw == READ), 0, 108 page_count, (rw == READ), 0,
108 *pages, NULL); 109 *pages, NULL);
109 up_read(&current->mm->mmap_sem); 110 up_read(&current->mm->mmap_sem);
111 /*
112 * If we got fewer pages than expected from get_user_pages(),
113 * the user buffer runs off the end of a mapping; return EFAULT.
114 */
115 if (result >= 0 && result < page_count) {
116 nfs_free_user_pages(*pages, result, 0);
117 *pages = NULL;
118 result = -EFAULT;
119 }
110 } 120 }
111 return result; 121 return result;
112} 122}