| From: Dave Wysochanski <dwysocha@redhat.com> |
| Date: Tue, 29 May 2018 17:47:30 -0400 |
| Subject: NFSv4: Fix possible 1-byte stack overflow in |
| nfs_idmap_read_and_verify_message |
| |
| commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream. |
| |
| In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d' |
| that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which |
| is a stack char array variable of length NFS_UINT_MAXLEN == 11. |
| If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion |
| overflows into a negative value, for example: |
| crash> p (unsigned) (0x80000000) |
| $1 = 2147483648 |
| crash> p (signed) (0x80000000) |
| $2 = -2147483648 |
| The '-' sign is written to the buffer and this causes a 1 byte overflow |
| when the NULL byte is written, which corrupts kernel stack memory. If |
| CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic: |
| |
| [11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c |
| [11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G W ------------ T 3.10.0-514.el7.x86_64 #1 |
| [11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014 |
| [11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac |
| [11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8 |
| [11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c |
| [11558053.650107] Call Trace: |
| [11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b |
| [11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2 |
| [11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140 |
| [11558053.682589] [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] |
| [11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30 |
| [11558053.691619] [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4] |
| [11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc] |
| [11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0 |
| [11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0 |
| [11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0 |
| [11558053.709674] [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b |
| |
| Fix this by calling the internally defined nfs_map_numeric_to_string() |
| function which properly uses '%u' to convert this __u32. For consistency, |
| also replace the one other place where snprintf is called. |
| |
| Signed-off-by: Dave Wysochanski <dwysocha@redhat.com> |
| Reported-by: Stephen Johnston <sjohnsto@redhat.com> |
| Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper") |
| Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> |
| [bwh: Backported to 3.16: adjust filename] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/nfs/idmap.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/fs/nfs/idmap.c |
| +++ b/fs/nfs/idmap.c |
| @@ -339,7 +339,7 @@ static ssize_t nfs_idmap_lookup_name(__u |
| int id_len; |
| ssize_t ret; |
| |
| - id_len = snprintf(id_str, sizeof(id_str), "%u", id); |
| + id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str)); |
| ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap); |
| if (ret < 0) |
| return -EINVAL; |
| @@ -636,7 +636,8 @@ static int nfs_idmap_read_and_verify_mes |
| if (strcmp(upcall->im_name, im->im_name) != 0) |
| break; |
| /* Note: here we store the NUL terminator too */ |
| - len = sprintf(id_str, "%d", im->im_id) + 1; |
| + len = 1 + nfs_map_numeric_to_string(im->im_id, id_str, |
| + sizeof(id_str)); |
| ret = nfs_idmap_instantiate(key, authkey, id_str, len); |
| break; |
| case IDMAP_CONV_IDTONAME: |