Date: Thu, 05 Nov 2009 13:29:24 +0800 From: Eugene Teo <eugeneteo@...nel.sg> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org> Subject: CVE request: kernel: NULL pointer dereference in nfs4_proc_lock() Quote from upstream commit: "We just had a case in which a buggy server occasionally returns the wrong attributes during an OPEN call. While the client does catch this sort of condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a fallback to an ordinary lookup instead of just returning the error. When the buggy server then returns a regular file for the fallback lookup, the VFS allows the open, and bad things start to happen, since the open file doesn't have any associated NFSv4 state. The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and secondly to ensure that we are always careful when dereferencing the nfs_open_context state pointer." Upstream commit: http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4) Steps to reproduce the issue/backtraces: https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0 References: http://www.spinics.net/linux/lists/linux-nfs/msg03357.html https://bugzilla.redhat.com/show_bug.cgi?id=529227 Thanks, Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.