Message ID | d93ed8c0-0f17-4671-a852-8cea6330f5ba@redhat.com (mailing list archive)
---|---
State | New, archived
Series | [nfs-utils] statd: fix use-after-free in monitor list if insertion fails
> On Sep 1, 2018, at 2:07 AM, Frank Sorenson <sorenson@redhat.com> wrote: > > If nsm_insert_monitored_host() fails while saving the record to > stable storage, we can't just assume the entry was new. Existing > records must be removed from the list before being freed. > > Signed-off-by: Frank Sorenson <sorenson@redhat.com> Reviewed-by: Chuck Lever <chuck.lever@oracle.com> > diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c > index 45c4346..9400048 100644 > --- a/utils/statd/monitor.c > +++ b/utils/statd/monitor.c > @@ -197,7 +197,7 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) > > if (!nsm_insert_monitored_host(dnsname, > (struct sockaddr *)(char *)&my_addr, argp)) { > - nlist_free(NULL, clnt); > + nlist_free(existing ? &rtnl : NULL, clnt); > goto failure; > } > -- Chuck Lever
On 09/01/2018 02:07 AM, Frank Sorenson wrote: > If nsm_insert_monitored_host() fails while saving the record to > stable storage, we can't just assume the entry was new. Existing > records must be removed from the list before being freed. > > Signed-off-by: Frank Sorenson <sorenson@redhat.com> Committed.... steved. > > diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c > index 45c4346..9400048 100644 > --- a/utils/statd/monitor.c > +++ b/utils/statd/monitor.c > @@ -197,7 +197,7 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) > > if (!nsm_insert_monitored_host(dnsname, > (struct sockaddr *)(char *)&my_addr, argp)) { > - nlist_free(NULL, clnt); > + nlist_free(existing ? &rtnl : NULL, clnt); > goto failure; > } > >
diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c index 45c4346..9400048 100644 --- a/utils/statd/monitor.c +++ b/utils/statd/monitor.c @@ -197,7 +197,7 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) if (!nsm_insert_monitored_host(dnsname, (struct sockaddr *)(char *)&my_addr, argp)) { - nlist_free(NULL, clnt); + nlist_free(existing ? &rtnl : NULL, clnt); goto failure; }
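Review bot: `nlist_free(existing ? &rtnl : NULL, clnt)` unlinks `clnt` from `rtnl` only when `existing` is set, so the fix relies on the invariant that a non-NULL `existing` always means `clnt` is the record already linked on `rtnl`; the seven lines of context do not show where `existing` and `clnt` are assigned, so a short comment above the call (e.g. `/* an existing entry is still linked on rtnl; unlink it before freeing */`) would make that invariant visible at the free site, where the original bug was introduced.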
If nsm_insert_monitored_host() fails while saving the record to stable storage, we can't just assume the entry was new. Existing records must be removed from the list before being freed.

Signed-off-by: Frank Sorenson <sorenson@redhat.com>