From 912c6e22cf82aa5bb63e5f27a3a39490e758f7ab Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Thu, 6 Jan 2022 18:24:02 -0500
Subject: [PATCH] NFSv4: Handle case where the lookup of a directory fails
If the application sets the O_DIRECTORY flag, and tries to open a
regular file, nfs_atomic_open() will punt to doing a regular lookup.
If the server then returns a regular file, we will happily return a
file descriptor with uninitialised open state.
The fix is to return the expected ENOTDIR error in these cases.
Reported-by: Lyu Tao <tao.lyu@epfl.ch>
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[Fix merge conflict in nfs_atomic_open().]
Reference: CVE-2022-24448
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
fs/nfs/dir.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
@@ -1577,6 +1577,19 @@ out:
no_open:
res = nfs_lookup(dir, dentry, lookup_flags);
+ if (!res) {
+ inode = d_inode(dentry);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode))
+ res = ERR_PTR(-ENOTDIR);
+ } else if (!IS_ERR(res)) {
+ inode = d_inode(res);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-ENOTDIR);
+ }
+ }
err = PTR_ERR(res);
if (IS_ERR(res))
goto out;
--
2.35.1
Hi ! It's this week's CVE report. This week reported 5 new CVEs. * New CVEs CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG() CVSS v3 score is not provided A local unprivileged user can cause local DoS by sctp subsystem. The commit a2d859e3fc97 ("sctp: account stream padding length for reconf chunk") may fix this issue. Fixed status Not fixed yet. CVE-2022-0487: Use after free in moxart_remove CVSS v3 score is not provided UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c. The mainline was fixed. Stable kernels are being reviewed. Apply patch bd2db32 ("moxart: fix potential use-after-free on remove path") to 4.4 needs to a bit modify code. However, it seems no CIP member enables CONFIG_MMC_MOXART. Fixed status mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546] CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent CVSS v3 score is not provided There was a bug in cgroups v1 release_agent feature to escalate privilege and bypass namespace isolation. The mainline and 5.X series were fixed but failed to applied the fix to all 4.X series. This issue is affected to 2.6.24-rc1 or later version. Applying the commit 24f6008 ("cgroup-v1: Require capabilities to set release_agent") depends on the following commits. - a3ff937 ("prefix-handling analogues of errorf() and friends ") This commit was introduced at 5.6-rc1. It added invalfc macro to include/linux/fs_context.h. 5.4 uses cg_invalf macro which calls invalfc in it. - 8d2451f ("https://github.com/torvalds/linux/commit/8d2451f4994fa60a57617282bab91b98266a00b1"). This commit was introduced at 5.1-rc1. It added cgroup1_parse_param(). So 4.X series do other way to fix this issue (e.g. https://lore.kernel.org/stable/20220209191248.652388187@linuxfoundation.org/). 4.9, 4.14, and 4.19 are being reviewed. 4.X series use struct cgroup_namespace to get namespace object which was introduced at 4.6-rc1. So fixing 4.4 needs the other way to get namespace object instead of struct cgroup_namespace. Fixed status mainline: [24f6008564183aa120d07c03d9289519c2fe02af] stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3] stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477] stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d] stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8] CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails CVSS v3 score is not provided Server returns uninitialized data in the file descriptor in nfs_atomic_open(). The mainline and stable kernels are fixed. I attached 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch for 4.4.y. Fixed status mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf] stable/4.14: [516f348b759f6a92819820a3f56d678458e22cc8] stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de] stable/4.9: [8788981e120694a82a3672e062fe4ea99446634a] stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2] stable/5.15: [4c36ca387af4a9b5d775e46a6cb9dc2d151bf057] stable/5.16: [f0583af88e7dd413229ea5e670a0db36fdf34ba2] stable/5.4: [0dfacee40021dcc0a9aa991edd965addc04b9370] CVE-2022-0480: memcg: enable accounting for file lock caches CVSS v3 score is not provided A user can cause host memory exhaustion becase of memcg doesn't limit the number of POSIX file locks. This issues was fixed in 5.15-rc1. Patch cannot be applied to 4.4 because this fix uses SLAB_ACCOUNT flag which was introduced by commit 230e9fc ("slab: add SLAB_ACCOUNT flag ") at 4.5-rc1 is not backported to 4.4. Fixed status mainline: [0f12156dff2862ac54235fc72703f18770769042] * Updated CVEs CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions This issue was fixed in 4.17-rc7. 4.14 was fixed this week. Fixed status mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb] stable/4.14: [6824208b59a4727b8a8653f83d8e685584d04606] Currently tracking CVEs CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 There is no fix information. CVE-2020-26555: BR/EDR pin code pairing broken No fix information CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning No fix information. CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM No fix information. CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning No fix information. CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning No fix information. Regards,