• Trond Myklebust's avatar
    [PATCH] NFS: Fix a potential panic in O_DIRECT · 143f412e
    Trond Myklebust authored
    Based on an original patch by Mike O'Connor and Greg Banks of SGI.
    
    Mike states:
    
    A normal user can panic an NFS client and cause a local DoS with
    'judicious'(?) use of O_DIRECT.  Any O_DIRECT write to an NFS file where the
    user buffer starts with a valid mapped page and contains an unmapped page,
    will crash in this way.  I haven't followed the code, but O_DIRECT reads with
    similar user buffers will probably also crash albeit in different ways.
    
    Details: when nfs_get_user_pages() calls get_user_pages(), it detects and
    correctly handles get_user_pages() returning an error, which happens if the
    first page covered by the user buffer's address range is unmapped.  However,
    if the first page is mapped but some subsequent page isn't, get_user_pages()
    will return a positive number which is less than the number of pages requested
    (this behaviour is sort of analagous to a short write() call and appears to be
    intentional).  nfs_get_user_pages() doesn't detect this and hands off the
    array of pages (whose last few elements are random rubbish from the newly
    allocated array memory) to it's caller, whence they go to
    nfs_direct_write_seg(), which then totally ignores the nr_pages it's given,
    and calculates its own idea of how many pages are in the array from the user
    buffer length.  Needless to say, when it comes to transmit those uninitialised
    page* pointers, we see a crash in the network stack.
    Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    143f412e
direct.c 22.2 KB