[Midnightbsd-cvs] src [6633] U stable/0.4/sys/fs/nfsserver: 0.4-RELEASE-p9

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Wed Apr 9 07:48:25 EDT 2014


Revision: 6633
          http://svnweb.midnightbsd.org/src/?rev=6633
Author:   laffer1
Date:     2014-04-09 07:48:24 -0400 (Wed, 09 Apr 2014)
Log Message:
-----------
0.4-RELEASE-p9

Fix a security issue affecting the NFS server, where a trusted client can deadlock the server.

Modified Paths:
--------------
    stable/0.4/UPDATING
    stable/0.4/sys/conf/newvers.sh
    stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c

Property Changed:
----------------
    stable/0.4/sys/fs/nfsserver/nfs_nfsdcache.c
    stable/0.4/sys/fs/nfsserver/nfs_nfsdkrpc.c
    stable/0.4/sys/fs/nfsserver/nfs_nfsdport.c
    stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c

Modified: stable/0.4/UPDATING
===================================================================
--- stable/0.4/UPDATING	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/UPDATING	2014-04-09 11:48:24 UTC (rev 6633)
@@ -1,6 +1,10 @@
 Updating Information for MidnightBSD users.
 
 20140409:
+	0.4-RELEASE-p9
+
+	Fix an issue allowing an attacker to deadlock the NFS Server from a trusted client.
+
 	0.4-RELEASE-p8
 
 	Fix a security issue in OpenSSL [CVE-2014-0076]

Modified: stable/0.4/sys/conf/newvers.sh
===================================================================
--- stable/0.4/sys/conf/newvers.sh	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/sys/conf/newvers.sh	2014-04-09 11:48:24 UTC (rev 6633)
@@ -33,7 +33,7 @@
 
 TYPE="MidnightBSD"
 REVISION="0.4"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Index: stable/0.4/sys/fs/nfsserver/nfs_nfsdcache.c
===================================================================
--- stable/0.4/sys/fs/nfsserver/nfs_nfsdcache.c	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/sys/fs/nfsserver/nfs_nfsdcache.c	2014-04-09 11:48:24 UTC (rev 6633)

Property changes on: stable/0.4/sys/fs/nfsserver/nfs_nfsdcache.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Index: stable/0.4/sys/fs/nfsserver/nfs_nfsdkrpc.c
===================================================================
--- stable/0.4/sys/fs/nfsserver/nfs_nfsdkrpc.c	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/sys/fs/nfsserver/nfs_nfsdkrpc.c	2014-04-09 11:48:24 UTC (rev 6633)

Property changes on: stable/0.4/sys/fs/nfsserver/nfs_nfsdkrpc.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Index: stable/0.4/sys/fs/nfsserver/nfs_nfsdport.c
===================================================================
--- stable/0.4/sys/fs/nfsserver/nfs_nfsdport.c	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/sys/fs/nfsserver/nfs_nfsdport.c	2014-04-09 11:48:24 UTC (rev 6633)

Property changes on: stable/0.4/sys/fs/nfsserver/nfs_nfsdport.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.3
\ No newline at end of property
Modified: stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c
===================================================================
--- stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c	2014-04-09 11:46:01 UTC (rev 6632)
+++ stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c	2014-04-09 11:48:24 UTC (rev 6633)
@@ -1446,10 +1446,23 @@
 		nfsvno_relpathbuf(&fromnd);
 		goto out;
 	}
+	/*
+	 * Unlock dp in this code section, so it is unlocked before
+	 * tdp gets locked. This avoids a potential LOR if tdp is the
+	 * parent directory of dp.
+	 */
 	if (nd->nd_flag & ND_NFSV4) {
 		tdp = todp;
 		tnes = *toexp;
-		tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred, p, 0);
+		if (dp != tdp) {
+			NFSVOPUNLOCK(dp, 0);
+			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+			    p, 0);	/* Might lock tdp. */
+		} else {
+			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+			    p, 1);
+			NFSVOPUNLOCK(dp, 0);
+		}
 	} else {
 		tfh.nfsrvfh_len = 0;
 		error = nfsrv_mtofh(nd, &tfh);
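Review bot: The new block comment explains why dp is unlocked early, but it does not state the invariant the rest of the change depends on: after this if/else, dp is referenced but no longer locked. The later hunks rely on exactly that (`vrele(dp)` replacing `vput(dp)` at both error exits, and the changed `nfsvno_namei` call), so I would add a line to the comment such as `* From here on dp is only referenced, not locked; release it with vrele(), not vput().` The function begins and ends outside this hunk, so any exit that runs before this section (for example the `goto out` in the leading context, or an error check after `nfsrv_mtofh`) presumably still holds the lock and must keep its existing release call; that is worth confirming against the full file.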
@@ -1470,10 +1483,12 @@
 			tnes = *exp;
 			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
 			    p, 1);
+			NFSVOPUNLOCK(dp, 0);
 		} else {
+			NFSVOPUNLOCK(dp, 0);
 			nd->nd_cred->cr_uid = nd->nd_saveduid;
 			nfsd_fhtovp(nd, &tfh, LK_EXCLUSIVE, &tdp, &tnes, NULL,
-			    0, p);
+			    0, p);	/* Locks tdp. */
 			if (tdp) {
 				tdirfor_ret = nfsvno_getattr(tdp, &tdirfor,
 				    nd->nd_cred, p, 1);
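Review bot: The added `/* Locks tdp. */` comment records that `nfsd_fhtovp(..., LK_EXCLUSIVE, &tdp, ...)` returns tdp locked, but the hunk ends inside the `if (tdp)` block, so where that lock is dropped is not visible here. Since dp is relocked later by `nfsvno_namei`, tdp has to be unlocked before that point, or the ordering problem reappears in the opposite direction when dp is the parent of tdp. Please confirm the unlock follows the `nfsvno_getattr` call and consider extending the comment to `/* Locks tdp; unlocked again after the getattr below. */` if that is what the surrounding code does.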
@@ -1488,7 +1503,7 @@
 		if (error) {
 			if (tdp)
 				vrele(tdp);
-			vput(dp);
+			vrele(dp);
 			nfsvno_relpathbuf(&fromnd);
 			nfsvno_relpathbuf(&tond);
 			goto out;
@@ -1503,7 +1518,7 @@
 		}
 		if (tdp)
 			vrele(tdp);
-		vput(dp);
+		vrele(dp);
 		nfsvno_relpathbuf(&fromnd);
 		nfsvno_relpathbuf(&tond);
 		goto out;
@@ -1512,7 +1527,7 @@
 	/*
 	 * Done parsing, now down to business.
 	 */
-	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
+	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);
 	if (nd->nd_repstat) {
 		if (nd->nd_flag & ND_NFSV3) {
 			nfsrv_wcc(nd, fdirfor_ret, &fdirfor, fdiraft_ret,
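Review bot: The fourth argument of `nfsvno_namei` flips from a bare `1` to a bare `0` with nothing at the call site saying why, and a future merge could easily flip it back. A short comment such as `/* dp was unlocked above, so nfsvno_namei() must lock it itself. */` on the line before the call would tie it to the earlier unlock. It may also be worth noting there that dp was held only by reference between the unlock and this call, so the directory could have changed in that window; whether the pre-op attributes gathered earlier are affected cannot be judged from this hunk.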


Property changes on: stable/0.4/sys/fs/nfsserver/nfs_nfsdserv.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property

