SUNRPC: Fix a Oops when destroying the RPCSEC_GSS credential cache
Commit07d02a67b7causes a use-after free in the RPCSEC_GSS credential destroy code, because the call to get_rpccred() in gss_destroying_context() will now always fail to increment the refcount. While we could just replace the get_rpccred() with a refcount_set(), that would have the unfortunate consequence of resurrecting a credential in the credential cache for which we are in the process of destroying the RPCSEC_GSS context. Rather than do this, we choose to make a copy that is never added to the cache and use that to destroy the context. Fixes:07d02a67b7("SUNRPC: Simplify lookup code") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
This commit is contained in:
Trond Myklebust
parent
a1aa09be21
commit
a652a4bc21
|
|
@ -1239,36 +1239,59 @@ gss_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
|
|||
return &gss_auth->rpc_auth;
|
||||
}
|
||||
|
||||
static struct gss_cred *
|
||||
gss_dup_cred(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
|
||||
{
|
||||
struct gss_cred *new;
|
||||
|
||||
/* Make a copy of the cred so that we can reference count it */
|
||||
new = kzalloc(sizeof(*gss_cred), GFP_NOIO);
|
||||
if (new) {
|
||||
struct auth_cred acred = {
|
||||
.uid = gss_cred->gc_base.cr_uid,
|
||||
};
|
||||
struct gss_cl_ctx *ctx =
|
||||
rcu_dereference_protected(gss_cred->gc_ctx, 1);
|
||||
|
||||
rpcauth_init_cred(&new->gc_base, &acred,
|
||||
&gss_auth->rpc_auth,
|
||||
&gss_nullops);
|
||||
new->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
|
||||
new->gc_service = gss_cred->gc_service;
|
||||
new->gc_principal = gss_cred->gc_principal;
|
||||
kref_get(&gss_auth->kref);
|
||||
rcu_assign_pointer(new->gc_ctx, ctx);
|
||||
gss_get_ctx(ctx);
|
||||
}
|
||||
return new;
|
||||
}
|
||||
|
||||
/*
|
||||
* gss_destroying_context will cause the RPCSEC_GSS to send a NULL RPC call
|
||||
* gss_send_destroy_context will cause the RPCSEC_GSS to send a NULL RPC call
|
||||
* to the server with the GSS control procedure field set to
|
||||
* RPC_GSS_PROC_DESTROY. This should normally cause the server to release
|
||||
* all RPCSEC_GSS state associated with that context.
|
||||
*/
|
||||
static int
|
||||
gss_destroying_context(struct rpc_cred *cred)
|
||||
static void
|
||||
gss_send_destroy_context(struct rpc_cred *cred)
|
||||
{
|
||||
struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
|
||||
struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth);
|
||||
struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1);
|
||||
struct gss_cred *new;
|
||||
struct rpc_task *task;
|
||||
|
||||
if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) == 0)
|
||||
return 0;
|
||||
new = gss_dup_cred(gss_auth, gss_cred);
|
||||
if (new) {
|
||||
ctx->gc_proc = RPC_GSS_PROC_DESTROY;
|
||||
|
||||
ctx->gc_proc = RPC_GSS_PROC_DESTROY;
|
||||
cred->cr_ops = &gss_nullops;
|
||||
task = rpc_call_null(gss_auth->client, &new->gc_base,
|
||||
RPC_TASK_ASYNC|RPC_TASK_SOFT);
|
||||
if (!IS_ERR(task))
|
||||
rpc_put_task(task);
|
||||
|
||||
/* Take a reference to ensure the cred will be destroyed either
|
||||
* by the RPC call or by the put_rpccred() below */
|
||||
get_rpccred(cred);
|
||||
|
||||
task = rpc_call_null(gss_auth->client, cred, RPC_TASK_ASYNC|RPC_TASK_SOFT);
|
||||
if (!IS_ERR(task))
|
||||
rpc_put_task(task);
|
||||
|
||||
put_rpccred(cred);
|
||||
return 1;
|
||||
put_rpccred(&new->gc_base);
|
||||
}
|
||||
}
|
||||
|
||||
/* gss_destroy_cred (and gss_free_ctx) are used to clean up after failure
|
||||
|
|
@ -1330,8 +1353,8 @@ static void
|
|||
gss_destroy_cred(struct rpc_cred *cred)
|
||||
{
|
||||
|
||||
if (gss_destroying_context(cred))
|
||||
return;
|
||||
if (test_and_clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0)
|
||||
gss_send_destroy_context(cred);
|
||||
gss_destroy_nullcred(cred);
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue