kernel_optimize_test/net/sunrpc/auth_gss
Dave Wysochanski 518416a75c SUNRPC: Handle 0 length opaque XDR object data properly
[ Upstream commit e4a7d1f7707eb44fd953a31dd59eff82009d879c ]

When handling an auth_gss downcall, it's possible to get 0-length
opaque object for the acceptor.  In the case of a 0-length XDR
object, make sure simple_get_netobj() fills in dest->data = NULL,
and does not continue to kmemdup() which will set
dest->data = ZERO_SIZE_PTR for the acceptor.

The trace event code can handle NULL but not ZERO_SIZE_PTR for a
string, and so without this patch the rpcgss_context trace event
will crash the kernel as follows:

[  162.887992] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  162.898693] #PF: supervisor read access in kernel mode
[  162.900830] #PF: error_code(0x0000) - not-present page
[  162.902940] PGD 0 P4D 0
[  162.904027] Oops: 0000 [#1] SMP PTI
[  162.905493] CPU: 4 PID: 4321 Comm: rpc.gssd Kdump: loaded Not tainted 5.10.0 #133
[  162.908548] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  162.910978] RIP: 0010:strlen+0x0/0x20
[  162.912505] Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31
[  162.920101] RSP: 0018:ffffaec900c77d90 EFLAGS: 00010202
[  162.922263] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffde697
[  162.925158] RDX: 000000000000002f RSI: 0000000000000080 RDI: 0000000000000010
[  162.928073] RBP: 0000000000000010 R08: 0000000000000e10 R09: 0000000000000000
[  162.930976] R10: ffff8e698a590cb8 R11: 0000000000000001 R12: 0000000000000e10
[  162.933883] R13: 00000000fffde697 R14: 000000010034d517 R15: 0000000000070028
[  162.936777] FS:  00007f1e1eb93700(0000) GS:ffff8e6ab7d00000(0000) knlGS:0000000000000000
[  162.940067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.942417] CR2: 0000000000000010 CR3: 0000000104eba000 CR4: 00000000000406e0
[  162.945300] Call Trace:
[  162.946428]  trace_event_raw_event_rpcgss_context+0x84/0x140 [auth_rpcgss]
[  162.949308]  ? __kmalloc_track_caller+0x35/0x5a0
[  162.951224]  ? gss_pipe_downcall+0x3a3/0x6a0 [auth_rpcgss]
[  162.953484]  gss_pipe_downcall+0x585/0x6a0 [auth_rpcgss]
[  162.955953]  rpc_pipe_write+0x58/0x70 [sunrpc]
[  162.957849]  vfs_write+0xcb/0x2c0
[  162.959264]  ksys_write+0x68/0xe0
[  162.960706]  do_syscall_64+0x33/0x40
[  162.962238]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  162.964346] RIP: 0033:0x7f1e1f1e57df

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-02-13 13:55:12 +01:00
..
auth_gss_internal.h SUNRPC: Handle 0 length opaque XDR object data properly 2021-02-13 13:55:12 +01:00
auth_gss.c SUNRPC: Move simple_get_bytes and simple_get_netobj into private header 2021-02-13 13:55:12 +01:00
gss_generic_token.c
gss_krb5_crypto.c SUNRPC: remove RC4-HMAC-MD5 support from KerberosV 2020-09-11 14:39:15 +10:00
gss_krb5_keys.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
gss_krb5_mech.c SUNRPC: Move simple_get_bytes and simple_get_netobj into private header 2021-02-13 13:55:12 +01:00
gss_krb5_seal.c SUNRPC: remove RC4-HMAC-MD5 support from KerberosV 2020-09-11 14:39:15 +10:00
gss_krb5_seqnum.c SUNRPC: remove RC4-HMAC-MD5 support from KerberosV 2020-09-11 14:39:15 +10:00
gss_krb5_unseal.c SUNRPC: remove RC4-HMAC-MD5 support from KerberosV 2020-09-11 14:39:15 +10:00
gss_krb5_wrap.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-10-13 08:50:16 -07:00
gss_mech_switch.c
gss_rpc_upcall.c
gss_rpc_upcall.h
gss_rpc_xdr.c
gss_rpc_xdr.h
Makefile
svcauth_gss.c SUNRPC: fix copying of multiple pages in gss_read_proxy_verf() 2020-10-20 13:21:30 -04:00
trace.c SUNRPC: remove duplicate include 2020-08-19 13:19:42 -04:00