1. 09 6月, 2018 1 次提交
    • D
      Fix 16-byte memory leak in gssp_accept_sec_context_upcall · 0070ed3d
      Dave Wysochanski 提交于
      There is a 16-byte memory leak inside sunrpc/auth_gss on an nfs server when
      a client mounts with 'sec=krb5' in a simple mount / umount loop.  The leak
      is seen by either monitoring the kmalloc-16 slab or with kmemleak enabled
      
      unreferenced object 0xffff92e6a045f030 (size 16):
        comm "nfsd", pid 1096, jiffies 4294936658 (age 761.110s)
        hex dump (first 16 bytes):
          2a 86 48 86 f7 12 01 02 02 00 00 00 00 00 00 00  *.H.............
        backtrace:
          [<000000004b2b79a7>] gssx_dec_buffer+0x79/0x90 [auth_rpcgss]
          [<000000002610ac1a>] gssx_dec_accept_sec_context+0x215/0x6dd [auth_rpcgss]
          [<000000004fd0e81d>] rpcauth_unwrap_resp+0xa9/0xe0 [sunrpc]
          [<000000002b099233>] call_decode+0x1e9/0x840 [sunrpc]
          [<00000000954fc846>] __rpc_execute+0x80/0x3f0 [sunrpc]
          [<00000000c83a961c>] rpc_run_task+0x10d/0x150 [sunrpc]
          [<000000002c2cdcd2>] rpc_call_sync+0x4d/0xa0 [sunrpc]
          [<000000000b74eea2>] gssp_accept_sec_context_upcall+0x196/0x470 [auth_rpcgss]
          [<000000003271273f>] svcauth_gss_proxy_init+0x188/0x520 [auth_rpcgss]
          [<000000001cf69f01>] svcauth_gss_accept+0x3a6/0xb50 [auth_rpcgss]
      
      If you map the above to code you'll see the following call chain
        gssx_dec_accept_sec_context
          gssx_dec_ctx  (missing from kmemleak output)
            gssx_dec_buffer(xdr, &ctx->mech)
      
      Inside gssx_dec_buffer there is 'kmemdup' where we allocate memory for
      any gssx_buffer (buf) and store into buf->data.  In the above instance,
      'buf == &ctx->mech).
      
      Further up in the chain in gssp_accept_sec_context_upcall we see ctx->mech
      is part of a stack variable 'struct gssx_ctx rctxh'.  Now later inside
      gssp_accept_sec_context_upcall after gssp_call, there is a number of
      memcpy and kfree statements, but there is no kfree(rctxh.mech.data)
      after the memcpy into data->mech_oid.data.
      
      With this patch applied and the same mount / unmount loop, the kmalloc-16
      slab is stable and kmemleak enabled no longer shows the above backtrace.
      Signed-off-by: NDave Wysochanski <dwysocha@redhat.com>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      0070ed3d
  2. 14 7月, 2017 4 次提交
  3. 15 5月, 2017 4 次提交
  4. 25 11月, 2015 1 次提交
    • J
      nfsd4: fix gss-proxy 4.1 mounts for some AD principals · 414ca017
      J. Bruce Fields 提交于
      The principal name on a gss cred is used to setup the NFSv4.0 callback,
      which has to have a client principal name to authenticate to.
      
      That code wants the name to be in the form servicetype@hostname.
      rpc.svcgssd passes down such names (and passes down no principal name at
      all in the case the principal isn't a service principal).
      
      gss-proxy always passes down the principal name, and passes it down in
      the form servicetype/hostname@REALM.  So we've been munging the name
      gss-proxy passes down into the format the NFSv4.0 callback code expects,
      or throwing away the name if we can't.
      
      Since the introduction of the MACH_CRED enforcement in NFSv4.1, we've
      also been using the principal name to verify that certain operations are
      done as the same principal as was used on the original EXCHANGE_ID call.
      
      For that application, the original name passed down by gss-proxy is also
      useful.
      
      Lack of that name in some cases was causing some kerberized NFSv4.1
      mount failures in an Active Directory environment.
      
      This fix only works in the gss-proxy case.  The fix for legacy
      rpc.svcgssd would be more involved, and rpc.svcgssd already has other
      problems in the AD case.
      Reported-and-tested-by: NJames Ralston <ralston@pobox.com>
      Acked-by: NSimo Sorce <simo@redhat.com>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      414ca017
  5. 18 2月, 2015 1 次提交
    • D
      svcrpc: fix memory leak in gssp_accept_sec_context_upcall · a1d1e9be
      David Ramos 提交于
      Our UC-KLEE tool found a kernel memory leak of 512 bytes (on x86_64) for
      each call to gssp_accept_sec_context_upcall()
      (net/sunrpc/auth_gss/gss_rpc_upcall.c). Since it appears that this call
      can be triggered by remote connections (at least, from a cursory a
      glance at the call chain), it may be exploitable to cause kernel memory
      exhaustion. We found the bug in kernel 3.16.3, but it appears to date
      back to commit 9dfd87da (2013-08-20).
      
      The gssp_accept_sec_context_upcall() function performs a pair of calls
      to gssp_alloc_receive_pages() and gssp_free_receive_pages().  The first
      allocates memory for arg->pages.  The second then frees the pages
      pointed to by the arg->pages array, but not the array itself.
      Reported-by: NDavid A. Ramos <daramos@stanford.edu>
      Fixes: 9dfd87da ("rpc: fix huge kmalloc's in gss-proxy”)
      Signed-off-by: NDavid A. Ramos <daramos@stanford.edu>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      a1d1e9be
  6. 07 1月, 2014 1 次提交
  7. 09 10月, 2013 1 次提交
  8. 06 9月, 2013 2 次提交
  9. 01 8月, 2013 2 次提交
  10. 30 4月, 2013 1 次提交
  11. 26 4月, 2013 2 次提交
    • S
      SUNRPC: Use gssproxy upcall for server RPCGSS authentication. · 030d794b
      Simo Sorce 提交于
      The main advantge of this new upcall mechanism is that it can handle
      big tickets as seen in Kerberos implementations where tickets carry
      authorization data like the MS-PAC buffer with AD or the Posix Authorization
      Data being discussed in IETF on the krbwg working group.
      
      The Gssproxy program is used to perform the accept_sec_context call on the
      kernel's behalf. The code is changed to also pass the input buffer straight
      to upcall mechanism to avoid allocating and copying many pages as tokens can
      be as big (potentially more in future) as 64KiB.
      Signed-off-by: NSimo Sorce <simo@redhat.com>
      [bfields: containerization, negotiation api]
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      030d794b
    • S
      SUNRPC: Add RPC based upcall mechanism for RPCGSS auth · 1d658336
      Simo Sorce 提交于
      This patch implements a sunrpc client to use the services of the gssproxy
      userspace daemon.
      
      In particular it allows to perform calls in user space using an RPC
      call instead of custom hand-coded upcall/downcall messages.
      
      Currently only accept_sec_context is implemented as that is all is needed for
      the server case.
      
      File server modules like NFS and CIFS can use full gssapi services this way,
      once init_sec_context is also implemented.
      
      For the NFS server case this code allow to lift the limit of max 2k krb5
      tickets. This limit is prevents legitimate kerberos deployments from using krb5
      authentication with the Linux NFS server as they have normally ticket that are
      many kilobytes large.
      
      It will also allow to lift the limitation on the size of the credential set
      (uid,gid,gids) passed down from user space for users that have very many groups
      associated. Currently the downcall mechanism used by rpc.svcgssd is limited
      to around 2k secondary groups of the 65k allowed by kernel structures.
      Signed-off-by: NSimo Sorce <simo@redhat.com>
      [bfields: containerization, concurrent upcalls, misc. fixes and cleanup]
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      1d658336