<br><br><div class="gmail_quote">On Thu, Apr 29, 2010 at 9:29 AM, Jeff Layton <span dir="ltr"><<a href="mailto:jlayton@samba.org">jlayton@samba.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, 29 Apr 2010 22:12:16 +0800<br>
Eugene Teo <<a href="mailto:eugeneteo@kernel.sg">eugeneteo@kernel.sg</a>> wrote:<br>
<br>
> On Thu, Apr 29, 2010 at 9:51 PM, Shirish Pargaonkar<br>
> <<a href="mailto:shirishpargaonkar@gmail.com">shirishpargaonkar@gmail.com</a>> wrote:<br>
> > On Thu, Apr 29, 2010 at 6:16 AM, Jeff Layton <<a href="mailto:jlayton@samba.org">jlayton@samba.org</a>> wrote:<br>
> >> On Thu, 29 Apr 2010 15:56:02 +0530<br>
> >> Suresh Jayaraman <<a href="mailto:sjayaraman@suse.de">sjayaraman@suse.de</a>> wrote:<br>
> >><br>
> >>> On 04/09/2010 01:28 AM, Jeff Layton wrote:<br>
> >>> > On Thu, 8 Apr 2010 14:40:47 -0500<br>
> >>> > Shirish Pargaonkar <<a href="mailto:shirishpargaonkar@gmail.com">shirishpargaonkar@gmail.com</a>> wrote:<br>
> >>> ><br>
> >>> >> On Thu, Apr 8, 2010 at 2:34 PM, Jeff Layton <<a href="mailto:jlayton@samba.org">jlayton@samba.org</a>> wrote:<br>
> >>> >>> On Wed, 7 Apr 2010 11:19:10 -0500<br>
> >>> >>> <a href="mailto:shirishpargaonkar@gmail.com">shirishpargaonkar@gmail.com</a> wrote:<br>
> >>> >>><br>
> >>> >>>> While creating a file on a server which supports unix extensions<br>
> >>> >>>> such as Samba, if a file is being created which does not supply<br>
> >>> >>>> nameidata (i.e. nd is null), cifs client can oops when calling<br>
> >>> >>>> cifs_posix_open.<br>
> >>> >>>><br>
> >>> >>>> Signed-off-by: Shirish Pargaonkar <<a href="mailto:shirishpargaonkar@gmail.com">shirishpargaonkar@gmail.com</a>><br>
> >>> >>>> Reported-by: Eugene Teo <<a href="mailto:eugeneteo@kernel.sg">eugeneteo@kernel.sg</a>><br>
> >>><br>
> >>> ><br>
> >>> > We'll need to take this patch in the interim though to fix the<br>
> >>> > immediate oops.<br>
> >>> ><br>
> >>><br>
> >>> Do we need to Cc -stable as well as the issue seem to be reproducible on<br>
> >>> kernel versions > 2.6.29-rc6?<br>
> >>><br>
> >>> Thanks,<br>
> >>><br>
> >><br>
> >> Can someone clarify how to reproduce this oops? I think that the only<br>
> >> place where this function gets called with NULL nameidata is from nfsd<br>
> >> and the export ops for cifs are just stubs. Has this actually been seen<br>
> >> in the field or was it just found via inspection?<br>
> >><br>
> >> --<br>
> >> Jeff Layton <<a href="mailto:jlayton@samba.org">jlayton@samba.org</a>><br>
> ><br>
> > As far as I know, by inspection.<br>
> > Eugene, can you please comment on this?<br>
><br>
> It was found by inspection. Did not attempt to reproduce the issue.<br>
><br>
> Eugene<br>
><br>
<br>
</div></div>Ok. I don't think this is actually exploitable. Certainly something<br>
that should be fixed in case CIFS ever is exportable via nfsd, but not<br>
worthy of a CVE.<br>
<br></blockquote><div><br>Yes - that is what we talked about earlier. Looks like nfs client<br>has the same problem too (dereferences, potentially null nd)<br>but in practice can't get there (nfsd over nfs)<br> </div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On a related note... the sb->s_export_ops ought to be NULL in all cases<br>
until CIFS actually has export ops that are functional. The current<br>
situation probably tricks nfsd into thinking that CIFS is exportable<br>
when it really isn't. That's likely to be very confusing for users.<br>
<font color="#888888"><br>
</font></blockquote></div><br>I don't think it matters much, the use case is nfs server<br>reexporting resources over cifs mounts on servers that don't<br> have nfs (via a cifs mount) - not sure if it is worth just<br>
doing this in smb2 (where we have persistent file ids anyway,<br>which may be useful for this) or should do it in both<br clear="all"><br>-- <br>Thanks,<br><br>Steve<br>