Commit 64a38e84 authored by Dave Wysochanski's avatar Dave Wysochanski Committed by J. Bruce Fields
Browse files

SUNRPC: Track writers of the 'channel' file to improve cache_listeners_exist 



The sunrpc cache interface is susceptible to being fooled by a rogue
process just reading a 'channel' file.  If this happens the kernel
may think a valid daemon exists to service the cache when it does not.
For example, the following may fool the kernel:
cat /proc/net/rpc/auth.unix.gid/channel

Change the tracking of readers to writers when considering whether a
listener exists as all valid daemon processes either open a channel
file O_RDWR or O_WRONLY.  While this does not prevent a rogue process
from "stealing" a message from the kernel, it does at least improve
the kernels perception of whether a valid process servicing the cache
exists.

Signed-off-by: default avatarDave Wysochanski <dwysocha@redhat.com>
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
parent 609488bc

include/linux/sunrpc/cache.h

+3 −3
Original line number Diff line number Diff line
@@ -107,9 +107,9 @@ struct cache_detail { 
	/* fields for communication over channel */

	struct list_head	queue;



	atomic_t		readers;		/* how many time is /chennel open */

	time_t			last_close;		/* if no readers, when did last close */

	time_t			last_warn;		/* when we last warned about no readers */

	atomic_t		writers;		/* how many time is /channel open */

	time_t			last_close;		/* if no writers, when did last close */

	time_t			last_warn;		/* when we last warned about no writers */



	union {

		struct proc_dir_entry	*procfs;

net/sunrpc/cache.c

+8 −4
Original line number Diff line number Diff line
@@ -373,7 +373,7 @@ void sunrpc_init_cache_detail(struct cache_detail *cd) 
	spin_lock(&cache_list_lock);

	cd->nextcheck = 0;

	cd->entries = 0;

	atomic_set(&cd->readers, 0);

	atomic_set(&cd->writers, 0);

	cd->last_close = 0;

	cd->last_warn = -1;

	list_add(&cd->others, &cache_list);
@@ -1029,11 +1029,13 @@ static int cache_open(struct inode *inode, struct file *filp, 
		}

		rp->offset = 0;

		rp->q.reader = 1;

		atomic_inc(&cd->readers);



		spin_lock(&queue_lock);

		list_add(&rp->q.list, &cd->queue);

		spin_unlock(&queue_lock);

	}

	if (filp->f_mode & FMODE_WRITE)

		atomic_inc(&cd->writers);

	filp->private_data = rp;

	return 0;

}
@@ -1062,8 +1064,10 @@ static int cache_release(struct inode *inode, struct file *filp, 
		filp->private_data = NULL;

		kfree(rp);



	}

	if (filp->f_mode & FMODE_WRITE) {

		atomic_dec(&cd->writers);

		cd->last_close = seconds_since_boot();

		atomic_dec(&cd->readers);

	}

	module_put(cd->owner);

	return 0;
@@ -1171,7 +1175,7 @@ static void warn_no_listener(struct cache_detail *detail) 


static bool cache_listeners_exist(struct cache_detail *detail)

{

	if (atomic_read(&detail->readers))

	if (atomic_read(&detail->writers))

		return true;

	if (detail->last_close == 0)

		/* This cache was never opened */

CRA Git | Maintained and supported by SUSTech CRA and CCSE