[SRU oem-5.6 1/2] sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations.

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Wed Sep 16 18:07:08 UTC 2020


From: NeilBrown <neilb at suse.de>

There is no valid case for supporting duplicate pseudoflavor
registrations.
Currently the silent acceptance of such registrations is hiding a bug.
The rpcsec_gss_krb5 module registers 2 flavours but does not unregister
them, so if you load, unload, reload the module, it will happily
continue to use the old registration which now has pointers to the
memory were the module was originally loaded.  This could lead to
unexpected results.

So disallow duplicate registrations.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651
Cc: stable at vger.kernel.org (v2.6.12+)
Signed-off-by: NeilBrown <neilb at suse.de>
Signed-off-by: J. Bruce Fields <bfields at redhat.com>
(cherry picked from commit d47a5dc2888fd1b94adf1553068b8dad76cec96c)
CVE-2020-12656
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 322fd48887f9..271f72ecb9b7 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -820,9 +820,11 @@ svcauth_gss_register_pseudoflavor(u32 pseudoflavor, char * name)
 	new->h.flavour = &svcauthops_gss;
 	new->pseudoflavor = pseudoflavor;
 
-	stat = 0;
 	test = auth_domain_lookup(name, &new->h);
-	if (test != &new->h) { /* Duplicate registration */
+	if (test != &new->h) {
+		pr_warn("svc: duplicate registration of gss pseudo flavour %s.\n",
+			name);
+		stat = -EADDRINUSE;
 		auth_domain_put(test);
 		kfree(new->h.name);
 		goto out_free_dom;
-- 
2.25.1




More information about the kernel-team mailing list