[SRU][F][PATCH 0/1] CVE-2024-49974
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Tue Jan 28 10:28:43 UTC 2025
[Impact]
NFSD: Limit the number of concurrent async COPY operations
Nothing appears to limit the number of concurrent async COPY
operations that clients can start. In addition, AFAICT each async
COPY can copy an unlimited number of 4MB chunks, so can run for a
long time. Thus IMO async COPY can become a DoS vector.
Add a restriction mechanism that bounds the number of concurrent
background COPY operations. Start simple and try to be fair -- this
patch implements a per-namespace limit.
An async COPY request that occurs while this limit is exceeded gets
NFS4ERR_DELAY. The requesting client can choose to send the request
again after a delay or fall back to a traditional read/write style
copy.
[Fix]
Oracular: Fixed via upstream stable updates (LP: #2089052)
Noble: Fixed via upstream stable updates (LP: #2089884)
Jammy: Fixed via upstream stable updates (LP: #2095283)
Focal: Backported from mainline
Bionic: Not affected
Xenial: Not affected
Trusty: Not affected
[Test Case]
Compile and boot tested.
Stress tested an NFS share using stress-ng.
Server side:
$ sudo exportfs -v
/srv/nfs/testdir
<world>(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
$ sudo dmesg | tail
[ 97.859444] RPC: Registered named UNIX socket transport module.
[ 97.859445] RPC: Registered udp transport module.
[ 97.859446] RPC: Registered tcp transport module.
[ 97.859446] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 97.871592] Installing knfsd (copyright (C) 1996 okir at monad.swb.de).
[ 99.596971] NFSD: Using UMH upcall client tracking operations.
[ 99.596973] NFSD: starting 90-second grace period (net f0000098)
$ sudo cat /proc/fs/nfsd/versions
-2 +3 +4 +4.1 +4.2
Client side:
$ nfsstat -m
/mnt/nfs from xxx.xxx.xxx.xxx:/srv/nfs/testdir
Flags: rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys
$ cd /mnt/nfs
$ sudo stress-ng --hdd 8 --timeout 600s --metrics-brief
stress-ng: info: [2822] setting to a 600 second (10 mins, 0.00 secs) run per stressor
stress-ng: info: [2822] dispatching hogs: 8 hdd
stress-ng: info: [2822] successful run completed in 600.35s (10 mins, 0.35 secs)
stress-ng: info: [2822] stressor bogo ops real time usr time sys time bogo ops/s bogo ops/s
stress-ng: info: [2822] (secs) (secs) (secs) (real time) (usr+sys time)
stress-ng: info: [2822] hdd 11829248 600.33 279.89 430.13 19704.55 16660.44
[Where problems could occur]
The fix affects the NFS server subsystem, specifically the
implementation of the asynchronous COPY operation. An issue with this
fix may lead to instability in handling client file copy requests.
[Notes]
The backport is not straightforward, primarily due to considerations
related to the cleanup logic of nfsd4_copy(). In Focal, the async_copy
structure is correctly initialized only if the call to
nfs4_init_cp_state() succeeds (see commit message of 81e722978ad210).
Before initialization, the function exits via the out: label (freeing
async_copy if necessary), whereas after initialization, it exits via the
out_err: label. The key distinction between exiting via out: and exiting
via out_err: lies in the invocation of cleanup_async_copy().
Upstream, the execution flow for cleanup has undergone significant
changes, now almost always passing through cleanup_async_copy(). This
function has been modified to differentiate between an initialized and
an uninitialized async_copy structure, thanks to the changes introduced
by commit 81e722978ad210.
The patch has been backported, considering the cleanup logic implemented
in Focal.
It is also worth noting that upstream, the fix commit aadc3bbea163b has
two follow-ups (63fab04cbd0f9 and 8286f8b622990). These follow-ups
introduce fixes that are required only for the upstream cleanup logic
and are not relevant to the logic implemented in Focal. The two
follow-ups have not been backported.
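As an added illustration, not the kernel's code and not part of this patch, here is a small user-space C model of the two rules the notes turn on: admission is bounded per namespace and refused with a DELAY-style error once the limit is reached, and cleanup releases a slot only for a copy that was actually initialized. All names (copy_ns, async_copy_admit, async_copy_cleanup), the limit of 4 and ERR_DELAY standing in for NFS4ERR_DELAY are constructed for the demo.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of a per-namespace bound on background
 * COPY operations; hypothetical names, not the nfsd implementation. */
#define ASYNC_COPY_LIMIT 4   /* demo limit, not a kernel default */
#define ERR_DELAY (-1)       /* stands in for NFS4ERR_DELAY */

struct copy_ns {             /* one instance per network namespace */
    atomic_int pending;      /* async COPYs currently admitted here */
};

struct async_copy {
    struct copy_ns *ns;
    bool initialized;        /* true only after admission succeeded */
};

/* Reserve a slot or refuse with ERR_DELAY. Increment first and check the
 * result so two racing requests cannot both squeeze past the limit. */
static int async_copy_admit(struct copy_ns *ns, struct async_copy *cp)
{
    if (atomic_fetch_add(&ns->pending, 1) + 1 > ASYNC_COPY_LIMIT) {
        atomic_fetch_sub(&ns->pending, 1);   /* give back our reservation */
        return ERR_DELAY;                    /* client retries later or falls back */
    }
    cp->ns = ns;
    cp->initialized = true;
    return 0;
}

/* Release the slot exactly once, and only for an initialized copy. A copy
 * that failed before initialization (the Focal "out:" path) never took a
 * slot, so decrementing for it would let the bound drift upward over time. */
static void async_copy_cleanup(struct async_copy *cp)
{
    if (cp->initialized) {
        atomic_fetch_sub(&cp->ns->pending, 1);
        cp->initialized = false;             /* makes a second cleanup a no-op */
    }
}

static int pending_count(struct copy_ns *ns)
{
    return atomic_load(&ns->pending);
}
```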
Chuck Lever (1):
NFSD: Limit the number of concurrent async COPY operations
fs/nfsd/netns.h | 1 +
fs/nfsd/nfs4proc.c | 9 +++++++++
fs/nfsd/nfs4state.c | 1 +
fs/nfsd/xdr4.h | 1 +
4 files changed, 12 insertions(+)
--
2.43.0