From: Andrew Deason <adeason@sinenomine.net>
Date: Fri, 10 Jan 2020 18:40:15 +0000 (-0600)
Subject: OPENAFS-SA-2024-001: afs: Throttle PAG creation in afs_genpag()
X-Git-Tag: openafs-stable-1_8_13~21
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=57b655e4837d8660ebcc25d95efb09118adaff07

OPENAFS-SA-2024-001: afs: Throttle PAG creation in afs_genpag()

CVE-2024-10394

Currently, we only throttle PAG creation in afs_setpag(). But there
are several callers that call setpag() directly, not via afs_setpag;
notably _settok_setParentPag in afs_pioctl.c. When setpag() is called
with a PAG value of -1, it generates a new PAG internally without any
throttling. So, those callers effectively bypass the PAG throttling
mechanism, which allows a calling user to create PAGs without any
delay.

To avoid this, move our afs_pag_wait call from afs_setpag() to
afs_genpag(), which all code uses to generate a new PAG value. This
ensures that PAG creation is always throttled for unprivileged users.

FIXES 135062

Reviewed-on: https://gerrit.openafs.org/15907
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 0358648dbed7656e7bda30f6f0ea6e8e01bf6527)

Change-Id: I7f8f475a913c6f62ca2c7a6fb00239e51a8a8c62
Reviewed-on: https://gerrit.openafs.org/15928
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
---

diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
index 80b0cc3..ec0a0dd 100644
--- a/src/afs/afs_osi_pag.c
+++ b/src/afs/afs_osi_pag.c
@@ -185,6 +185,11 @@ afs_pag_wait(afs_ucred_t *acred)
 afs_int32
 afs_genpag(afs_ucred_t *acred, afs_uint32 *apag)
 {
+    afs_int32 code;
+    code = afs_pag_wait(acred);
+    if (code) {
+	return code;
+    }
     *apag = genpagval();
     return 0;
 }
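Review bot: afs_genpag() can now fail and can now wait inside afs_pag_wait(), but on the early `return code;` path `*apag` is never written, and nothing at the function documents either change. Before this hunk the function always returned 0, so any caller outside this diff that ignores the return value would go on to use an unset PAG value. The commit message names the setpag() path with a PAG of -1, reached from _settok_setParentPag, as one such route, so it is worth confirming that every caller checks the result. A short comment above afs_genpag() stating that it throttles, may return non-zero, and leaves `*apag` untouched on failure would make the new contract explicit. Minor style point: a blank line between the `afs_int32 code;` declaration and the first statement would read more cleanly.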
@@ -221,11 +226,6 @@ afs_setpag(void)
 
     AFS_STATCNT(afs_setpag);
 
-    code = afs_pag_wait(acred);
-    if (code) {
-	goto done;
-    }
-
     code = afs_genpag(acred, &pag);
     if (code) {
 	goto done;
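Review bot: With the afs_pag_wait() call removed here, nothing in afs_setpag() shows that PAG creation is still throttled; that now depends entirely on the `code = afs_genpag(acred, &pag);` call that follows. A one-line comment at that call saying the throttle lives in afs_genpag() would keep a later cleanup from reintroducing a second wait here or from replacing the call with a direct genpagval() that skips it. The existing `if (code) goto done;` after afs_genpag() already covers the error path, so no behaviour change is needed in this hunk.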
