62524 2004-09-01 09:16 0000 Kernel: sys-kernel/* remote denial-of-service (GENERIC-MAP-NOMATCH) 2009-07-12 19:44:55 0000 1 1 1 Unclassified Gentoo Security Kernel unspecified All All RESOLVED FIXED http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=8cc423214cd76091611f167b3f2695295b814186 [linux <2.6.9] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org gregkh@gentoo.org hanno@gentoo.org hardened-kernel@gentoo.org kang@gentoo.org scox@sig11.org jaervosz@gentoo.org 2004-09-01 09:16:10 0000 Suse just released the following. 1) problem description, brief discussion Various signedness issues and integer overflows have been fixed within kNFSd and the XDR decode functions of kernel 2.6. These bugs can be triggered remotely by sending a package with a trusted source IP address and a write request with a size greater then 2^31. The result will be a kernel Oops, it is unknown if this bug is otherwise exploitable yet. Kernel 2.4 nfsd code is different but may suffer from the same vulnerability. Additionally a local denial-of-service condition via /dev/ptmx, which affects kernel 2.6 only has been fixed. Thanks to Jan Engelhardt for reporting this issue to us. vorlon@gentoo.org 2004-09-02 12:42:11 0000 Reply to the SuSe announcement on bugtraq from Paul Starzetz <paul starzetz de> http://www.securityfocus.com/archive/1/373887 : The iSEC people have read the nfsd code from 2.4 and it seems to be vulnerable too, however only authenticated clients could reach the problematic places at all. Having a writeable NFS share is probably a bad idea anyway... plasmaroo@gentoo.org 2004-09-06 12:34:03 0000 Created an attachment (id=39082) 2.4 NFS Patch plasmaroo@gentoo.org 2004-09-06 12:34:37 0000 Created an attachment (id=39083) 2.6 /dev/ptmx Patch plasmaroo@gentoo.org 2004-09-06 12:37:03 0000 Created an attachment (id=39084) 2.6 /dev/ptmx Patch plasmaroo@gentoo.org 2004-09-06 12:46:29 0000 Greg, can you have a look upstream regarding this XDR issue for 2.6 - I can't confirm whether it is affected or not, and does this needs fixing upstream? Or was this XDR issue fixed by the recent signed->unsigned transitions? gregkh@gentoo.org 2004-09-17 16:32:10 0000 I'm pretty sure this is already fixed in the latest 2.6.8.1 kernel release, right? plasmaroo@gentoo.org 2004-09-18 02:44:09 0000 Well, there don't seem to be any changes suggesting that - looking through SuSE's patches, it seems that they are patching a backported NFS rather than the one present by 2.6.5... Hence the dilemma of whether the upstream source is vulnerable. koon@gentoo.org 2004-11-09 08:33:51 0000 Moving to newly-created kernel-specific category plasmaroo@gentoo.org 2004-11-09 14:35:40 0000 Ok, all patched. The following are externally maintained, so I'm CCing the relevant maintainers. Patches are attached on this bug. grsec-sources -- Adding solar. hardened-dev-sources -- Adding Gentoo/Hardened team. hardened-sources -- Adding scox. hppa(-dev)-sources -- Adding GMSoft. mips-sources -- Adding `Kumba. openmosix-sources -- Adding cluster herd. rsbac(-dev)-sources -- Adding kang. selinux-sources -- Adding pebenito. sparc-sources -- Adding Joker. solar@gentoo.org 2004-11-10 00:16:41 0000 Is there a CAN- number for this one yet? solar@gentoo.org 2004-11-10 00:19:59 0000 patches clean.. Sending linux-2.4.27-nfs3-xdr.patch.bz2 to the mirrors so others can grab it via SRC_URI so we don't end up with alot of kernels with {FILESDIR}/same-patch-as-all-other-2.4.kernels solar@gentoo.org 2004-11-10 00:47:37 0000 grsec-sources patched. Old ebuilds removed. All arches assumed stable. Removing myself from CC: voxus@gentoo.org 2004-11-10 01:30:11 0000 openmosix-sources patched. joker@gentoo.org 2004-11-10 09:26:41 0000 Fixed in sparc-sources-2.4.27-r2 pebenito@gentoo.org 2004-11-10 09:48:42 0000 selinux-sources p.mask'ed as it will be removed soon kumba@gentoo.org 2004-11-19 18:08:08 0000 mips-sources updated. kang@gentoo.org 2004-11-24 01:46:40 0000 - hardened-dev-sources updated - rsbac-dev-sources updated gmsoft@gentoo.org 2004-11-24 09:38:47 0000 hppa-(dev-)sources done. tocharian@gentoo.org 2004-11-28 10:32:02 0000 hardened-sources bumped to 2.4.28 kang@gentoo.org 2004-11-28 15:51:11 0000 rsba-sources bumped to 2.4.28 plasmaroo@gentoo.org 2005-01-15 14:36:00 0000 All kernels fixed, closing bug; notifications are being migrated away from GLSAs for kernels, more news coming soon so stay tuned :-] rbu@gentoo.org 2009-05-03 12:58:11 0000 http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=8cc423214cd76091611f167b3f2695295b814186 39082 2004-09-06 12:34 0000 2.4 NFS Patch 2.4-XDRWrapFix.patch text/plain IyBUaGlzIGlzIGEgQml0S2VlcGVyIGdlbmVyYXRlZCBkaWZmIC1OcnUgc3R5bGUgcGF0Y2guCiMK IyBDaGFuZ2VTZXQKIyAgIDIwMDQvMDgvMTYgMTQ6NTA6MDQtMDM6MDAgbmVpbGJAY3NlLnVuc3cu ZWR1LmF1IAojICAgW1BBVENIXSBGaXhlZCBwb3NzaWJseSB4ZHIgcGFyc2luZyBlcnJvciBpZiB3 cml0ZSBzaXplIGV4Y2VlZCAyXjMxCiMgICAKIyAgIHhkcl9hcmdzaXplX2NoZWNrIG5lZWRzIHRv IGNvcGUgd2l0aCB0aGUgcG9zc2liaWxpdHkgdGhhdCB0aGUKIyAgIHBvaW50ZXIgaGFzIHdyYXBw ZWQgYW5kIGNvdWxkIGJlIGJlbG93IGJ1Zi0+YmFzZS4KIyAgIAojICAgU2lnbmVkLW9mZi1ieTog TmVpbCBCcm93biA8bmVpbGJAY3NlLnVuc3cuZWR1LmF1PgojICAgCiMgICAjIyMgRGlmZnN0YXQg b3V0cHV0CiMgICAgLi9mcy9uZnNkL25mczN4ZHIuYyAgICAgICAgIHwgICAgMiArLQojICAgIC4v aW5jbHVkZS9saW51eC9uZnNkL3hkcjMuaCB8ICAgIDIgKy0KIyAgICAyIGZpbGVzIGNoYW5nZWQs IDIgaW5zZXJ0aW9ucygrKSwgMiBkZWxldGlvbnMoLSkKIyAKIyBmcy9uZnNkL25mczN4ZHIuYwoj ICAgMjAwNC8wOC8xNCAwMDoyMzowNi0wMzowMCBuZWlsYkBjc2UudW5zdy5lZHUuYXUgKzEgLTEK IyAgIEZpeGVkIHBvc3NpYmx5IHhkciBwYXJzaW5nIGVycm9yIGlmIHdyaXRlIHNpemUgZXhjZWVk IDJeMzEKIyAKIyBpbmNsdWRlL2xpbnV4L25mc2QveGRyMy5oCiMgICAyMDA0LzA4LzE1IDIwOjQ4 OjQzLTAzOjAwIG5laWxiQGNzZS51bnN3LmVkdS5hdSArMSAtMQojICAgRml4ZWQgcG9zc2libHkg eGRyIHBhcnNpbmcgZXJyb3IgaWYgd3JpdGUgc2l6ZSBleGNlZWQgMl4zMQojIApkaWZmIC1OcnUg YS9mcy9uZnNkL25mczN4ZHIuYyBiL2ZzL25mc2QvbmZzM3hkci5jCi0tLSBhL2ZzL25mc2QvbmZz M3hkci5jCTIwMDQtMDktMDYgMTE6MjA6MjggLTA3OjAwCisrKyBiL2ZzL25mc2QvbmZzM3hkci5j CTIwMDQtMDktMDYgMTE6MjA6MjggLTA3OjAwCkBAIC0yNzMsNyArMjczLDcgQEAKIHsKIAlzdHJ1 Y3Qgc3ZjX2J1ZgkqYnVmID0gJnJxc3RwLT5ycV9hcmdidWY7CiAKLQlyZXR1cm4gcCAtIGJ1Zi0+ YmFzZSA8PSBidWYtPmJ1ZmxlbjsKKwlyZXR1cm4gcCA+PSBidWYtPmJhc2UgJiYgcCA8PSBidWYt PmJhc2UgKyBidWYtPmJ1ZmxlbiA7CiB9CiAKIHN0YXRpYyBpbmxpbmUgaW50CmRpZmYgLU5ydSBh L2luY2x1ZGUvbGludXgvbmZzZC94ZHIzLmggYi9pbmNsdWRlL2xpbnV4L25mc2QveGRyMy5oCi0t LSBhL2luY2x1ZGUvbGludXgvbmZzZC94ZHIzLmgJMjAwNC0wOS0wNiAxMToyMDoyOCAtMDc6MDAK KysrIGIvaW5jbHVkZS9saW51eC9uZnNkL3hkcjMuaAkyMDA0LTA5LTA2IDExOjIwOjI4IC0wNzow MApAQCAtNDEsNyArNDEsNyBAQAogCV9fdTMyCQkJY291bnQ7CiAJaW50CQkJc3RhYmxlOwogCV9f dTggKgkJCWRhdGE7Ci0JaW50CQkJbGVuOworCV9fdTMyCQkJbGVuOwogfTsKIAogc3RydWN0IG5m c2QzX2NyZWF0ZWFyZ3Mgewo= 39083 2004-09-06 12:34 0000 2.6 /dev/ptmx Patch 2.6-devpts-refcount.patch text/plain SW5kZXg6IGxpbnV4LTIuNi41L2ZzL2RldnB0cy9pbm9kZS5jCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGxpbnV4 LTIuNi41Lm9yaWcvZnMvZGV2cHRzL2lub2RlLmMKKysrIGxpbnV4LTIuNi41L2ZzL2RldnB0cy9p bm9kZS5jCkBAIC0xNzgsOSArMTc4LDEzIEBAIHN0cnVjdCB0dHlfc3RydWN0ICpkZXZwdHNfZ2V0 X3R0eShpbnQgbnUKIHsKIAlzdHJ1Y3QgZGVudHJ5ICpkZW50cnkgPSBnZXRfbm9kZShudW1iZXIp OwogCXN0cnVjdCB0dHlfc3RydWN0ICp0dHk7Ci0KLQl0dHkgPSAoSVNfRVJSKGRlbnRyeSkgfHwg IWRlbnRyeS0+ZF9pbm9kZSkgPyBOVUxMIDoKLQkJCWRlbnRyeS0+ZF9pbm9kZS0+dS5nZW5lcmlj X2lwOworCQorCXR0eSA9IE5VTEw7CisJaWYgKCFJU19FUlIoZGVudHJ5KSkgeworCQlpZiAoZGVu dHJ5LT5kX2lub2RlKQorCQkJdHR5ID0gZGVudHJ5LT5kX2lub2RlLT51LmdlbmVyaWNfaXA7CisJ CWRwdXQoZGVudHJ5KTsKKwl9CiAKIAl1cCgmZGV2cHRzX3Jvb3QtPmRfaW5vZGUtPmlfc2VtKTsK IAo= 39084 2004-09-06 12:37 0000 2.6 /dev/ptmx Patch 2.6-devpts-refcount.patch text/plain SW5kZXg6IGxpbnV4LTIuNi41L2ZzL2RldnB0cy9pbm9kZS5jCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGxpbnV4 LTIuNi41Lm9yaWcvZnMvZGV2cHRzL2lub2RlLmMKKysrIGxpbnV4LTIuNi41L2ZzL2RldnB0cy9p bm9kZS5jCkBAIC0xNzgsOSArMTc4LDEzIEBAIHN0cnVjdCB0dHlfc3RydWN0ICpkZXZwdHNfZ2V0 X3R0eShpbnQgbnUKIHsKIAlzdHJ1Y3QgZGVudHJ5ICpkZW50cnkgPSBnZXRfbm9kZShudW1iZXIp OwogCXN0cnVjdCB0dHlfc3RydWN0ICp0dHk7Ci0KLQl0dHkgPSAoSVNfRVJSKGRlbnRyeSkgfHwg IWRlbnRyeS0+ZF9pbm9kZSkgPyBOVUxMIDoKLQkJCWRlbnRyeS0+ZF9pbm9kZS0+dS5nZW5lcmlj X2lwOworCQorCXR0eSA9IE5VTEw7CisJaWYgKCFJU19FUlIoZGVudHJ5KSkgeworCQlpZiAoZGVu dHJ5LT5kX2lub2RlKQorCQkJdHR5ID0gZGVudHJ5LT5kX2lub2RlLT51LmdlbmVyaWNfaXA7CisJ CWRwdXQoZGVudHJ5KTsKKwl9CiAKIAl1cCgmZGV2cHRzX3Jvb3QtPmRfaW5vZGUtPmlfc2VtKTsK IAo=