74070 2004-12-11 00:47 0000 Remote DoS in 2.6 nfsacl extension 2005-07-21 12:18:20 0000 1 Unclassified Gentoo Security Kernel unspecified All All RESOLVED INVALID http://acl.bestbits.at/pipermail/acl-devel/2005-January/001816.html [2.6 maintainerPatching] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org dholm@gentoo.org gmsoft@gentoo.org kang@gentoo.org kern-sec@gentoo.org jaervosz@gentoo.org 2004-12-11 00:47:50 0000 the sunrpc-multiple-programs patch, which is part of the nfsacl protocol extension for 2.6 kernels, contains a bug that crashes the kernel nfs deamon with a NULL pointer access when a client requests an unknown program number. The incremental fix from Olaf Kirch (thanks) is as follows: Index: linux-2.6.5/net/sunrpc/svc.c =================================================================== --- linux-2.6.5.orig/net/sunrpc/svc.c 2004-11-19 11:22:19.000000000 +0100 +++ linux-2.6.5/net/sunrpc/svc.c 2004-12-10 15:48:40.000000000 +0100 @@ -450,7 +450,7 @@ err_bad_auth: err_bad_prog: #ifdef RPC_PARANOIA if (prog != 100227 || serv->sv_program->pg_prog != 100003) - printk("svc: unknown program %d (me %d)\n", prog, progp->pg_prog); + printk("svc: unknown program %d (me %d)\n", prog, serv->sv_program->pg_prog); /* else it is just a Solaris client seeing if ACLs are supported */ #endif serv->sv_stats->rpcbadfmt++; The version found at http://acl.bestbits.at/nfsacl/2.6.9-rc2/ includes this fix. I will announce this on acl-devel@bestbits.at next week. The 2.4 kernel patches are not affected. koon@gentoo.org 2005-01-13 04:21:37 0000 Now public tocharian@gentoo.org 2005-01-14 01:10:25 0000 Fixed in ~x86 hardened-dev-sources-2.6.10-r2 dsd@gentoo.org 2005-01-19 03:43:46 0000 gentoo-dev-sources is done the patch is here: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.07/dist/1150_sunrpc-nfsacl.patch koon@gentoo.org 2005-03-16 03:16:44 0000 Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these... plasmaroo@gentoo.org 2005-04-07 05:15:48 0000 Created an attachment (id=55551) Patch plasmaroo@gentoo.org 2005-04-07 05:17:19 0000 Following sources still need patching: hppa-sources: Adding GMSoft... mips-sources: Adding Kumba... pegasos-sources: Adding dholm... rsbac-sources: Adding kang... kang@gentoo.org 2005-04-08 02:37:55 0000 rsbac-sources fixed in rsbac-sources-2.6.11-r2 kumba@gentoo.org 2005-04-23 22:21:57 0000 mips-sources fixed. dsd@gentoo.org 2005-06-22 06:53:49 0000 This patch can be dropped. It only applies to the multiple programs (Support multiple program numbers on one RPC transport) functionality provided by the nfsacl extention patches not yet merged upstream. Normal sunrpc users are not affected. plasmaroo@gentoo.org 2005-07-21 12:18:20 0000 Closing bug as per comment #9. 55551 2005-04-07 05:15 0000 Patch 74070.patch text/plain LS0tIGxpbnV4LTIuNi4xMC9uZXQvc3VucnBjL3N2Yy5jLm9yaWcJMjAwNS0wMS0xOCAwMzoxODow OC4yMzUzNjI5OTIgKzAwMDAKKysrIGxpbnV4LTIuNi4xMC9uZXQvc3VucnBjL3N2Yy5jCTIwMDUt MDEtMTggMDM6MTg6MjguNTMyMjc3MzkyICswMDAwCkBAIC00NDYsNyArNDQ2LDcgQEAgZXJyX2Jh ZF9hdXRoOgogZXJyX2JhZF9wcm9nOgogI2lmZGVmIFJQQ19QQVJBTk9JQQogCWlmIChwcm9nICE9 IDEwMDIyNyB8fCBwcm9ncC0+cGdfcHJvZyAhPSAxMDAwMDMpCi0JCXByaW50aygic3ZjOiB1bmtu b3duIHByb2dyYW0gJWQgKG1lICVkKVxuIiwgcHJvZywgcHJvZ3AtPnBnX3Byb2cpOworCQlwcmlu dGsoInN2YzogdW5rbm93biBwcm9ncmFtICVkIChtZSAlZClcbiIsIHByb2csIHNlcnYtPnN2X3By b2dyYW0tPnBnX3Byb2cpOwogCS8qIGVsc2UgaXQgaXMganVzdCBhIFNvbGFyaXMgY2xpZW50IHNl ZWluZyBpZiBBQ0xzIGFyZSBzdXBwb3J0ZWQgKi8KICNlbmRpZgogCXNlcnYtPnN2X3N0YXRzLT5y cGNiYWRmbXQrKzsK