Bug 62524 - Kernel: sys-kernel/* remote denial-of-service (GENERIC-MAP-NOMATCH)
Bug#: 62524 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Kernel
URL:  http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=8cc423214cd76091611f167b3f2695295b814186
Summary: Kernel: sys-kernel/* remote denial-of-service (GENERIC-MAP-NOMATCH)
Keywords:  
Status Whiteboard: [linux <2.6.9]
Opened: 2004-09-01 09:16 0000
Description:
SuSE just released the following.

1) problem description, brief discussion

    Various signedness issues and integer overflows have been fixed within
    kNFSd and the XDR decode functions of kernel 2.6.
    These bugs can be triggered remotely by sending a package with a trusted
    source IP address and a write request with a size greater than 2^31.
    The result will be a kernel Oops; it is unknown if this bug is otherwise
    exploitable yet.
    Kernel 2.4 nfsd code is different but may suffer from the same
    vulnerability.
    Additionally, a local denial-of-service condition via /dev/ptmx, which
    affects kernel 2.6 only, has been fixed. Thanks to Jan Engelhardt for
    reporting this issue to us.
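The signedness pattern the advisory describes, as an added illustration that is not code from the kernel, from SuSE, or from this bug's attachments: an XDR length check that stores the wire length in a signed int beside one that keeps it unsigned and also verifies the payload is really present. MAX_WRITE_LEN, the function names and the sample requests are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-request ceiling standing in for the kernel's write-size limit. */
#define MAX_WRITE_LEN 32768u

/* XDR puts every integer, including an opaque's length prefix, on the wire as
 * 4 big-endian bytes. */
static uint32_t xdr_get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bug pattern: the wire length lands in a signed int. A value >= 2^31 reads as
 * negative, the signed "len > MAX" compare is false, and the bogus value
 * reaches the byte count, where it becomes a huge size_t.
 * Returns 1 if the request is accepted, 0 if rejected. */
int decode_write_len_signed(const unsigned char *msg, size_t msglen, size_t *nbytes)
{
    if (msglen < 4)
        return 0;
    int len = (int)xdr_get_u32(msg);   /* 0x80000000 wraps to INT_MIN on common ABIs */
    if (len > (int)MAX_WRITE_LEN)      /* signed compare: negative len passes */
        return 0;
    if (nbytes)
        *nbytes = (size_t)len;         /* negative len -> enormous copy length */
    return 1;
}

/* Fixed pattern: keep the length unsigned, bound it, and check that the payload
 * actually present behind the header covers it before anything uses it. */
int decode_write_len_unsigned(const unsigned char *msg, size_t msglen, size_t *nbytes)
{
    if (msglen < 4)
        return 0;
    uint32_t len = xdr_get_u32(msg);
    if (len > MAX_WRITE_LEN || (size_t)len > msglen - 4)
        return 0;
    if (nbytes)
        *nbytes = len;
    return 1;
}

/* Constructed samples, not captured traffic: a claimed length of 2^31 with no
 * payload, and a benign 8-byte write. */
static const unsigned char huge_req[4]   = { 0x80, 0x00, 0x00, 0x00 };
static const unsigned char small_req[12] = { 0x00, 0x00, 0x00, 0x08,
                                             'd','a','t','a','d','a','t','a' };
```

Note that without the `(int)` cast on the limit, C's usual arithmetic conversions would promote `len` to unsigned and the check would accidentally hold; the kernel fix made the unsigned treatment explicit rather than relying on that.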

------- Comment #1 From Matthias Geerdsen 2004-09-02 12:42:11 0000 -------
Reply to the SuSE announcement on bugtraq from Paul Starzetz <paul starzetz de>,
http://www.securityfocus.com/archive/1/373887 :

The iSEC people have read the nfsd code from 2.4 and it seems to be 
vulnerable too, however only authenticated clients could reach the 
problematic places at all. Having a writeable NFS share is probably a 
bad idea anyway...

------- Comment #2 From Tim Yamin (RETIRED) 2004-09-06 12:34:03 0000 -------
Created an attachment (id=39082)
2.4 NFS Patch

------- Comment #3 From Tim Yamin (RETIRED) 2004-09-06 12:34:37 0000 -------
Created an attachment (id=39083)
2.6 /dev/ptmx Patch

------- Comment #4 From Tim Yamin (RETIRED) 2004-09-06 12:37:03 0000 -------
Created an attachment (id=39084)
2.6 /dev/ptmx Patch

------- Comment #5 From Tim Yamin (RETIRED) 2004-09-06 12:46:29 0000 -------
Greg, can you have a look upstream regarding this XDR issue for 2.6 - I can't
confirm whether it is affected or not, and does this need fixing upstream? Or
was this XDR issue fixed by the recent signed->unsigned transitions?

------- Comment #6 From Greg Kroah-Hartman 2004-09-17 16:32:10 0000 -------
I'm pretty sure this is already fixed in the latest 2.6.8.1 kernel release,
right?

------- Comment #7 From Tim Yamin (RETIRED) 2004-09-18 02:44:09 0000 -------
Well, there don't seem to be any changes suggesting that - looking through
SuSE's patches, it seems that they are patching a backported NFS rather than
the one present by 2.6.5... Hence the dilemma of whether the upstream source is
vulnerable.

------- Comment #8 From Thierry Carrez (RETIRED) 2004-11-09 08:33:51 0000 -------
Moving to newly-created kernel-specific category

------- Comment #9 From Tim Yamin (RETIRED) 2004-11-09 14:35:40 0000 -------
Ok, all patched. The following are externally maintained, so I'm CCing the
relevant maintainers. Patches are attached on this bug.

grsec-sources -- Adding solar.
hardened-dev-sources -- Adding Gentoo/Hardened team.
hardened-sources -- Adding scox.
hppa(-dev)-sources -- Adding GMSoft.
mips-sources -- Adding `Kumba.
openmosix-sources -- Adding cluster herd.
rsbac(-dev)-sources -- Adding kang.
selinux-sources -- Adding pebenito.
sparc-sources -- Adding Joker.

------- Comment #10 From solar 2004-11-10 00:16:41 0000 -------
Is there a CAN- number for this one yet?

------- Comment #11 From solar 2004-11-10 00:19:59 0000 -------
patches clean.. Sending linux-2.4.27-nfs3-xdr.patch.bz2 to the mirrors so
others can grab it via SRC_URI so we don't end up with a lot of kernels with
{FILESDIR}/same-patch-as-all-other-2.4.kernels

------- Comment #12 From solar 2004-11-10 00:47:37 0000 -------
grsec-sources patched. 
Old ebuilds removed. 
All arches assumed stable. 
Removing myself from CC:

------- Comment #13 From Konstantin Arkhipov 2004-11-10 01:30:11 0000 -------
openmosix-sources patched.

------- Comment #14 From Christian Birchinger 2004-11-10 09:26:41 0000 -------
Fixed in sparc-sources-2.4.27-r2

------- Comment #15 From Chris PeBenito 2004-11-10 09:48:42 0000 -------
selinux-sources p.mask'ed as it will be removed soon

------- Comment #16 From Joshua Kinard 2004-11-19 18:08:08 0000 -------
mips-sources updated.

------- Comment #17 From Guillaume Destuynder (RETIRED) 2004-11-24 01:46:40 0000 -------
- hardened-dev-sources updated
- rsbac-dev-sources updated

------- Comment #18 From Guy Martin 2004-11-24 09:38:47 0000 -------
hppa-(dev-)sources done.

------- Comment #19 From Adam Mondl (RETIRED) 2004-11-28 10:32:02 0000 -------
hardened-sources bumped to 2.4.28

------- Comment #20 From Guillaume Destuynder (RETIRED) 2004-11-28 15:51:11 0000 -------
rsbac-sources bumped to 2.4.28

------- Comment #21 From Tim Yamin (RETIRED) 2005-01-15 14:36:00 0000 -------
All kernels fixed, closing bug; notifications are being migrated away from
GLSAs for kernels, more news coming soon so stay tuned :-]

------- Comment #22 From Robert Buchholz 2009-05-03 12:58:11 0000 -------
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=8cc423214cd76091611f167b3f2695295b814186