Bug 74070 - Remote DoS in 2.6 nfsacl extension
Bug#: 74070 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: INVALID Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Kernel
URL:  http://acl.bestbits.at/pipermail/acl-devel/2005-January/001816.html
Summary: Remote DoS in 2.6 nfsacl extension
Keywords:  
Status Whiteboard: [2.6 maintainerPatching]
Opened: 2004-12-11 00:47 0000
Description:
the sunrpc-multiple-programs patch, which is part of the nfsacl protocol
extension for 2.6 kernels, contains a bug that crashes the kernel nfs
daemon with a NULL pointer access when a client requests an unknown
program number. The incremental fix from Olaf Kirch (thanks) is as
follows:


Index: linux-2.6.5/net/sunrpc/svc.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/svc.c   2004-11-19 11:22:19.000000000 +0100
+++ linux-2.6.5/net/sunrpc/svc.c        2004-12-10 15:48:40.000000000 +0100
@@ -450,7 +450,7 @@ err_bad_auth:
 err_bad_prog:
 #ifdef RPC_PARANOIA
        if (prog != 100227 || serv->sv_program->pg_prog != 100003)
-               printk("svc: unknown program %d (me %d)\n", prog, progp->pg_prog);
+               printk("svc: unknown program %d (me %d)\n", prog, serv->sv_program->pg_prog);
        /* else it is just a Solaris client seeing if ACLs are supported */
 #endif
        serv->sv_stats->rpcbadfmt++;
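Review bot: the one-line change is the correct fix for the reported crash: `err_bad_prog` is reached exactly when the program lookup failed, so `progp` is the NULL result of that lookup and `progp->pg_prog` in the old printk dereferences it; `serv->sv_program->pg_prog`, which the `if` on the preceding line already reads, is the server's own program number and is what "(me %d)" is meant to print. Note that both the printk and the Solaris ACL-probe suppression are inside `#ifdef RPC_PARANOIA`, so only kernels built with that define reach the faulting line, while the `rpcbadfmt++` accounting below runs regardless. Since the bad read is reachable by any unauthenticated client sending an unknown program number, it is worth auditing the rest of this label and the other error labels added by the multiple-programs patch for any remaining use of `progp` after a failed lookup.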


The version found at http://acl.bestbits.at/nfsacl/2.6.9-rc2/ includes
this fix. I will announce this on acl-devel@bestbits.at next week.

The 2.4 kernel patches are not affected.
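As an added illustration, not code from this bug, from Olaf Kirch's patch, or from the kernel, the following user-space C model reproduces the shape of the svc_process() error path that the hunk above corrects: a service carrying several RPC programs on one transport, a lookup that falls through to an `err_bad_prog` label where the lookup pointer is NULL, and the logging that must use the server's own program (`serv->sv_program`) rather than the failed lookup result. The structure and field names (`svc_program`, `svc_serv`, `pg_prog`, `pg_next`, `sv_program`, `rpcbadfmt`, `last_log`) are assumptions chosen to mirror the names in the hunk, not the kernel's real layout; the program numbers 100003 (NFS) and 100227 (NFS_ACL) are the ones in the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shapes loosely modelled on sunrpc's svc_program / svc_serv. The field names
 * are assumptions for this illustration, not the kernel's exact layout. */
struct svc_program {
    uint32_t pg_prog;                 /* RPC program number, e.g. 100003 */
    const char *pg_name;
    struct svc_program *pg_next;      /* next program sharing this transport */
};

struct svc_serv {
    struct svc_program *sv_program;   /* primary program of this service */
    unsigned long rpcbadfmt;          /* stands in for serv->sv_stats->rpcbadfmt */
    char last_log[96];                /* captured "printk" line, empty if none */
};

#define NFS_PROGRAM     100003u       /* program numbers as used in the patch */
#define NFSACL_PROGRAM  100227u

/* Build a service exposing NFS alone, or NFS with NFS_ACL chained behind it
 * (the multiple-programs case). progs must hold at least two entries. */
static void svc_init(struct svc_serv *serv, struct svc_program *progs, int with_acl)
{
    progs[0].pg_prog = NFS_PROGRAM;    progs[0].pg_name = "nfsd";
    progs[1].pg_prog = NFSACL_PROGRAM; progs[1].pg_name = "nfsacl";
    progs[0].pg_next = with_acl ? &progs[1] : NULL;
    progs[1].pg_next = NULL;
    serv->sv_program = &progs[0];
    serv->rpcbadfmt = 0;
    serv->last_log[0] = '\0';
}

/* Dispatch one call for program number `prog`. Returns 0 and sets *out on a
 * known program, -1 on an unknown one. Mirrors the goto-label structure of
 * svc_process(): at err_bad_prog the lookup has failed, so progp is NULL. */
static int svc_dispatch(struct svc_serv *serv, uint32_t prog,
                        struct svc_program **out)
{
    struct svc_program *progp;

    serv->last_log[0] = '\0';
    for (progp = serv->sv_program; progp; progp = progp->pg_next)
        if (progp->pg_prog == prog)
            break;
    if (progp == NULL)
        goto err_bad_prog;

    *out = progp;
    return 0;

err_bad_prog:
    /* The pre-fix kernel line read  "... (me %d)\n", prog, progp->pg_prog
     * here; progp is NULL on this path, so that read faults in the nfsd
     * thread. The server's identity is serv->sv_program, which is valid. */
    if (prog != NFSACL_PROGRAM || serv->sv_program->pg_prog != NFS_PROGRAM)
        snprintf(serv->last_log, sizeof serv->last_log,
                 "svc: unknown program %u (me %u)",
                 (unsigned)prog, (unsigned)serv->sv_program->pg_prog);
    /* else: a Solaris client probing whether ACLs are supported; stay quiet */
    serv->rpcbadfmt++;
    *out = NULL;
    return -1;
}

int main(void)
{
    struct svc_serv serv;
    struct svc_program progs[2];
    struct svc_program *hit;

    svc_init(&serv, progs, 1);               /* NFS + NFS_ACL on one transport */
    svc_dispatch(&serv, NFSACL_PROGRAM, &hit);
    printf("100227 -> %s\n", hit->pg_name);
    svc_dispatch(&serv, 100005u, &hit);      /* unknown (mountd is not served) */
    printf("100005 -> %s [rpcbadfmt=%lu]\n", serv.last_log, serv.rpcbadfmt);

    svc_init(&serv, progs, 0);               /* NFS only: the Solaris probe case */
    svc_dispatch(&serv, NFSACL_PROGRAM, &hit);
    printf("100227 -> %s [rpcbadfmt=%lu]\n",
           serv.last_log[0] ? serv.last_log : "(suppressed)", serv.rpcbadfmt);
    return 0;
}
```

The point the model makes is about error-label hygiene rather than about this one printk: once control reaches a label that is only entered after a lookup failed, every variable that held the lookup result is the one thing that must not be touched there, and any diagnostic on that path has to be built from state that is known to be valid.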

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-13 04:21:37 0000 -------
Now public

------- Comment #2 From Adam Mondl (RETIRED) 2005-01-14 01:10:25 0000 -------
Fixed in ~x86 hardened-dev-sources-2.6.10-r2

------- Comment #3 From Daniel Drake 2005-01-19 03:43:46 0000 -------
gentoo-dev-sources is done
the patch is here: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.07/dist/1150_sunrpc-nfsacl.patch


------- Comment #4 From Thierry Carrez (RETIRED) 2005-03-16 03:16:44 0000 -------
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...

------- Comment #5 From Tim Yamin (RETIRED) 2005-04-07 05:15:48 0000 -------
Created an attachment (id=55551) [details]
Patch

------- Comment #6 From Tim Yamin (RETIRED) 2005-04-07 05:17:19 0000 -------
Following sources still need patching:

hppa-sources: Adding GMSoft...
mips-sources: Adding Kumba...
pegasos-sources: Adding dholm...
rsbac-sources: Adding kang...

------- Comment #7 From Guillaume Destuynder (RETIRED) 2005-04-08 02:37:55 0000 -------
rsbac-sources fixed in rsbac-sources-2.6.11-r2

------- Comment #8 From Joshua Kinard 2005-04-23 22:21:57 0000 -------
mips-sources fixed.

------- Comment #9 From Daniel Drake 2005-06-22 06:53:49 0000 -------
This patch can be dropped. It only applies to the multiple programs (Support
multiple program numbers on one RPC transport) functionality provided by the
nfsacl extension patches not yet merged upstream. Normal sunrpc users are not
affected.

------- Comment #10 From Tim Yamin (RETIRED) 2005-07-21 12:18:20 0000 -------
Closing bug as per comment #9.