The sunrpc-multiple-programs patch, which is part of the nfsacl protocol extension for 2.6 kernels, contains a bug that crashes the kernel nfs daemon with a NULL pointer access when a client requests an unknown program number. The incremental fix from Olaf Kirch (thanks) is as follows: Index: linux-2.6.5/net/sunrpc/svc.c =================================================================== --- linux-2.6.5.orig/net/sunrpc/svc.c 2004-11-19 11:22:19.000000000 +0100 +++ linux-2.6.5/net/sunrpc/svc.c 2004-12-10 15:48:40.000000000 +0100 @@ -450,7 +450,7 @@ err_bad_auth: err_bad_prog: #ifdef RPC_PARANOIA if (prog != 100227 || serv->sv_program->pg_prog != 100003) - printk("svc: unknown program %d (me %d)\n", prog, progp->pg_prog); + printk("svc: unknown program %d (me %d)\n", prog, serv->sv_program->pg_prog); /* else it is just a Solaris client seeing if ACLs are supported */ #endif serv->sv_stats->rpcbadfmt++; The version found at http://acl.bestbits.at/nfsacl/2.6.9-rc2/ includes this fix. I will announce this on acl-devel@bestbits.at next week. The 2.4 kernel patches are not affected.
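Review bot: The corrected printk under err_bad_prog still carries no log level and no rate limit, and per the report this path is taken whenever a client requests an unknown program number, so with RPC_PARANOIA defined a remote client can write to the kernel log as often as it likes. Consider prefixing the message with KERN_WARNING and guarding it with net_ratelimit(). The bare 100227 and 100003 in the condition are the NFSACL and NFS program numbers; named constants would make the Solaris special case in the comment easier to follow. As far as these lines show, the progp dereference being replaced sits inside #ifdef RPC_PARANOIA, which is worth stating in the changelog so that people can tell which builds were exposed.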
Now public
Fixed in ~x86 hardened-dev-sources-2.6.10-r2
gentoo-dev-sources is done; the patch is here: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.07/dist/1150_sunrpc-nfsacl.patch
Mass-CCing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
Created attachment 55551: Patch
Following sources still need patching: hppa-sources: Adding GMSoft... mips-sources: Adding Kumba... pegasos-sources: Adding dholm... rsbac-sources: Adding kang...
rsbac-sources fixed in rsbac-sources-2.6.11-r2
mips-sources fixed.
This patch can be dropped. It only applies to the multiple programs (Support multiple program numbers on one RPC transport) functionality provided by the nfsacl extension patches not yet merged upstream. Normal sunrpc users are not affected.
Closing bug as per comment #9.