
Bug 74070

Summary: Remote DoS in 2.6 nfsacl extension
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: dholm, gmsoft, kang, security-kernel
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://acl.bestbits.at/pipermail/acl-devel/2005-January/001816.html
Whiteboard: [2.6 maintainerPatching]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Patch none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-11 00:47:50 UTC
The sunrpc-multiple-programs patch, which is part of the nfsacl protocol
extension for 2.6 kernels, contains a bug that crashes the kernel nfs
daemon with a NULL pointer access when a client requests an unknown
program number. The incremental fix from Olaf Kirch (thanks) is as
follows:


Index: linux-2.6.5/net/sunrpc/svc.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/svc.c   2004-11-19 11:22:19.000000000 +0100
+++ linux-2.6.5/net/sunrpc/svc.c        2004-12-10 15:48:40.000000000 +0100
@@ -450,7 +450,7 @@ err_bad_auth:
 err_bad_prog:
 #ifdef RPC_PARANOIA
        if (prog != 100227 || serv->sv_program->pg_prog != 100003)
-               printk("svc: unknown program %d (me %d)\n", prog, progp->pg_prog);
+               printk("svc: unknown program %d (me %d)\n", prog, serv->sv_program->pg_prog);
        /* else it is just a Solaris client seeing if ACLs are supported */
 #endif
        serv->sv_stats->rpcbadfmt++;
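
Review bot: The replacement printk under err_bad_prog still has no KERN_ log level and no rate limit, yet the description says this label is reached when a client requests an unknown program number, so with RPC_PARANOIA defined a remote client can produce one log line per such request. Consider adding a level such as KERN_WARNING and guarding the call with net_ratelimit(). The literals 100227 and 100003 in the condition above the printk would also be clearer as named constants, since only the trailing comment hints that 100227 is the ACL probe from Solaris clients. The dereference change itself looks consistent: serv->sv_program is already read in the condition on the preceding line, so the message no longer depends on progp being valid at this label.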


The version found at http://acl.bestbits.at/nfsacl/2.6.9-rc2/ includes
this fix. I will announce this on acl-devel@bestbits.at next week.

The 2.4 kernel patches are not affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-13 04:21:37 UTC
Now public
Comment 2 Adam Mondl (RETIRED) gentoo-dev 2005-01-14 01:10:25 UTC
Fixed in ~x86 hardened-dev-sources-2.6.10-r2
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2005-01-19 03:43:46 UTC
gentoo-dev-sources is done
the patch is here: http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.07/dist/1150_sunrpc-nfsacl.patch

Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 03:16:44 UTC
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...
Comment 5 Tim Yamin (RETIRED) gentoo-dev 2005-04-07 05:15:48 UTC
Created attachment 55551 [details, diff]
Patch
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2005-04-07 05:17:19 UTC
Following sources still need patching:

hppa-sources: Adding GMSoft...
mips-sources: Adding Kumba...
pegasos-sources: Adding dholm...
rsbac-sources: Adding kang...
Comment 7 Guillaume Destuynder (RETIRED) gentoo-dev 2005-04-08 02:37:55 UTC
rsbac-sources fixed in rsbac-sources-2.6.11-r2
Comment 8 Joshua Kinard gentoo-dev 2005-04-23 22:21:57 UTC
mips-sources fixed.
Comment 9 Daniel Drake (RETIRED) gentoo-dev 2005-06-22 06:53:49 UTC
This patch can be dropped. It only applies to the multiple programs (Support
multiple program numbers on one RPC transport) functionality provided by the
nfsacl extension patches not yet merged upstream. Normal sunrpc users are not
affected.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-07-21 12:18:20 UTC
Closing bug as per comment #9.