Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 72113 - net-fs/nfs-utils: buffer overflow on 64bit arches and remote DoS
Summary: net-fs/nfs-utils: buffer overflow on 64bit arches and remote DoS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+] lewk
Depends on:
Reported: 2004-11-22 11:28 UTC by solar (RETIRED)
Modified: 2004-12-13 19:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description solar (RETIRED) gentoo-dev 2004-11-22 11:28:55 UTC
This info comes from Josh Bressers at redhat.
This one was found by Arjan van de Ven.

struct dqblk
    u_int32_t dqb_bhardlimit;   /* absolute limit on disk blks alloc */
    u_int32_t dqb_bsoftlimit;   /* preferred limit on disk blks */
    u_int32_t dqb_curblocks;    /* current block count */
    u_int32_t dqb_ihardlimit;   /* maximum # allocated inodes */
    u_int32_t dqb_isoftlimit;   /* preferred inode limit */
    u_int32_t dqb_curinodes;    /* current # allocated inodes */
    time_t dqb_btime;           /* time limit for excessive disk use */
    time_t dqb_itime;           /* time limit for excessive files */

struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;

rquota_server.c line 171 has the following memcpy:

memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
                (caddr_t *)&dq_dqb, sizeof(struct dqblk));

the goal of the memcpy is to copy the 8 fields from struct dqblk to
the last 8 fields of the struct quota.
That is, 6 ints and 2 time_t's get copied to 8 ints.
On 32 bit machines, that's ok (but ugly) since a time_t is also a 32
bit value; on 64 bit machines time_t is 64 bit though, thus buffer
overflowing the stack.

This information should be assumed to be public.

This issue has been assigned the CVE id CAN-2004-0946.

Comment 1 solar (RETIRED) gentoo-dev 2004-11-22 11:33:10 UTC
I've put a patched -r5 into portage after talking with rphillips. 
He will do the initial testing then unmask for ~arch before calling for arch maintainers to test.

These are the keywords right now.

KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 06:22:41 UTC
These two keyword entries exist in the ebuild atm and this has been sitting in cvs for a week now.

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"

rphillips, is this ready for arches to test and mark stable yet?
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2004-12-02 22:15:09 UTC
Yes, looks good here.

Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-12-03 07:51:49 UTC
archs, please mark nfs-utils-1.0.6-r5 stable.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-03 08:42:47 UTC
Only 64-bit arches are affected... don't forget to enumerate arches on that GLSA
Comment 6 Mike Doty (RETIRED) gentoo-dev 2004-12-04 09:00:33 UTC
stable on amd64, allthough the 2nd "-*" keyword masks it
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2004-12-04 11:52:34 UTC
stable on ppc64. There are two KEYWORDS lines. The KEYWORDS="-*" line should be removed?

Comment 8 Hardave Riar (RETIRED) gentoo-dev 2004-12-04 18:37:03 UTC
Marked stable on mips, will take effect once the second KEYWORDS line is removed.
Comment 9 solar (RETIRED) gentoo-dev 2004-12-04 22:18:44 UTC
Please the next arch to mark anything please remove the KEYWORDS=-* so it can atleast hit ~arches
Comment 10 SpanKY gentoo-dev 2004-12-05 01:34:02 UTC
hppa/ia64/s390 stable
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-05 07:21:18 UTC
Stable on alpha.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2004-12-05 10:25:42 UTC
Stable on sparc and removed the KEYWORDS="-*" line.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-06 01:16:40 UTC
back to ebuild status...
Ubuntu has reported another vulnerability in USN 36-1

a remote DoS vulnerability seems to exist in utils/statd/statd.c (a patch has reportedly been supplied by SGI)

The Ubuntu changelog reads:

+  * SECURITY UPDATE: fix remote Denial of Service, fix buffer overflow on 64
+    bit architectures
+  * utils/statd/statd.c (patch from SGI):
+    - main(): ignore SIGPIPE to continue to run even if a peer prematurely
+      closes his TCP connection
+    - drop_privs(): fix uninitialized st.st_gid value when running as root
+      (not exploitable, but using random group ids might be confusing)
+    - CAN-2004-1014
+  * utils/rquotad/rquota_server.c (Arjan van de Ven):
+    - getquotainfo(): do not use memcpy() to copy
+      values from struct dqblk to struct rquota; on 64 bit architectures time_t
+      is 64 bits wide, but the target fields are only 32 bit, thus causing a
+      buffer overflow
+    - CAN-2004-0946
+    - NOTE: rpc.quotad is not shipped in the debs by default (this is
+      contained in the package "quota" which is not affected by this)
+ -- Martin Pitt <>  Wed,  1 Dec 2004 14:34:34 +0100

All their patches can be found at

net-fs, pls provide an updated ebuild with all necessary patches applied
Comment 14 Ryan Phillips (RETIRED) gentoo-dev 2004-12-06 11:19:54 UTC
I've commited -r6 to the nfs-utils directory... Arches please test and unmask.
Comment 15 Luke Macken (RETIRED) gentoo-dev 2004-12-06 11:37:28 UTC
arches, please mark -r6 stable.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-06 12:09:49 UTC
sparc tasty.
Comment 17 Olivier Crete (RETIRED) gentoo-dev 2004-12-06 13:08:57 UTC
x86 stable
Comment 18 Karol Wojtaszek (RETIRED) gentoo-dev 2004-12-06 14:46:37 UTC
amd64 done
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-06 16:52:15 UTC
-r6 stable on alpha.
Comment 20 Hardave Riar (RETIRED) gentoo-dev 2004-12-07 01:08:10 UTC
Stable on mips.
Comment 21 Jochen Maes (RETIRED) gentoo-dev 2004-12-07 02:08:26 UTC
will take a while because:  

SeJo@powke nfs-utils $ emerge nfs-utils -p

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  N    ] net-nds/portmap-5b-r8  
[ebuild  N    ] net-fs/nfs-utils-1.0.6-r6  

real    0m4.387s
user    0m1.673s
sys     0m0.390s
SeJo@powke nfs-utils $ emerge nfs-utils   
Calculating dependencies ...done!
>>> emerge (1 of 2) net-nds/portmap-5b-r8 to /
>>> md5 src_uri ;-) portmap_5beta.tar.gz
>>> Unpacking source...
>>> Unpacking portmap_5beta.tar.gz to /var/tmp/portage/portmap-5b-r8/work
 * Applying portmap_5beta.dif ...                                         [ ok ]
 * Applying portmap-4.0-malloc.patch ...                                  [ ok ]
 * Applying portmap-4.0-cleanup.patch ...                                 [ ok ]
 * Applying portmap-4.0-rpc_user.patch ...                                [ ok ]
 * Applying portmap-4.0-sigpipe.patch ...                                 [ ok ]
 * Applying portmap-5b-include-errno_h.patch ...                          [ ok ]
>>> Source unpacked.
gcc  -Dperror=xperror -DHOSTS_ACCESS -DCHECK_PORT  -DFACILITY=LOG_AUTH  -DIGNORE                                                                                                                        
_SIGCHLD    -Wall -O2 -pipe -mcpu=7400 -maltivec -mabi=altivec -pipe    -c -o po                                                                                                                        
rtmap.o portmap.c
portmap.c:41: warning: 'sccsid' defined but not used
gcc  -Dperror=xperror -DHOSTS_ACCESS -DCHECK_PORT  -DFACILITY=LOG_AUTH  -DIGNORE                                                                                                                        
_SIGCHLD    -Wall -O2 -pipe -mcpu=7400 -maltivec -mabi=altivec -pipe    -c -o pm                                                                                                                        
ap_check.o pmap_check.c
pmap_check.c:36: warning: 'sccsid' defined but not used
gcc  -Dperror=xperror -DHOSTS_ACCESS -DCHECK_PORT  -DFACILITY=LOG_AUTH  -DIGNORE                                                                                                                        
_SIGCHLD    -Wall -O2 -pipe -mcpu=7400 -maltivec -mabi=altivec -pipe    -c -o fr                                                                                                                        
om_local.o from_local.c
from_local.c:39: warning: 'sccsid' defined but not used
make: *** No rule to make target `//usr/lib/libwrap.a', needed by `portmap'.  St                                                                                                                        

!!! ERROR: net-nds/portmap-5b-r8 failed.
!!! Function src_compile, Line 58, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.

real    0m9.771s
user    0m6.365s
sys     0m3.055s
Comment 22 SpanKY gentoo-dev 2004-12-07 21:42:49 UTC
sejo: i dont know why you posted an unrelated portmap bug to a nfs-utils bug ... search bugzilla and you'll find the easy answer to that failure :P
Comment 23 Guy Martin (RETIRED) gentoo-dev 2004-12-10 05:04:42 UTC
Stable on hppa.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-12-10 08:30:59 UTC
ppc, ppc64 : we need you for that GLSA to go out :)
Comment 25 Joe Jezak (RETIRED) gentoo-dev 2004-12-10 16:39:56 UTC
Marked ppc stable.
Comment 26 Markus Rothe (RETIRED) gentoo-dev 2004-12-10 23:19:53 UTC
finaly stable on ppc64

sorry that this took soooo long.. HD gave up and stage1 on new HD didn't like me :-/
Comment 27 SpanKY gentoo-dev 2004-12-11 15:29:50 UTC
arm/ia64/s390 stable
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2004-12-13 13:56:41 UTC
lewk, please send that GLSA, it's ready now... We'll send it tomorrow if you don't show up.
Comment 29 Luke Macken (RETIRED) gentoo-dev 2004-12-13 19:55:43 UTC
GLSA 200412-08