Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 228964 - CVE-2007-0772 NFSACLv2 ACCESS remote DoS
Summary: CVE-2007-0772 NFSACLv2 ACCESS remote DoS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
: ---
Assignee: Chandrasekar Kannan
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,source=vendorsec,reported=...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-02-16 09:23 UTC by Marcel Holtmann
Modified: 2015-01-04 23:24 UTC (History)
5 users (show)

Fixed In Version: RHEL-4.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-22 22:47:20 UTC


Attachments (Terms of Use)
Proposed patch (deleted)
2007-02-20 19:45 UTC, Peter Staubach
no flags Details | Diff
Proposed patch (deleted)
2007-02-21 15:47 UTC, Peter Staubach
no flags Details | Diff

Description Marcel Holtmann 2007-02-16 09:23:28 UTC
The knfsd code handling the NFSACLv2 ACCESS call has a bogus release handler
defined for it.  Anything that sends a proper NFSACLv2 ACCESS call over the wire
to a NFSACLv2-aware NFS server can cause downstream release-ing code to chomp on
the wrong hunk of memory and potentially lead to a panic. It's not clear that
this code path has been tested much, and the problem has been in Linux kernels
since June 2005:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a257cdd0e2179630d3201c32ba14d7fcb3c3a055

It was discovered at Connectathon 2007, largely thanks to much detective work by
Greg Banks at SGI.

Some workarounds are to either disable NFSv2 entirely, or disable ACLs entirely
(CONFIG_NFSD_V2_ACL=n -and- CONFIG_NFSD_V3_ACL=n).  The "no_acl" export option
isn't sufficient, as the first NFSACL call that the client sends to probe
whether ACLs work will trigger the bug before the flag is checked.  And, just
turning off CONFIG_NFSD_V2_ACL is insuffient, as it's paired with
CONFIG_NFSD_V3_ACL checks in a lot of places.

Comment 2 Lubomir Kundrak 2007-02-20 19:43:43 UTC
No longer embargoed.

Comment 6 Peter Staubach 2007-02-21 15:47:49 UTC
Created attachment 148491 [details]
Proposed patch

The previously attached patch was not the correct patch.  A new patch
has been attached which is tested and correct.

Please note that RHEL-4.5 and RHEL-5.0 are not susceptible to this
issue because they have the NFS_ACL v2 support completed disabled.

If desired, with this patch, the NFS_ACL v2 support could be reenabled
in the config-generic file.


Note You need to log in before you can comment on or make changes to this bug.