Bug 1301581
Summary: | Back port of bz 1163891 required as rpc.mountd can be blocked by a bad client | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Rinku <rkothiya> | |
Component: | nfs-utils | Assignee: | Steve Dickson <steved> | |
Status: | CLOSED ERRATA | QA Contact: | Yongcheng Yang <yoyang> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 6.7 | CC: | cww, djeffery, dwysocha, eguan, fs-qe, mkolaja, ngalvin, sbhat, steved, yoyang | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | nfs-utils-1.2.3-71.el6 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1350702 (view as bug list) | Environment: | ||
Last Closed: | 2017-03-21 11:23:11 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1269194, 1350702 |
Comment 6
Yongcheng Yang
2016-04-19 02:23:39 UTC
I'm not sure about a hotfix for this bug. The first patch header states it is 'experimental'. Are we sure these 3 patches won't have side-effects? I have not reviewed the 3 patches carefully in detail. Might be more appropriate for a Z-stream. SteveD - what do you think - should these be safe or do we need some QE before releasing? commit e4569a0961ff9f059b9ae71327d291cf95399597 Author: Bodo Stroesser <bstroesser.com> Date: Wed Nov 12 09:43:29 2014 -0500 rpc.mountd: set libtirpc nonblocking mode to avoid DOS This patch is experimental. In works fine in that it removes the vulnerability against a DOS attack. rpc.mountd can be blocked by a bad client, that sends many RPC requests but never reads the responses. This might happen intentionally or caused by a wrong network config (MTU). The patch switches on the nonblocking mode of libtirpc. In that mode writes can block for a max of 2 seconds. Attackers are forced to send requests slower, as libtirpc will close a connection if it finds two requests to read at the same time. Reviewed-by: NeilBrown <neilb> Signed-off-by: Bodo Stroesser <bstroesser.com> Signed-off-by: Steve Dickson <steved> (In reply to Dave Wysochanski from comment #11) > I'm not sure about a hotfix for this bug. The first patch header states it > is 'experimental'. Are we sure these 3 patches won't have side-effects? I > have not reviewed the 3 patches carefully in detail. > > Might be more appropriate for a Z-stream. SteveD - what do you think - > should these be safe or do we need some QE before releasing? > > commit e4569a0961ff9f059b9ae71327d291cf95399597 > Author: Bodo Stroesser <bstroesser.com> > Date: Wed Nov 12 09:43:29 2014 -0500 > > rpc.mountd: set libtirpc nonblocking mode to avoid DOS > Its been in place for a number of years and its in RHEL 7 so I'm thinking the three are fairly stable. I agree with going through the Z-stream process allowing QE to do some testing... Moving to VERIFIED according to test logs of Comment #15. Also include this automatic case as regression test in the future. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0741.html |