Bug 228964

Summary: CVE-2007-0772 NFSACLv2 ACCESS remote DoS
Product: Red Hat Enterprise Linux 4
Reporter: Marcel Holtmann <holtmann>
Component: kernel
Assignee: Chandrasekar Kannan <ckannan>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: low
Docs Contact:
Priority: medium
Version: 4.0
CC: benl, jbaron, security-response-team, staubach, steved
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,source=vendorsec,reported=20070212,embargo=yes,public=20070220
Fixed In Version: RHEL-4.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-22 22:47:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Proposed patch (flags: none)
Proposed patch (flags: none)

Description Marcel Holtmann 2007-02-16 09:23:28 UTC
The knfsd code handling the NFSACLv2 ACCESS call has a bogus release handler
defined for it.  Anything that sends a proper NFSACLv2 ACCESS call over the wire
to an NFSACLv2-aware NFS server can cause downstream release-ing code to chomp on
the wrong hunk of memory and potentially lead to a panic. It's not clear that
this code path has been tested much, and the problem has been in Linux kernels
since June 2005:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a257cdd0e2179630d3201c32ba14d7fcb3c3a055

It was discovered at Connectathon 2007, largely thanks to much detective work by
Greg Banks at SGI.

Some workarounds are to either disable NFSv2 entirely, or disable ACLs entirely
(CONFIG_NFSD_V2_ACL=n -and- CONFIG_NFSD_V3_ACL=n).  The "no_acl" export option
isn't sufficient, as the first NFSACL call that the client sends to probe
whether ACLs work will trigger the bug before the flag is checked.  And, just
turning off CONFIG_NFSD_V2_ACL is insufficient, as it's paired with
CONFIG_NFSD_V3_ACL checks in a lot of places.

Comment 2 Lubomir Kundrak 2007-02-20 19:43:43 UTC
No longer embargoed.

Comment 6 Peter Staubach 2007-02-21 15:47:49 UTC
Created attachment 148491
Proposed patch

The previously attached patch was not the correct patch.  A new patch
has been attached which is tested and correct.

Please note that RHEL-4.5 and RHEL-5.0 are not susceptible to this
issue because they have the NFS_ACL v2 support completely disabled.

If desired, with this patch, the NFS_ACL v2 support could be reenabled
in the config-generic file.