Bug 612028 (CVE-2010-2521)

Summary: CVE-2010-2521 kernel: nfsd4: bug in read_buf
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: bhu, bressers, dhoward, eguan, esammons, jkacur, jolsa, lgoncalv, lwang, plyons, rkhan, tao, vgoyal, williams, yanwang
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-04-22 13:26:02 UTC
Bug Depends On: 612030, 612031, 612032, 612033, 612034, 612035, 645207, 645208

Description Eugene Teo (Security Response) 2010-07-07 05:44:15 UTC
Description of problem:
When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to.  So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page.
    
We never encountered this in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that.

Upstream commit:
http://git.kernel.org/linus/2bc3c1179c781b359d4f2f3439cb3df72afc17fc
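
As an added illustration (not code from the kernel or from this bug report), a userspace model of the page-advance step in read_buf() with the defective end computation beside the corrected one from the upstream commit linked above. The struct and function names are simplified assumptions, the request pages are constructed in-process, and the model follows the upstream fix in deriving the corrected end from argp->p rather than from the local bounce-buffer pointer:

```c
#include <stdbool.h>
#include <stdint.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096u
#endif
#define NPAGES 3

/* Simplified stand-in for nfsd4_compoundargs (assumed names, not the kernel struct). */
struct args {
    uint32_t *p;                         /* current decode position */
    uint32_t *end;                       /* end of the buffer p points into */
    uint32_t tmp[8];                     /* bounce buffer for words that straddle pages */
    uint32_t (*pagelist)[PAGE_SIZE / 4]; /* request pages still to be decoded */
    uint32_t pagelen;                    /* bytes remaining across those pages */
};

/* Page-advance branch of read_buf(): fixed == false derives end from the local
 * bounce-buffer pointer p (the defect); fixed == true derives it from argp->p. */
static void advance_page(struct args *argp, bool fixed)
{
    uint32_t *p = argp->tmp;              /* local pointer, as in the kernel function */
    argp->p = argp->pagelist[0];
    argp->pagelist++;
    uint32_t *base = fixed ? argp->p : p;
    if (argp->pagelen < PAGE_SIZE) {
        argp->end = base + (argp->pagelen >> 2);
        argp->pagelen = 0;
    } else {
        argp->end = base + (PAGE_SIZE >> 2);
        argp->pagelen -= PAGE_SIZE;
    }
}

static uint32_t pages[NPAGES][PAGE_SIZE / 4]; /* constructed request pages */

/* Bytes the decoder would trust after advancing (end - p as u32, as READ_BUF
 * computes it), or 0 when end does not even lie inside the new page. */
static uint32_t window_after_advance(uint32_t pagelen, bool fixed)
{
    struct args a = {0};
    a.pagelist = pages;
    a.pagelen = pagelen;
    advance_page(&a, fixed);
    uintptr_t page = (uintptr_t)a.p, end = (uintptr_t)a.end;
    if (end < page || end > page + PAGE_SIZE)
        return 0;                         /* end points outside the page p now uses */
    return (uint32_t)(end - page);
}
```

With the defect, the window check fails because end is an address unrelated to the new page, which is exactly why the u32 comparison in READ_BUF then sees "much more than a page" of space.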

Comment 1 Eugene Teo (Security Response) 2010-07-07 05:46:00 UTC
Introduced in commit 89fc0a31 (v2.5.49) and 099e99f0 (v2.6.0-test3). Fixed in v2.6.34-rc6.

Comment 3 Eugene Teo (Security Response) 2010-07-07 05:49:51 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for Network File System (NFS) version 4. Future updates in Red Hat Enterprise 4, 5, and Red Hat Enterprise MRG may address this flaw.

Comment 10 errata-xmlrpc 2010-08-05 16:47:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0606 https://rhn.redhat.com/errata/RHSA-2010-0606.html

Comment 11 errata-xmlrpc 2010-08-10 18:01:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html

Comment 12 errata-xmlrpc 2010-08-17 15:53:05 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

Comment 13 John Kacur 2010-08-26 18:33:04 UTC
This is not an issue for mrg-1.3 [bug #612031] since we are based on a stable release that already includes this fix.

Comment 16 errata-xmlrpc 2010-11-16 19:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0893 https://rhn.redhat.com/errata/RHSA-2010-0893.html

Comment 17 errata-xmlrpc 2010-11-23 15:19:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0907 https://rhn.redhat.com/errata/RHSA-2010-0907.html