Bug 618841
Field | Value
---|---
Summary | Denial of service attack in Kerberized NFS (v3 and v4)
Product | Red Hat Enterprise Linux 5
Reporter | Jonathan Manton <jmanton>
Component | kernel
Kernel sub component | Storage
Assignee | nfs-maint
QA Contact | Red Hat Kernel QE team <kernel-qe>
Status | CLOSED WONTFIX
Severity | unspecified
Priority | low
CC | bfields, jmanton, johnh
Version | 5.5
Target Milestone | rc
Target Release | ---
Hardware | All
OS | Linux
Doc Type | Bug Fix
Story Points | ---
Last Closed | 2014-06-02 13:17:19 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description
Jonathan Manton
2010-07-27 20:46:33 UTC
This bug exists in the newest mainline kernel (2.6.35) as well. When sunrpc formats the upcall to the user space daemon (svcgssd), it does it in ASCII. This is done in a function called qword_addhex() in net/sunrpc/cache.c. The buffer passed in to qword_addhex() is set to be PAGE_SIZE, which on my kernel is 4096. Each byte encoded takes two bytes in ASCII. So it tries to encode the upcall, fails, and returns a -1 value. What ends up happening is that each nfsd process continuously tries to process the RPC request (checking the cache), without pause. Ultimately what this means is that the current system silently fails (and hangs the NFS server for 30 seconds) if the GSSAPI token is 2048 bytes or larger.

Note this is one of the things that should be fixed by the switch to gss-proxy, kernel code for which will probably land in 3.10.

So the general workaround I've used for this against AD is to set userAccountControl such that the PAC is not included in the ticket (NO_AUTH_DATA_REQUIRED), thus reducing the size and keeping it below this threshold. In general, that seems like a perfectly acceptable workaround. But I'm not clear what the solution is if other services on the same machine require the PAC to be present to function properly. Samba and winbind seem keen to have the PAC, and misbehave somewhat when it's not present, but I can't believe that NFS and Samba together on a fileserver authenticated against AD is an unusual situation. Any suggestions? Will this solution landing in 3.10 actually have any bearing on it being backported to RHEL 5 or 6 (or even 7)?

This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
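A model of the encoding path the reporter describes, added here as an example; it is not the kernel's code and not anything posted in this bug. It follows net/sunrpc/cache.c qword_addhex() and the rsi_request() upcall formatter as I read them (verify against your kernel tree), assumes PAGE_SIZE = 4096 as the reporter states, and fills the handle and token with constructed 0xab bytes. Running it shows that with an empty in_handle the cut-off is a few bytes below 2048 (the "\x" prefixes and separators also consume page space), and that the failure is a silent -1 from the encoder rather than a buffer overflow: nothing is written past the page, the upcall line is simply never completed.

```c
#include <stdio.h>
#include <string.h>

/* PAGE_SIZE on the reporter's kernel; an assumption carried into this model. */
#define MODEL_PAGE_SIZE 4096

/*
 * Model of qword_addhex(): appends "\x", two hex digits per input byte and a
 * trailing ' ' to *bpp, decrements *lp as it goes, and reports "did not fit"
 * by setting *lp = -1 (after which later calls are no-ops). It never writes
 * past the remaining length, so the page cannot overflow.
 */
static void qword_addhex_model(char **bpp, int *lp,
                               const unsigned char *buf, int blen)
{
    static const char hex[] = "0123456789abcdef";
    char *bp = *bpp;
    int len = *lp;

    if (len < 0)
        return;
    if (len > 2) {
        *bp++ = '\\';
        *bp++ = 'x';
        len -= 2;
        while (blen && len >= 2) {
            *bp++ = hex[*buf >> 4];
            *bp++ = hex[*buf & 0x0f];
            buf++;
            len -= 2;
            blen--;
        }
    }
    if (blen || len < 1)
        len = -1;          /* input left over, or no room for the separator */
    else {
        *bp++ = ' ';
        len--;
    }
    *bpp = bp;
    *lp = len;
}

/*
 * Model of rsi_request(): the upcall line is hex(in_handle) ' ' hex(in_token)
 * '\n' built into one page. Returns the line length, or -1 if it did not fit.
 */
static int format_rsi_upcall(char *page, int page_size,
                             const unsigned char *handle, int handle_len,
                             const unsigned char *token, int token_len)
{
    char *bp = page;
    int len = page_size;

    qword_addhex_model(&bp, &len, handle, handle_len);
    qword_addhex_model(&bp, &len, token, token_len);
    if (len < 0)
        return -1;
    bp[-1] = '\n';         /* the kernel swaps the final ' ' for '\n' */
    return (int)(bp - page);
}

/* Largest token that fits: page minus encoded handle ("\x" + 2*n + ' ')
 * minus the token's own "\x" and '\n', halved for two hex digits per byte. */
static int max_token_len(int page_size, int handle_len)
{
    int avail = page_size - (2 + 2 * handle_len + 1) - (2 + 1);
    return avail < 0 ? 0 : avail / 2;
}

/* Scratch page and constructed sample data (all 0xab) to probe a size. */
static char g_page[MODEL_PAGE_SIZE];

static int probe_token(int handle_len, int token_len)
{
    static unsigned char handle[MODEL_PAGE_SIZE], token[MODEL_PAGE_SIZE];

    if (handle_len > MODEL_PAGE_SIZE || token_len > MODEL_PAGE_SIZE)
        return -1;
    memset(handle, 0xab, handle_len);
    memset(token, 0xab, token_len);
    return format_rsi_upcall(g_page, MODEL_PAGE_SIZE,
                             handle, handle_len, token, token_len);
}

int main(void)
{
    int sizes[] = { 1024, 2045, 2046, 2048, 4096 };
    size_t i;

    printf("max token with empty handle: %d bytes\n",
           max_token_len(MODEL_PAGE_SIZE, 0));
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int n = probe_token(0, sizes[i]);
        printf("token %4d bytes: %s\n", sizes[i],
               n < 0 ? "upcall does not fit; svcgssd never sees it" : "fits");
    }
    return 0;
}
```

Build with `gcc -Wall -o upcall_model upcall_model.c && ./upcall_model`. The threshold moves down by one byte for every byte of in_handle, so a non-empty context handle on a later upcall shrinks the usable token size further; the PAC-stripping workaround in the thread works because it removes the bulk of the AP-REQ authorization data, not because it changes anything in this path.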