Bug 747106 (CVE-2011-4131)

Summary: CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Jian Li <jiali>
Severity: medium
Priority: medium
Version: unspecified
CC: anton, arozansk, bfields, bhu, davids, dhoward, dhowells, fhrbata, jiali, jkacur, jlayton, jwest, kernel-mgr, lgoncalv, lwang, nmurray, plougher, rt-maint, rwheeler, security-response-team, sforsber, sprabhu, steved, vgoyal, williams
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-24 05:29:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 753227, 753228, 753230, 753231, 753232, 753236, 761378
Bug Blocks: 746922, 767288, 784298

Description Petr Matousek 2011-10-18 20:18:37 UTC
nfs4_getfacl decoding causes a kernel Oops when a server returns more than 2 GETATTR bitmap words in response to the FATTR4_ACL attribute request.

While the NFS client only asks for one attribute (FATTR4_ACL) in the first bitmap word, the NFSv4 protocol allows for the server to return unbounded bitmaps.

Upstream commit:
e5012d1f3861d18c7f3814e757c1c3ab3741dbcd - incomplete, handles only the case when 2 words are expected and 3 are returned

Proposed complete upstream patch:
http://www.spinics.net/lists/linux-nfs/msg25288.html

Acknowledgements:

Red Hat would like to thank Andy Adamson for reporting this issue.
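
The decoding problem the report describes, shown as an added example that is not the kernel's code and not from this bug: a bounded XDR bitmap4 decoder in C that accepts a GETATTR reply carrying more bitmap words than the client asked for (three words where the client's array holds two), keeps the words it has room for, discards the rest instead of writing past the array, and rejects a word count that the remaining bytes cannot back. The reply bytes are constructed for this example; the two-word client array size and the helper names (`xdr_get_u32`, `nfs4_decode_bitmap`) are assumptions. FATTR4_ACL is attribute number 12 in RFC 3530, i.e. bit 12 of word 0.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the client's fixed bitmap array. The client in this report asks
 * for one attribute (FATTR4_ACL) in word 0, but a server may legally reply
 * with any number of bitmap words. Two words is an assumption here. */
#define NFS4_BITMAP_WORDS 2

/* FATTR4_ACL is attribute number 12 (RFC 3530): bit 12 of bitmap word 0. */
#define FATTR4_WORD0_ACL (1u << 12)

/* Read one big-endian XDR uint32 at *off. Returns 0 on success, -1 if fewer
 * than four bytes remain. *off never moves past len. */
static int xdr_get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4)
        return -1;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 0;
}

/* Decode an XDR bitmap4 (uint32 count followed by count uint32 words) into
 * the client's fixed-size array. Words beyond NFS4_BITMAP_WORDS are consumed
 * and dropped rather than written past the array. Returns the number of
 * words the server sent, or -1 if the reply is malformed or truncated. */
int nfs4_decode_bitmap(const uint8_t *buf, size_t len, size_t *off,
                       uint32_t bm[NFS4_BITMAP_WORDS])
{
    uint32_t count, word;

    memset(bm, 0, NFS4_BITMAP_WORDS * sizeof(uint32_t));
    if (xdr_get_u32(buf, len, off, &count) < 0)
        return -1;
    /* A count the remaining bytes cannot back is a malformed reply; checking
     * up front also avoids looping on a huge server-chosen count. */
    if (count > (len - *off) / 4)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (xdr_get_u32(buf, len, off, &word) < 0)
            return -1;
        if (i < NFS4_BITMAP_WORDS)
            bm[i] = word;
        /* else: extra word from the server, read and discarded */
    }
    return (int)count;
}

/* Constructed sample: the server replies with THREE bitmap words; word 0 has
 * FATTR4_ACL set and word 2 (beyond the client's array) has a bit set. */
const uint8_t sample_reply_3words[] = {
    0x00, 0x00, 0x00, 0x03,   /* count = 3 */
    0x00, 0x00, 0x10, 0x00,   /* word 0: FATTR4_ACL */
    0x00, 0x00, 0x00, 0x00,   /* word 1 */
    0x00, 0x00, 0x00, 0x01,   /* word 2: not kept by the client */
};

/* Constructed sample: count claims 3 words but only one follows. */
const uint8_t sample_reply_truncated[] = {
    0x00, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x10, 0x00,
};

int main(void)
{
    uint32_t bm[NFS4_BITMAP_WORDS];
    size_t off = 0;
    int n = nfs4_decode_bitmap(sample_reply_3words, sizeof sample_reply_3words, &off, bm);
    printf("server sent %d words; kept word0=0x%08x word1=0x%08x; ACL bit %s\n",
           n, bm[0], bm[1], (bm[0] & FATTR4_WORD0_ACL) ? "set" : "clear");
    off = 0;
    n = nfs4_decode_bitmap(sample_reply_truncated, sizeof sample_reply_truncated, &off, bm);
    printf("truncated reply -> %d\n", n);
    return 0;
}
```

The two checks that matter are the length check before the loop and the `i < NFS4_BITMAP_WORDS` guard inside it: the first keeps a bogus count from driving the decoder off the end of the buffer, the second keeps a legitimate but longer-than-expected bitmap from overrunning the client's array, which is the condition this report describes.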

Comment 7 Petr Matousek 2011-11-11 16:37:42 UTC
Statement:

This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 as it does not provide support for NFS ACLs. This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 5. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html. Future kernel updates in Red Hat Enterprise Linux 6 may address this issue.

Comment 8 Petr Matousek 2011-11-11 16:57:58 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 753236]

Comment 9 Jeff Layton 2011-11-22 15:16:28 UTC
At this point, I'm waiting to see if Trond plans to take the patch. Once he confirms that I'll backport it for RHEL5 and 6.

Comment 10 Eugene Teo (Security Response) 2011-11-30 06:55:25 UTC
(In reply to comment #9)
> At this point, I'm waiting to see if Trond plans to take the patch. Once he
> confirms that I'll backport it for RHEL5 and 6.

Jeff, what's the status? Are they using the patch for the upstream kernel?

Comment 11 Jeff Layton 2011-11-30 11:13:26 UTC
I've handed this bug off to Sachin who has found a bug in the upstream patch.

Comment 19 errata-xmlrpc 2012-02-23 20:22:58 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html

Comment 28 Petr Matousek 2012-05-15 06:54:35 UTC
Complete fix consists of the following upstream Linux kernel commits:

bf118a342f10dafe44b14451a1392c3254629a1f
20e0fa98b751facf9a1101edaefbc19c82616a68
5794d21ef4639f0e33440927bb903f9598c21e92
5a00689930ab975fdd1b37b034475017e460cf2a

Comment 29 errata-xmlrpc 2012-06-20 07:58:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0862 https://rhn.redhat.com/errata/RHSA-2012-0862.html

Comment 31 errata-xmlrpc 2012-12-04 20:33:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1541 https://rhn.redhat.com/errata/RHSA-2012-1541.html