Bug 1301581 - Back port of bz 1163891 required as rpc.mountd can be blocked by a bad client
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils
Version: 6.7
Hardware: x86_64 Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Steve Dickson
QA Contact: Yongcheng Yang
Keywords: ZStream
Duplicates: 1205573
Depends On:
Blocks: 1269194 1350702
Reported: 2016-01-25 07:43 EST by Rinku
Modified: 2017-03-21 07:23 EDT
CC List: 10 users

See Also:
Fixed In Version: nfs-utils-1.2.3-71.el6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1350702
Environment:
Last Closed: 2017-03-21 07:23:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Comment 6 Yongcheng Yang 2016-04-18 22:23:39 EDT
*** Bug 1205573 has been marked as a duplicate of this bug. ***
Comment 11 Dave Wysochanski 2016-06-22 11:28:23 EDT
I'm not sure about a hotfix for this bug.  The first patch header states it is 'experimental'.  Are we sure these 3 patches won't have side-effects?  I have not reviewed the 3 patches carefully in detail.

Might be more appropriate for a Z-stream.  SteveD - what do you think - should these be safe or do we need some QE before releasing?

commit e4569a0961ff9f059b9ae71327d291cf95399597
Author: Bodo Stroesser <bstroesser@ts.fujitsu.com>
Date:   Wed Nov 12 09:43:29 2014 -0500

    rpc.mountd: set libtirpc nonblocking mode to avoid DOS
    
    This patch is experimental. It works fine in that it removes the
    vulnerability against a DOS attack. rpc.mountd can be blocked by
    a bad client, that sends many RPC requests but never reads the
    responses. This might happen intentionally or caused by a wrong
    network config (MTU). The patch switches on the nonblocking
    mode of libtirpc. In that mode writes can block for a max of 2 seconds.
    Attackers are forced to send requests slower, as libtirpc will close
    a connection if it finds two requests to read at the same time.
    
    Reviewed-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com>
    Signed-off-by: Steve Dickson <steved@redhat.com>
Comment 12 Steve Dickson 2016-06-27 07:27:54 EDT
(In reply to Dave Wysochanski from comment #11)
> I'm not sure about a hotfix for this bug.  The first patch header states it
> is 'experimental'.  Are we sure these 3 patches won't have side-effects?  I
> have not reviewed the 3 patches carefully in detail.
> 
> Might be more appropriate for a Z-stream.  SteveD - what do you think -
> should these be safe or do we need some QE before releasing?
> 
> commit e4569a0961ff9f059b9ae71327d291cf95399597
> Author: Bodo Stroesser <bstroesser@ts.fujitsu.com>
> Date:   Wed Nov 12 09:43:29 2014 -0500
> 
>     rpc.mountd: set libtirpc nonblocking mode to avoid DOS
>     
It's been in place for a number of years and it's in RHEL 7
so I'm thinking the three are fairly stable.

I agree with going through the Z-stream process allowing 
QE to do some testing...
Comment 16 Yongcheng Yang 2016-11-01 03:19:52 EDT
Moving to VERIFIED according to test logs of Comment #15.

Also include this automatic case as regression test in the future.
Comment 18 errata-xmlrpc 2017-03-21 07:23:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0741.html
