Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 138063 - CAN-2004-0946 buffer overflow in rquotad
CAN-2004-0946 buffer overflow in rquotad
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: nfs-utils (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Brian Stein
Ben Levenson
: Security
Depends On:
  Show dependency treegraph
Reported: 2004-11-04 06:19 EST by Brian Stein
Modified: 2013-03-01 00:14 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-01-12 13:48:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:014 normal SHIPPED_LIVE Important: nfs-utils security update 2005-01-12 00:00:00 EST

  None (edit)
Description Arjan van de Ven 2004-11-04 06:19:32 EST
Description of problem:

struct dqblk
    u_int32_t dqb_bhardlimit;   /* absolute limit on disk blks alloc */
    u_int32_t dqb_bsoftlimit;   /* preferred limit on disk blks */
    u_int32_t dqb_curblocks;    /* current block count */
    u_int32_t dqb_ihardlimit;   /* maximum # allocated inodes */
    u_int32_t dqb_isoftlimit;   /* preferred inode limit */
    u_int32_t dqb_curinodes;    /* current # allocated inodes */
    time_t dqb_btime;           /* time limit for excessive disk use */
    time_t dqb_itime;           /* time limit for excessive files */

struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;

rquota_server.c line 171 has the following memcpy:

memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
                (caddr_t *)&dq_dqb, sizeof(struct dqblk));
the goal of the memcpy is to copy the 8 fields from struct dqblk to 
the last 8 fields of the struct quota.
That is, 6 ints and 2 time_t's get copied to 8 ints.
On 32 bit machines, that's ok (but ugly) since a time_t is also a 32
bit value; on 64 bit machines time_t is 64 bit though, thus buffer
overflowing the stack.

This information should be assumed to be public.
Comment 1 Mark J. Cox 2004-11-04 08:25:29 EST
Found by Arjan; suggested embaro on advisories Nov17 1400UTC
Comment 2 Josh Bressers 2004-11-04 10:40:55 EST
My analysis of this issue says it may be able for a remote NFS user to
exploit this, but it won't be easy.  In order to exploit this issue,
the attacker has to control the time they poll rquotad to a very
precise interval, which could lead to a 16 byte overflow on a 64 bit
system.  The ability execute anything of value in those 16 bytes is
questionable, since ideally the attacker doesn't have unrestricted
access to the server.  In theory the attacker will be able to control
64 total bytes of data.
Comment 3 Josh Bressers 2004-11-04 11:27:17 EST
This issue also affects RHEL2.1
Comment 4 Steve Dickson 2004-11-11 15:09:31 EST
This should be fixed in nfs-utils-0.3.3-10.src.rpm
Comment 5 Mark J. Cox 2005-01-12 04:37:40 EST
Removing security sensitive tag
Comment 6 Josh Bressers 2005-01-12 13:48:07 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.