Bug 138063 - CAN-2004-0946 buffer overflow in rquotad
Summary: CAN-2004-0946 buffer overflow in rquotad
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: nfs-utils
Version: 2.1
Hardware: All Linux
Target Milestone: ---
Assignee: Brian Stein
QA Contact: Ben Levenson
Whiteboard: embargo=20041117:14,impact=moderate
Keywords: Security
Depends On:
Reported: 2004-11-04 11:19 UTC by Brian Stein
Modified: 2013-03-01 05:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-01-12 18:48:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:014 normal SHIPPED_LIVE Important: nfs-utils security update 2005-01-12 05:00:00 UTC

Description Arjan van de Ven 2004-11-04 11:19:32 UTC
Description of problem:

struct dqblk {
    u_int32_t dqb_bhardlimit;   /* absolute limit on disk blks alloc */
    u_int32_t dqb_bsoftlimit;   /* preferred limit on disk blks */
    u_int32_t dqb_curblocks;    /* current block count */
    u_int32_t dqb_ihardlimit;   /* maximum # allocated inodes */
    u_int32_t dqb_isoftlimit;   /* preferred inode limit */
    u_int32_t dqb_curinodes;    /* current # allocated inodes */
    time_t dqb_btime;           /* time limit for excessive disk use */
    time_t dqb_itime;           /* time limit for excessive files */
};

struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;    /* first of the 8 u_int fields the memcpy targets */
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;     /* last field; the copy must end here */
};

rquota_server.c line 171 has the following memcpy:

memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
                (caddr_t *)&dq_dqb, sizeof(struct dqblk));
The goal of the memcpy is to copy the 8 fields from struct dqblk to
the last 8 fields of struct rquota.
That is, 6 ints and 2 time_t's get copied to 8 ints.
On 32 bit machines, that's ok (but ugly) since a time_t is also a 32
bit value; on 64 bit machines time_t is 64 bit though, thus
overflowing the buffer on the stack.

This information should be assumed to be public.
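
The size mismatch described in the report, as an added example that is not part of the bug report or of the nfs-utils sources. The two struct layouts are the ones quoted above (bool_t modelled as int); the probe harness with its canary, the sample quota values and the field-by-field copy are constructed here to make the overwrite observable. On an LP64 system sizeof(struct dqblk) is 6*4 + 2*8 = 40 bytes, while the eight u_int fields from rq_bhardlimit onward provide 32 bytes of room, so the memcpy spills the 8 bytes of dqb_itime past rq_ftimeleft; with a 32-bit time_t the two sizes coincide and nothing spills.

```c
/*
 * Added example (not nfs-utils code): reproduces the size mismatch behind
 * CAN-2004-0946. Struct layouts follow the bug description; the probe
 * harness, sample values and the hardened copy are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct dqblk {
    uint32_t dqb_bhardlimit;
    uint32_t dqb_bsoftlimit;
    uint32_t dqb_curblocks;
    uint32_t dqb_ihardlimit;
    uint32_t dqb_isoftlimit;
    uint32_t dqb_curinodes;
    time_t   dqb_btime;      /* 4 bytes on i386, 8 bytes on x86_64 */
    time_t   dqb_itime;
};

struct rquota {
    int      rq_bsize;
    int      rq_active;      /* bool_t in the XDR-generated header */
    uint32_t rq_bhardlimit;  /* the memcpy starts writing here ... */
    uint32_t rq_bsoftlimit;
    uint32_t rq_curblocks;
    uint32_t rq_fhardlimit;
    uint32_t rq_fsoftlimit;
    uint32_t rq_curfiles;
    uint32_t rq_btimeleft;
    uint32_t rq_ftimeleft;   /* ... and must stop here (32 bytes of room) */
};

/* Constructed harness: a canary directly after the reply struct so the
 * overwrite can be observed without corrupting anything real. */
struct probe {
    struct rquota rq;
    uint64_t canary[2];
};

/* Bytes the original memcpy writes past rq_ftimeleft:
 * 0 with a 32-bit time_t, 8 with a 64-bit time_t. */
size_t rquota_overflow_bytes(void)
{
    size_t room = sizeof(struct rquota) - offsetof(struct rquota, rq_bhardlimit);
    size_t src  = sizeof(struct dqblk);
    return src > room ? src - room : 0;
}

/* The copy as the report describes it: sizeof(struct dqblk) bytes into a
 * destination with only 8 * sizeof(u_int) bytes left. The destination is
 * addressed as raw bytes of the probe so the write stays inside the harness. */
static void vulnerable_copy(struct probe *p, const struct dqblk *dq)
{
    char *dst = (char *)p + offsetof(struct probe, rq)
                          + offsetof(struct rquota, rq_bhardlimit);
    memcpy(dst, dq, sizeof(struct dqblk));
}

/* Hardened form: copy field by field, so the width of time_t no longer
 * decides how many bytes land in the reply. */
static void safe_copy(struct rquota *rq, const struct dqblk *dq)
{
    rq->rq_bhardlimit = dq->dqb_bhardlimit;
    rq->rq_bsoftlimit = dq->dqb_bsoftlimit;
    rq->rq_curblocks  = dq->dqb_curblocks;
    rq->rq_fhardlimit = dq->dqb_ihardlimit;
    rq->rq_fsoftlimit = dq->dqb_isoftlimit;
    rq->rq_curfiles   = dq->dqb_curinodes;
    rq->rq_btimeleft  = (uint32_t)dq->dqb_btime;
    rq->rq_ftimeleft  = (uint32_t)dq->dqb_itime;
}

/* Constructed sample quota record; the time fields carry recognisable bytes. */
static struct dqblk sample_dqblk(void)
{
    struct dqblk dq = { 1000, 900, 500, 100, 90, 50,
                        (time_t)0x1111222233334444LL,
                        (time_t)0x4142434445464748LL };
    return dq;
}

/* Runs the vulnerable copy and returns the first canary word: it equals the
 * bytes of dqb_itime when time_t is 64-bit, and is untouched otherwise. */
uint64_t canary_after_vulnerable_copy(void)
{
    struct probe p;
    struct dqblk dq = sample_dqblk();
    memset(&p, 0, sizeof p);
    p.canary[0] = p.canary[1] = 0xCCCCCCCCCCCCCCCCULL;
    vulnerable_copy(&p, &dq);
    return p.canary[0];
}

/* Runs the hardened copy; returns 1 if the canary survived and the time
 * fields were truncated into the last two u_int slots. */
int safe_copy_keeps_canary(void)
{
    struct probe p;
    struct dqblk dq = sample_dqblk();
    memset(&p, 0, sizeof p);
    p.canary[0] = p.canary[1] = 0xCCCCCCCCCCCCCCCCULL;
    safe_copy(&p.rq, &dq);
    return p.canary[0] == 0xCCCCCCCCCCCCCCCCULL
        && p.rq.rq_ftimeleft == (uint32_t)dq.dqb_itime;
}

int main(void)
{
    printf("sizeof(time_t)=%zu, overflow=%zu bytes\n",
           sizeof(time_t), rquota_overflow_bytes());
    printf("canary after vulnerable copy: 0x%016llx\n",
           (unsigned long long)canary_after_vulnerable_copy());
    printf("safe copy keeps canary: %d\n", safe_copy_keeps_canary());
    return 0;
}
```

Build with plain `cc -Wall example.c`; on x86_64 the canary prints as 0x4142434445464748, i.e. the whole of dqb_itime lands past the end of the reply struct, and the same binary on i386 (32-bit time_t) reports 0 bytes of overflow with the canary intact. The hardened copy also makes the truncation of time_t to u_int explicit instead of leaving it to whatever bytes the memcpy happens to line up.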

Comment 1 Mark J. Cox 2004-11-04 13:25:29 UTC
Found by Arjan; suggested embargo on advisories Nov17 1400UTC

Comment 2 Josh Bressers 2004-11-04 15:40:55 UTC
My analysis of this issue says it may be possible for a remote NFS user to
exploit this, but it won't be easy.  In order to exploit this issue,
the attacker has to control the time they poll rquotad to a very
precise interval, which could lead to a 16 byte overflow on a 64 bit
system.  The ability to execute anything of value in those 16 bytes is
questionable, since ideally the attacker doesn't have unrestricted
access to the server.  In theory the attacker will be able to control
64 total bytes of data.

Comment 3 Josh Bressers 2004-11-04 16:27:17 UTC
This issue also affects RHEL2.1

Comment 4 Steve Dickson 2004-11-11 20:09:31 UTC
This should be fixed in nfs-utils-0.3.3-10.src.rpm

Comment 5 Mark J. Cox 2005-01-12 09:37:40 UTC
Removing security sensitive tag

Comment 6 Josh Bressers 2005-01-12 18:48:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
