Bug 138098 - CAN-2004-0946 buffer overflow in rquotad
CAN-2004-0946 buffer overflow in rquotad
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: nfs-utils (Show other bugs)
fc2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, 1, rh90, rh73, 2,
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-04 11:41 EST by Josh Bressers
Modified: 2007-04-18 13:14 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-25 09:55:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2004-11-04 11:41:31 EST
Description of problem:

struct dqblk
  {
    u_int32_t dqb_bhardlimit;   /* absolute limit on disk blks alloc */
    u_int32_t dqb_bsoftlimit;   /* preferred limit on disk blks */
    u_int32_t dqb_curblocks;    /* current block count */
    u_int32_t dqb_ihardlimit;   /* maximum # allocated inodes */
    u_int32_t dqb_isoftlimit;   /* preferred inode limit */
    u_int32_t dqb_curinodes;    /* current # allocated inodes */
    time_t dqb_btime;           /* time limit for excessive disk use */
    time_t dqb_itime;           /* time limit for excessive files */
  };

struct rquota {
        int rq_bsize;
        bool_t rq_active;
        u_int rq_bhardlimit;
        u_int rq_bsoftlimit;
        u_int rq_curblocks;
        u_int rq_fhardlimit;
        u_int rq_fsoftlimit;
        u_int rq_curfiles;
        u_int rq_btimeleft;
        u_int rq_ftimeleft;
};

rquota_server.c line 171 has the following memcpy:

memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
                (caddr_t *)&dq_dqb, sizeof(struct dqblk));
                                                                     
                                                     
the goal of the memcpy is to copy the 8 fields from struct dqblk to 
the last 8 fields of the struct quota.
That is, 6 ints and 2 time_t's get copied to 8 ints.
On 32 bit machines, that's ok (but ugly) since a time_t is also a 32
bit value; on 64 bit machines time_t is 64 bit though, thus buffer
overflowing the stack.



My analysis of this issue says it may be able for a remote NFS user to
exploit this, but it won't be easy.  In order to exploit this issue,
the attacker has to control the time they poll rquotad to a very
precise interval, which could lead to a 16 byte overflow on a 64 bit
system.  The ability execute anything of value in those 16 bytes is
questionable, since ideally the attacker doesn't have unrestricted
access to the server.  In theory the attacker will be able to control
64 total bytes of data.



This issue should also affect FC3
Comment 1 Josh Bressers 2005-01-18 13:53:22 EST
Lifting embargo, ping on this issue?
Comment 2 Matthew Miller 2005-04-11 18:20:02 EDT
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Comment 3 Matthew Miller 2005-04-12 00:44:37 EDT
This appears to be fixed in FC3 -- I think it's
nfs-utils-1.0.6-rquotad-overflow.patch and this changelog entry:

* Sat Nov 20 2004 Steve Dickson <SteveD@RedHat.com>
- Replaced a memcopy with explicit assignments
  in getquotainfo() of rquotad to fix potential overflow
  that can occur on 64bit machines. (bz 138068)

Not sure if the bugzilla number there is a typo and meant to refer to this one,
since bug #138068 is restricted.

Anyway, the nfs-utils update in FC2 updates/testing does *not* appear to address
this. (It jumps straight past all of the updates FC3 got between May 18 and Dec
02 -- some of the changes there might not be good for FC2, but some of them,
like this one, appear to be worth fixing.)
Comment 4 Steve Dickson 2005-04-12 11:49:59 EDT
bz 138068 is not a typo... I'm not sure why its restricted but
definitely a valid bz number...

The nfs-utils-1.0.6-46  is the correct rpm version. Please
ensure you are using that version or higher version
Comment 5 Matthew Miller 2005-04-12 11:57:01 EDT
FC3 updates has nfs-utils-1.0.6-52 -- would it be appropriate to jump to that
for FC2 too? Thanks for your help.
Comment 6 Marc Deslauriers 2005-04-20 19:37:44 EDT
This issue probably affects other FL releases also.
Comment 7 Jeff Sheltren 2005-11-14 19:38:36 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created updated packages to fix this issue.

http://www.cs.ucsb.edu/~jeff/legacy/nfs-utils/

rh73:
ef642e4180ce73bed914ee79ef605d8770e661f6  nfs-utils-0.3.3-6.73.2.legacy.src.rpm
rh9:
e5d89b25526783659b54fd0dd85b4a89d51a57c3  nfs-utils-1.0.1-3.9.2.legacy.src.rpm
fc1:
af024e6fcd8c853798b9880aa0b960c06a34e5f9  nfs-utils-1.0.6-1.2.legacy.src.rpm
fc2:
af76cee72b6f9ce6d0fb062471ecc376f41ba2ee  nfs-utils-1.0.6-22.1.legacy.src.rpm

The rh73 patch comes from RHEL2, the rest use the RHEL3 patch.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDeS6EKe7MLJjUbNMRAvg6AJ9VCMbHZ/TD7Vj+gEe/qRp8QxQFNgCgmDrL
5R+BpKktazH+cuLU3ga/BE0=
=V8cR
-----END PGP SIGNATURE-----
Comment 8 Pekka Savola 2005-11-16 01:55:08 EST
Does this also fix the following?

CVE-2004-1014 	statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE
signal, which allows remote attackers to cause a denial of service (server
process crash) via a TCP connection that is prematurely terminated.


http://www.redhat.com/support/errata/RHSA-2005-014.html
Comment 9 Jeff Sheltren 2005-11-16 06:07:33 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The rh73, rh9, and fc1 packages are already patched for CVE-2004-1014
see bug #152871. The fc2 package was not patched, so I have created
a new package for fc2:

http://www.cs.ucsb.edu/~jeff/legacy/nfs-utils/nfs-utils-1.0.6-22.2.legacy.src.rpm

ae2c6b29fb9442153f7825d755d0d11cd0e25de9  nfs-utils-1.0.6-22.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDexNRKe7MLJjUbNMRAgQ3AJ4y1TSIi7nYFCL1PlAeC6KDqk9zQQCfdagO
JdTNNHAcmKIYd+s1XrfxRdg=
=d36G
-----END PGP SIGNATURE-----
Comment 10 Pekka Savola 2005-11-16 08:50:28 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches have identical SHA1sums with those from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

ef642e4180ce73bed914ee79ef605d8770e661f6  nfs-utils-0.3.3-6.73.2.legacy.src.rpm
e5d89b25526783659b54fd0dd85b4a89d51a57c3  nfs-utils-1.0.1-3.9.2.legacy.src.rpm
af024e6fcd8c853798b9880aa0b960c06a34e5f9  nfs-utils-1.0.6-1.2.legacy.src.rpm
ae2c6b29fb9442153f7825d755d0d11cd0e25de9  nfs-utils-1.0.6-22.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDezm4GHbTkzxSL7QRAvpKAJkBZWWJwkNuWNZArCBGIDn+wJ+/HQCff2U5
T6QAblYdAfpOgOJk7h+ZuA8=
=3/SY
-----END PGP SIGNATURE-----
Comment 11 Marc Deslauriers 2005-11-17 21:12:23 EST
isn't this a 64-bit only issue? Why are we fixing this?
Comment 12 David Eisenstein 2005-12-13 01:22:00 EST
Are we not going to be supporting 64-bit for any of the FC's?
Comment 13 Marc Deslauriers 2006-02-11 11:32:53 EST
Packages were released to updates-testing.
Comment 14 Pekka Savola 2006-02-14 01:32:17 EST
New policy: automatic accept after two weeks if no negative feedback.

Comment 15 Donald Maner 2006-02-23 17:13:46 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

rh73:
fc563f70e9f2b5eeafb51b9444469689185ef504  nfs-utils-0.3.3-6.73.2.legacy.i386.rpm

rh9:
45c4f3a310d3090271f0d0798cae1e3148ab8299  nfs-utils-1.0.1-3.9.2.legacy.i386.rpm

fc1:
1c96ae93420683ad79b675b205ecb5d6ddb61ef4  nfs-utils-1.0.6-1.2.legacy.i386.rpm

fc2:
2063735e17273d7967c8fa1f3649ab86921c910e  nfs-utils-1.0.6-22.2.legacy.i386.rpm

I mounted an ext3 partition and set a 100000 block hard quota.  I then mounted
the partition from a fc4 machine over NFS.  I was unable to go past the hard
quota, and I was able to view the quota remotly using "quota <username>".

+VERIFY rh73,rh9,fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD/jTspxMPKJzn2lIRAh5EAJ9ZCDyzJ4evZLfJ+1JJj1V+W8aI+wCdHCh2
Q73UFsOgVXnQXnZStW6ZshU=
=VaeK
-----END PGP SIGNATURE-----
Comment 16 Pekka Savola 2006-02-24 00:54:46 EST
Thanks!
Comment 17 Tres Seaver 2006-02-24 13:21:33 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages tested:

  1c96ae93420683ad79b675b205ecb5d6ddb61ef4  nfs-utils-1.0.6-1.2.legacy.i386.rpm

  - SHA1 checksum and GPG signature verified.

  - Package installed cleanly.

  - Minimal testing of utility binaries showed they run cleanly, although
    the FC1 box I run exports no NFS mounts.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD/0/V+gerLs4ltQ4RAmyWAJ9o9b001NqwlJp6c8Yd8GMwG3qHFQCg2TdN
UvHEfTpZXYKzuGo7L8j3/2o=
=JDis
-----END PGP SIGNATURE-----
Comment 18 Marc Deslauriers 2006-02-25 09:55:16 EST
Updates were released.

Note You need to log in before you can comment on or make changes to this bug.