Bug 183416 - DoS attack possible via nfsservctl
Summary: DoS attack possible via nfsservctl
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Peter Staubach
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 181409
TreeView+ depends on / blocked
 
Reported: 2006-02-28 22:15 UTC by Peter Staubach
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-10 22:28:50 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Proposed patch (774 bytes, patch)
2006-03-01 16:04 UTC, Peter Staubach
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0575 0 normal SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 2006-08-10 04:00:00 UTC

Description Peter Staubach 2006-02-28 22:15:29 UTC
Description of problem:

There is a denial of service attack possible using the nfsservctl()
system call.  When it is invoked with an incorrect version number in
the arguments, it prints a message and returns an error.

Version-Release number of selected component (if applicable):


How reproducible:

Very reproducible.

Steps to Reproduce:
1. Invoke the nfsservctl() system with anything but 0x201 as the version
   number in the first argument.
  
Actual results:

The kernel prints the message, "nfsd: incompatible version in syscall.",
and returns an error.

Expected results:

Just the error return.

Additional info:

Comment 1 Peter Staubach 2006-03-01 16:04:02 UTC
Created attachment 125474 [details]
Proposed patch

Comment 2 Peter Staubach 2006-03-01 16:05:48 UTC
The solution is to not print the message.  It is only of vague usefulness
anyway.

Also cleaned up the error handling in the compat version of the nfsservctl()
system call.  It was attempting to proceed, even if the attempts to copy in
the arguments from the user level had failed.

Comment 3 Jason Baron 2006-04-18 17:11:07 UTC
committed in stream U4 build 34.18. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/ However, there is a *serious* slab
corruption issue with this kernel, and thus it should not be released to
customers under any circumstances. I'll update this bug when the kernel is
stable again.


Comment 5 Jason Baron 2006-04-19 19:43:36 UTC
We've identified the corruption as specfic to x86-64 smp kernel builds 34.16 and
34.17. All other builds are safe for consumption.


Comment 8 Red Hat Bugzilla 2006-08-10 22:28:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html



Note You need to log in before you can comment on or make changes to this bug.