Bug 612028 (CVE-2010-2521) - CVE-2010-2521 kernel: nfsd4: bug in read_buf
Summary: CVE-2010-2521 kernel: nfsd4: bug in read_buf
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-2521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,reported=20100707,pu...
Keywords: Security
Depends On: 612030 612031 612032 612033 612034 612035 645207 645208
 
Reported: 2010-07-07 05:44 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 13:02 UTC (History)
Last Closed: 2016-04-22 13:26:02 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0606 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-08-05 16:44:53 UTC
Red Hat Product Errata RHSA-2010:0610 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-08-10 18:01:15 UTC
Red Hat Product Errata RHSA-2010:0631 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2010-08-18 07:58:39 UTC
Red Hat Product Errata RHSA-2010:0893 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-16 19:08:47 UTC
Red Hat Product Errata RHSA-2010:0907 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-23 15:19:19 UTC

Description Eugene Teo (Security Response) 2010-07-07 05:44:15 UTC
Description of problem:
When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to.  So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page.
We never encountered this in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that.

Upstream commit:
http://git.kernel.org/linus/2bc3c1179c781b359d4f2f3439cb3df72afc17fc
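Added example (not code from the bug report, the upstream commit, or the kernel) modelling the mechanism the description gives: a hypothetical two-field cursor whose end pointer is derived from the position in the previous page rather than the page p now points to, so the unsigned cast in the remaining-space check turns a negative distance into a huge one and would accept a read well past the page; beside it, a signed check that rejects such a cursor. The names (struct cursor, mem, PAGE_WORDS) and the three-page layout are assumptions, not the kernel's structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the decoder cursor: p is the current position in
 * 4-byte XDR words, end the first word past the readable data. The real
 * kernel struct and READ_BUF macro are not on this page. */
#define PAGE_WORDS 1024                 /* 4096-byte page, 4-byte words */
struct cursor { uint32_t *p; uint32_t *end; };

/* Three constructed "pages" of request data, laid out back to back. */
static uint32_t mem[3 * PAGE_WORDS];

/* Space the fast path believes is left. The (u32) cast mirrors the
 * comparison the report describes: end behind p gives a negative
 * distance, which becomes a huge unsigned value and passes any size. */
uint32_t space_left_u32(struct cursor c) {
    return (uint32_t)((char *)c.end - (char *)c.p);
}

/* Buggy page switch: end is computed from the position in the OLD page,
 * not from the page p now points to, so end lands behind p. */
struct cursor buggy_cursor(void) {
    struct cursor c;
    uint32_t *old_p = mem + PAGE_WORDS - 24;   /* near the end of page 0 */
    c.p   = mem + 2 * PAGE_WORDS;              /* now on page 2 */
    c.end = old_p + PAGE_WORDS;                /* wrong base pointer */
    return c;
}

/* Corrected page switch: end is derived from the new page base. */
struct cursor fixed_cursor(void) {
    struct cursor c;
    c.p   = mem + 2 * PAGE_WORDS;
    c.end = c.p + PAGE_WORDS;
    return c;
}

/* A check the cast cannot fool: signed difference, and end must not be behind p. */
int read_ok(struct cursor c, uint32_t nbytes) {
    ptrdiff_t left = (char *)c.end - (char *)c.p;
    return left >= 0 && (ptrdiff_t)nbytes <= left;
}

int main(void) {
    printf("buggy: u32 space_left=%u read_ok(8192)=%d\n",
           (unsigned)space_left_u32(buggy_cursor()), read_ok(buggy_cursor(), 8192));
    printf("fixed: u32 space_left=%u read_ok(8192)=%d\n",
           (unsigned)space_left_u32(fixed_cursor()), read_ok(fixed_cursor(), 8192));
    return 0;
}
```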

Comment 1 Eugene Teo (Security Response) 2010-07-07 05:46:00 UTC
Introduced in commit 89fc0a31 (v2.5.49) and 099e99f0 (v2.6.0-test3). Fixed in v2.6.34-rc6.

Comment 3 Eugene Teo (Security Response) 2010-07-07 05:49:51 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for Network File System (NFS) version 4. Future updates in Red Hat Enterprise 4, 5, and Red Hat Enterprise MRG may address this flaw.

Comment 10 errata-xmlrpc 2010-08-05 16:47:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0606 https://rhn.redhat.com/errata/RHSA-2010-0606.html

Comment 11 errata-xmlrpc 2010-08-10 18:01:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html

Comment 12 errata-xmlrpc 2010-08-17 15:53:05 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

Comment 13 John Kacur 2010-08-26 18:33:04 UTC
This is not an issue for mrg-1.3 [bug #612031] since we are based on a stable release that already includes this fix.

Comment 16 errata-xmlrpc 2010-11-16 19:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0893 https://rhn.redhat.com/errata/RHSA-2010-0893.html

Comment 17 errata-xmlrpc 2010-11-23 15:19:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0907 https://rhn.redhat.com/errata/RHSA-2010-0907.html
