Bug 612028 - CVE-2010-2521 kernel: nfsd4: bug in read_buf
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,reported=20100707,pu...
Keywords: Security
Depends On: 612030 612031 612032 612033 612034 612035 645207 645208
Reported: 2010-07-07 01:44 EDT by Eugene Teo (Security Response)
Modified: 2016-04-22 09:26 EDT
Doc Type: Bug Fix
Last Closed: 2016-04-22 09:26:02 EDT
Attachments: none
Description Eugene Teo (Security Response) 2010-07-07 01:44:15 EDT
Description of problem:
When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to.  So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page.
    
We never encountered this in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that.

Upstream commit:
http://git.kernel.org/linus/2bc3c1179c781b359d4f2f3439cb3df72afc17fc
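The description explains the mechanism in prose: once read_buf has switched pages, every later bounds check compares the requested length against `(u32)(argp->end - argp->p)`, so the check is only as good as the value of `end`. The C program below is an added, deliberately small model written for this page; it is not the kernel's read_buf and not code from the bug's reporter or from the upstream commit. Names such as `MODEL_PAGE_SIZE`, `xdr_args`, `advance_page`, `setup`, `believed_spare` and `request_accepted` are the model's own, the 64-byte pages and the 0xAB fill are constructed input, and the way the defect is modelled (deriving `end` from a stale pointer into the page just finished) is an assumption chosen to reproduce the behaviour the description gives, namely an `end` unrelated to the page `p` now addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: tiny "pages" keep the arithmetic visible. */
#define MODEL_PAGE_SIZE 64u

typedef uint32_t u32;

/* Subset of the decoder state that read_buf maintains. */
struct xdr_args {
    unsigned char *p;          /* next byte to decode */
    unsigned char *end;        /* end of valid request data in the page p lies in */
    unsigned char **pagelist;  /* pages still to be decoded, in order */
    u32 pagelen;               /* request bytes remaining in pagelist */
};

/* One backing array holds every page and the scratch buffer, so even the
 * wrongly accepted read below stays inside a single C object. */
static unsigned char backing[4 * MODEL_PAGE_SIZE];
static unsigned char scratch[4 * MODEL_PAGE_SIZE];
static unsigned char *pages[2];

/* Switch to the next page. `fixed` selects the corrected end computation. */
static void advance_page(struct xdr_args *a, int fixed)
{
    unsigned char *stale = a->p;  /* points into the page just finished */
    u32 len = a->pagelen < MODEL_PAGE_SIZE ? a->pagelen : MODEL_PAGE_SIZE;

    a->p = *a->pagelist++;
    a->pagelen -= len;
    /* Assumed shape of the defect: end is computed from a pointer into the old
     * page rather than from the new a->p, so it bears no relation to the page
     * a->p now addresses. The fixed path anchors end on the new page. */
    a->end = (fixed ? a->p : stale) + len;
}

/* Return 1 if nbytes of request data could be consumed (got points at them),
 * 0 if the request is too short. */
static int read_buf(struct xdr_args *a, u32 nbytes, unsigned char **got, int fixed)
{
    /* The u32 cast mirrors the original: a negative end - p becomes a huge
     * "available" count, so a wrong end is never caught on the short side. */
    u32 avail = (u32)(a->end - a->p);
    u32 rest;

    if (nbytes <= avail) {
        *got = a->p;
        a->p += nbytes;
        return 1;
    }
    if (a->pagelen == 0 || nbytes > sizeof scratch)
        return 0;
    /* Item straddles the page boundary: keep the bytes left on this page,
     * switch pages, then fetch the remainder from the new page. */
    memcpy(scratch, a->p, avail);
    advance_page(a, fixed);
    rest = nbytes - avail;
    if (rest > (u32)(a->end - a->p))
        return 0;
    memcpy(scratch + avail, a->p, rest);
    a->p += rest;
    *got = avail ? scratch : a->p - rest;
    return 1;
}

/* Request whose data fills the first page and `tail` bytes of a second page.
 * The pages sit in reverse address order so the stale-pointer arithmetic gives
 * a visibly oversized end; with other layouts the difference goes negative and
 * the u32 cast turns it into a huge count instead. */
static void setup(struct xdr_args *a, u32 tail)
{
    memset(backing, 0xAB, sizeof backing);   /* constructed request bytes */
    pages[0] = backing + MODEL_PAGE_SIZE;
    pages[1] = backing;
    a->p = pages[0];
    a->end = pages[0] + MODEL_PAGE_SIZE;
    a->pagelist = &pages[1];
    a->pagelen = tail;
}

/* Bytes read_buf believes the second page still holds after the switch. */
static u32 believed_spare(u32 tail, int fixed)
{
    struct xdr_args a;
    unsigned char *got;

    setup(&a, tail);
    read_buf(&a, MODEL_PAGE_SIZE, &got, fixed);  /* exhaust the first page */
    read_buf(&a, 4, &got, fixed);                /* first item on page two forces the switch */
    return (u32)(a.end - a.p);
}

/* Does read_buf accept an item of nbytes as the first thing on the second page? */
static int request_accepted(u32 tail, u32 nbytes, int fixed)
{
    struct xdr_args a;
    unsigned char *got;

    setup(&a, tail);
    if (!read_buf(&a, MODEL_PAGE_SIZE, &got, fixed))
        return -1;
    return read_buf(&a, nbytes, &got, fixed);
}

int main(void)
{
    printf("believed spare after switch (12 valid): fixed=%u buggy=%u\n",
           believed_spare(16, 1), believed_spare(16, 0));
    printf("20-byte item with 16 bytes valid: fixed=%d buggy=%d\n",
           request_accepted(16, 20, 1), request_accepted(16, 20, 0));
    return 0;
}
```

With 16 valid bytes on the second page the fixed variant reports 12 spare bytes after the first 4-byte item and rejects a 20-byte item, while the model of the defect reports more than two pages of spare space and accepts items well past the valid data, which is the "fall off the end of the second page" case the description warns about. The point for review of any page-walking decoder is the same: `end` must be re-derived from the new page's own address on every switch, and an unsigned available-length comparison cannot compensate for a wrong `end`.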
Comment 1 Eugene Teo (Security Response) 2010-07-07 01:46:00 EDT
Introduced in commits 89fc0a31 (v2.5.49) and 099e99f0 (v2.6.0-test3). Fixed in v2.6.34-rc6.
Comment 3 Eugene Teo (Security Response) 2010-07-07 01:49:51 EDT
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it did not include support for Network File System (NFS) version 4. Future updates in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG may address this flaw.
Comment 10 errata-xmlrpc 2010-08-05 12:47:53 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0606 https://rhn.redhat.com/errata/RHSA-2010-0606.html
Comment 11 errata-xmlrpc 2010-08-10 14:01:40 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html
Comment 12 errata-xmlrpc 2010-08-17 11:53:05 EDT
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
Comment 13 John Kacur 2010-08-26 14:33:04 EDT
This is not an issue for mrg-1.3 [bug #612031], since we are based on a stable release that already includes this fix.
Comment 16 errata-xmlrpc 2010-11-16 14:08:57 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0893 https://rhn.redhat.com/errata/RHSA-2010-0893.html
Comment 17 errata-xmlrpc 2010-11-23 10:19:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0907 https://rhn.redhat.com/errata/RHSA-2010-0907.html