Bug 747106 (CVE-2011-4131) - CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops
Summary: CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops
Status: CLOSED ERRATA
Alias: CVE-2011-4131
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Jian Li
URL:
Whiteboard: impact=moderate,public=20111105,repor...
Keywords: Security
Depends On: 753227 753228 753230 753231 753232 753236 761378
Blocks: 746922 767288 784298
TreeView+ depends on / blocked
 
Reported: 2011-10-18 20:18 UTC by Petr Matousek
Modified: 2018-11-30 21:56 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-24 05:29:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0333 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-02-24 01:21:35 UTC
Red Hat Product Errata RHSA-2012:0862 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 6 kernel security, bug fix and enhancement update 2012-06-20 12:55:00 UTC
Red Hat Product Errata RHSA-2012:1541 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2012-12-05 01:31:10 UTC

Description Petr Matousek 2011-10-18 20:18:37 UTC
nfs4_getfacl decoding causes a kernel Oops when a server returns more than 2 GETATTR bitmap words in response to the FATTR4_ACL attribute request.

While the NFS client only asks for one attribute (FATTR4_ACL) in the first bitmap word, the NFSv4 protocol allows for the server to return unbounded
bitmaps.

Upstream commit:
e5012d1f3861d18c7f3814e757c1c3ab3741dbcd - incomplete, handles only the case when 2 words are expected and 3 are returned

Proposed complete upstream patch:
http://www.spinics.net/lists/linux-nfs/msg25288.html

Acknowledgements:

Red Hat would like to thank Andy Adamson for reporting this issue.

Comment 7 Petr Matousek 2011-11-11 16:37:42 UTC
Statement:

This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 as it does not provide support for NFS ACLs. This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 5. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html. Future kernel updates in Red Hat Enterprise Linux 6 may address this issue.

Comment 8 Petr Matousek 2011-11-11 16:57:58 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 753236]

Comment 9 Jeff Layton 2011-11-22 15:16:28 UTC
At this point, I'm waiting to see if Trond plans to take the patch. Once he confirms that I'll backport it for RHEL5 and 6.

Comment 10 Eugene Teo (Security Response) 2011-11-30 06:55:25 UTC
(In reply to comment #9)
> At this point, I'm waiting to see if Trond plans to take the patch. Once he
> confirms that I'll backport it for RHEL5 and 6.

Jeff, what's the status? Are they using the patch for the upstream kernel?

Comment 11 Jeff Layton 2011-11-30 11:13:26 UTC
I've handed this bug off to Sachin who has found a bug in the upstream patch.

Comment 19 errata-xmlrpc 2012-02-23 20:22:58 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html

Comment 28 Petr Matousek 2012-05-15 06:54:35 UTC
Complete fix consists of the following upstream Linux kernel commits:

bf118a342f10dafe44b14451a1392c3254629a1f
20e0fa98b751facf9a1101edaefbc19c82616a68
5794d21ef4639f0e33440927bb903f9598c21e92
5a00689930ab975fdd1b37b034475017e460cf2a

Comment 29 errata-xmlrpc 2012-06-20 07:58:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0862 https://rhn.redhat.com/errata/RHSA-2012-0862.html

Comment 31 errata-xmlrpc 2012-12-04 20:33:15 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1541 https://rhn.redhat.com/errata/RHSA-2012-1541.html


Note You need to log in before you can comment on or make changes to this bug.