Bug 747106 - (CVE-2011-4131) CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All / Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Jian Li
impact=moderate,public=20111105,repor...
: Security
Depends On: 753227 753228 753230 753231 753232 753236 761378
Blocks: 746922 767288 784298
Reported: 2011-10-18 16:18 EDT by Petr Matousek
Modified: 2016-11-08 10:48 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-24 01:29:31 EDT

Attachments: None
Description Petr Matousek 2011-10-18 16:18:37 EDT
nfs4_getfacl decoding causes a kernel Oops when a server returns more than 2 GETATTR bitmap words in response to the FATTR4_ACL attribute request.

While the NFS client only asks for one attribute (FATTR4_ACL) in the first bitmap word, the NFSv4 protocol allows for the server to return unbounded bitmaps.

Upstream commit:
e5012d1f3861d18c7f3814e757c1c3ab3741dbcd - incomplete, handles only the case when 2 words are expected and 3 are returned

Proposed complete upstream patch:
http://www.spinics.net/lists/linux-nfs/msg25288.html

Acknowledgements:

Red Hat would like to thank Andy Adamson for reporting this issue.
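As an added illustration of the decoding problem described above (constructed here; this is neither the kernel's decoder nor the upstream patch), a bitmap4 decoder that treats the server-supplied word count as untrusted: it bounds the count against the bytes actually present, stores at most two words, and consumes any surplus words instead of writing past the local array. The names xdr_get_u32, decode_attr_bitmap, decode_sample and the sample byte streams are all assumptions of this example.

```c
/* Constructed example (not kernel code): decode an NFSv4 bitmap4 with an untrusted word count. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BITMAP_WORDS 2   /* words the client keeps; it asked for a single attribute */

/* Read one big-endian XDR uint32 at *pos; 0 on success, -1 if the stream is short. */
static int xdr_get_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos > len || len - *pos < 4)
        return -1;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 0;
}

/* bitmap4 = uint32 count, then count words. Keeps at most BITMAP_WORDS words in
 * bm[] and consumes but drops any surplus, so a server answering with three or
 * more words cannot write past the array. Returns the count the server sent,
 * or -1 when the count claims more words than the stream actually holds. */
int decode_attr_bitmap(const uint8_t *buf, size_t len, size_t *pos, uint32_t bm[BITMAP_WORDS])
{
    uint32_t count, word;
    memset(bm, 0, BITMAP_WORDS * sizeof(uint32_t));
    if (xdr_get_u32(buf, len, pos, &count))
        return -1;
    if (count > (len - *pos) / 4)       /* validate the count before using it */
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (xdr_get_u32(buf, len, pos, &word))
            return -1;
        if (i < BITMAP_WORDS)
            bm[i] = word;
    }
    return (int)count;
}

/* Constructed sample streams: count=3 with three words, and count=3 with only two present. */
static const uint8_t sample_three_words[] = { 0,0,0,3, 0,0,0,1, 0,0,0,0, 0,0,0,0x10 };
static const uint8_t sample_truncated[]   = { 0,0,0,3, 0,0,0,1, 0,0,0,0 };

/* Decode a whole sample from offset 0; returns the server's count or -1. */
int decode_sample(const uint8_t *buf, size_t len, uint32_t bm[BITMAP_WORDS])
{
    size_t pos = 0;
    return decode_attr_bitmap(buf, len, &pos, bm);
}
```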
Comment 7 Petr Matousek 2011-11-11 11:37:42 EST
Statement:

This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 as it does not provide support for NFS ACLs. This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 5. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0333.html. Future kernel updates in Red Hat Enterprise Linux 6 may address this issue.
Comment 8 Petr Matousek 2011-11-11 11:57:58 EST
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 753236]
Comment 9 Jeff Layton 2011-11-22 10:16:28 EST
At this point, I'm waiting to see if Trond plans to take the patch. Once he confirms that I'll backport it for RHEL5 and 6.
Comment 10 Eugene Teo (Security Response) 2011-11-30 01:55:25 EST
(In reply to comment #9)
> At this point, I'm waiting to see if Trond plans to take the patch. Once he
> confirms that I'll backport it for RHEL5 and 6.

Jeff, what's the status? Are they using the patch for the upstream kernel?
Comment 11 Jeff Layton 2011-11-30 06:13:26 EST
I've handed this bug off to Sachin who has found a bug in the upstream patch.
Comment 19 errata-xmlrpc 2012-02-23 15:22:58 EST
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
Comment 28 Petr Matousek 2012-05-15 02:54:35 EDT
Complete fix consists of the following upstream Linux kernel commits:

bf118a342f10dafe44b14451a1392c3254629a1f
20e0fa98b751facf9a1101edaefbc19c82616a68
5794d21ef4639f0e33440927bb903f9598c21e92
5a00689930ab975fdd1b37b034475017e460cf2a
Comment 29 errata-xmlrpc 2012-06-20 03:58:26 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0862 https://rhn.redhat.com/errata/RHSA-2012-0862.html
Comment 31 errata-xmlrpc 2012-12-04 15:33:15 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1541 https://rhn.redhat.com/errata/RHSA-2012-1541.html