Re: [NFS] [SECURITY] Re: NFSv3 for Linux 2.2.14: new release

From: Trond Myklebust (trond.myklebust@fys.uio.no)
Date: Thu Apr 20 2000 - 07:24:55 EST


>>>>> " " == Chris Evans <chris@ferret.lmh.ox.ac.uk> writes:

> Hi,

> In the recent NFS merges into 2.3.99-pre, I noticed what
> appears (by inspection) to be a serious security flaw. Please
> examine the following code (patch) fragment

> +xdr_decode_fhstatus3(struct rpc_rqst *req, u32 *p, struct
> mnt_fhstatus *res) +{
> + memset((u8 *)res, 0, sizeof(*res));
> + if ((res->status = ntohl(*p++)) == 0) {
> + int size = ntohl(*p++);
> + if (size <= NFS3_FHSIZE) {
> + res->fh->size = size;
> + memcpy(res->fh->data, p, res->fh->size);
> + } else
> + res->status = -EBADHANDLE;
> + }
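Review bot: the length check `if (size <= NFS3_FHSIZE)` only bounds `size` from above, and `int size` is signed, so any wire value with the top bit set (0xffffffff, i.e. -1) passes the comparison and is then handed to memcpy() as a huge unsigned length; declare it `u32 size = ntohl(*p++);` so the same comparison rejects it, or add an explicit `size < 0` test. Separately, `memset((u8 *)res, 0, sizeof(*res))` zeroes the whole of *res before `res->fh->size` is dereferenced; if `fh` is a pointer member rather than an embedded array, that dereference is of NULL, so the memset should target the handle (`sizeof(*res->fh)`) rather than the status struct.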

> "int size" should definitely be unsigned! Otherwise, if the
> value "-1" arrives over the untrusted network, it will pass the
> NFS3_FHSIZE check and proceed to attempt a memcpy() of size
> (unsigned)-1, i.e. 4Gb. This will upset the kernel :)

Serious security flaw? Well...
That particular code is only meant to be used for mounting the NFSROOT
partition, so if you receive an illegal file handle, your client isn't
going to boot whether or not the memcpy messes up.

That said, there's no reason why we shouldn't do it right. I'll send
in the patch to Linus once he's finished moving...

Cheers,
  Trond

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:16 EST