[Full-Disclosure] Remote Linux Kernel < 2.4.21 DoS in XDR routine. (fwd)

From: Jared Stanbrough (jareds_at_pdx.edu)
Date: 07/30/03

  • Next message: Len Rose: "[Full-Disclosure] [secure@security.sfbay.sun.com: Re: Samba version numbers]" 
    To: full-disclosure@lists.netsys.com
Date: Tue, 29 Jul 2003 17:34:35 -0700 (PDT)

    ---------- Forwarded message ----------
    Date: Tue, 29 Jul 2003 12:55:34 -0700 (PDT)
    From: Jared Stanbrough <jareds@pdx.edu>
    To: bugtraq@securityfocus.com
    Subject: Remote Linux Kernel < 2.4.21 DoS in XDR routine.

    Hello all,

    I have discovered a signed/unsigned issue in a routine responsible for
    demarshalling XDR data for NFSv3 procedure calls. As far as I can tell,
    this bug has existed since NFSv3 support was integrated. It has been
    silently fixed in 2.4.21.

    The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel
    source tree.

    Vulnerable code:

    static inline u32 *
    decode_fh(u32 *p, struct svc_fh *fhp)
    {
            int size;
            fh_init(fhp, NFS3_FHSIZE);
            size = ntohl(*p++);
            if (size > NFS3_FHSIZE)
                    return NULL;

            memcpy(&fhp->fh_handle.fh_base, p, size);
            fhp->fh_handle.fh_size = size;
            return p + XDR_QUADLEN(size);
    }

    Where p is a packet of attacker controlled XDR data. If size is made to be
    negative, the sanity check is passed and the malicious value is passed to
    memcpy. Due to the behavior of the kernel's memcpy, this will cause a very
    large copy in kernel space, resulting in an instant kernel panic.

    The attached code is a POC of this vulnerability. It requires that the
    vulnerable host has an exported directory available to the attacker. This
    is probably not the only way to manifest this bug, however.

    If you have any questions, please feel free to contact me.

    Cheers,

    Jared Stanbrough <jareds@pdx.edu>

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Len Rose: "[Full-Disclosure] [secure@security.sfbay.sun.com: Re: Samba version numbers]"

    Relevant Pages

    • Remote Linux Kernel < 2.4.21 DoS in XDR routine.
      ... demarshalling XDR data for NFSv3 procedure calls. ... The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel ... Where p is a packet of attacker controlled XDR data. ... The attached code is a POC of this vulnerability. ...
      (Bugtraq)
    • VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine.
      ... Remote Linux Kernel < 2.4.21 DoS in XDR routine. ... The attached code is a POC of this vulnerability. ...
      (Vuln-Dev)
    • Re: [BUG] 2.6.23-rc3-mm1 Kernel panic - not syncing: Cant create pid_1 cachep
      ... Following Kernel panic is raised while booting up with 2.6.23-rc3-mm1 kernel. ... Initializing HighMem for node 0 ... virtual kernel memory layout: ... Calibrating delay using timer specific routine.. ...
      (Linux-Kernel)
    • Re: kernel mode equivalent of strrchr
      ... How much text processing is done in the kernel? ... routine useful, but you can just do it by scanning for a character saving ... string search routines documented in the DDK. ... string functions safe so you don't create your own unsafe routine. ...
      (microsoft.public.development.device.drivers)
    • Re: kernel mode equivalent of strrchr
      ... How much text processing is done in the kernel? ... routine useful, but you can just do it by scanning for a character saving ... string search routines documented in the DDK. ... >> string functions safe so you don't create your own unsafe routine. ...
      (microsoft.public.development.device.drivers)