NetBSD Problem Report #35562

From khorben@defora.org  Wed Feb  7 20:32:22 2007
Return-Path: <khorben@defora.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 24F1163BB12
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  7 Feb 2007 20:32:22 +0000 (UTC)
Message-Id: <45CA3798.8070207@defora.org>
Date: Wed, 07 Feb 2007 21:33:28 +0100
From: Pierre Pronchery <khorben@defora.org>
Reply-To: khorben@defora.org
To: gnats-bugs@NetBSD.org
Subject: Potential denial of service when listing files on an NFS share

>Number:         35562
>Category:       security
>Synopsis:       Potential denial of service when listing files on an NFS share
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    elad
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 07 20:35:00 +0000 2007
>Closed-Date:    Thu Jan 10 09:50:32 +0000 2008
>Last-Modified:  Thu Jan 10 09:50:32 +0000 2008
>Originator:     khorben@defora.org
>Release:        NetBSD 4.0_BETA2
>Organization:
>Environment:
System: NetBSD syn 4.0_BETA2 NetBSD 4.0_BETA2 (GENERIC.MPACPI) #6: Sat Jan 13 21:42:07 CET 2007 khorben@syn:/usr/obj/sys/arch/i386/compile/GENERIC.MPACPI i386
Architecture: i386
Machine: i386
>Description:
The opendir() call in NetBSD's libc has a special case for NFS. This
source code is from src/lib/libc/gen/opendir.c:

  1 /*      $NetBSD: opendir.c,v 1.31 [...] */
[...]
119         nfsdir = !(strncmp(sfb.f_fstypename, MOUNT_NFS, MFSNAMELEN));
120
121         if (unionstack || nfsdir) {
[...]
143 retry:
[...]
149                 do {
[...]
168                         /*
169                          * For NFS: EINVAL means a bad cookie error
170                          * from the server. Keep trying to get a
171                          * consistent view, in this case this means
172                          * starting all over again.
173                          */
174                         if (n == -1 && errno == EINVAL && nfsdir) {
175                                 free(buf);
176                                 lseek(fd, (off_t)0, SEEK_SET);
177                                 goto retry;
178                         }

This means that, apparently, in the following cases:
- an attacker spoofs a reply from the NFS server (trivial on a local LAN
  when UDP is used);
- an attacker keeps modifying files on the server;
- the server itself is malicious or compromised.

I apologize if this is a known and acknowledged behavior, either in NFS
or in NetBSD's implementation.

>How-To-Repeat:
I could not confirm this vulnerability as of today.
>Fix:
I think a maximum number of iterations could help here.

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Tue, 08 Jan 2008 11:47:53 +0000
State-Changed-Why:
fvdl@ and yamt@ agree that this isn't a security issue


Responsible-Changed-From-To: security-officer->elad
Responsible-Changed-By: elad@netbsd.org
Responsible-Changed-When: Thu, 10 Jan 2008 09:46:35 +0000
Responsible-Changed-Why:
fvdl@ suggests a counter might be useful.


State-Changed-From-To: closed->open
State-Changed-By: elad@netbsd.org
State-Changed-When: Thu, 10 Jan 2008 09:46:35 +0000
State-Changed-Why:
fvdl@ suggests a counter might be useful.


From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: PR/35562 CVS commit: src/lib/libc/gen
Date: Thu, 10 Jan 2008 09:49:05 +0000 (UTC)

 Module Name:	src
 Committed By:	elad
 Date:		Thu Jan 10 09:49:05 UTC 2008

 Modified Files:
 	src/lib/libc/gen: opendir.c

 Log Message:
 PR/35562: khorben at defora dot org: Potential denial of service when
  listing files on an NFS share

 Limit the number of retries as suggested in the PR.

 Reviewed by and okay fvdl@.


 To generate a diff of this commit:
 cvs rdiff -r1.32 -r1.33 src/lib/libc/gen/opendir.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
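The retry bound that the PR suggests and that the commit log above says was adopted, shown here as an added C illustration. This is not the opendir.c rev 1.33 diff (the page does not include it) and the bound of 16 is an assumed illustrative value, not the one libc uses. A constructed stand-in for the NFS directory read answers EINVAL a configurable number of times (a negative count models a server, or a spoofer, that never stops), and the bounded loop gives up after MAX_NFS_RETRIES consecutive bad-cookie replies instead of restarting the scan for ever. The names fake_nfs_dir, fake_getdents, read_dir_bounded, run_scenario and reads_for are all hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Illustrative retry bound (assumption: not the value used in opendir.c rev 1.33). */
#define MAX_NFS_RETRIES 16

/*
 * Constructed stand-in for the NFS-backed directory read that opendir()
 * performs via getdents(2).  A negative bad_cookie_replies means the server
 * answers EINVAL for ever; a positive value answers EINVAL that many times
 * and then delivers a real entry; zero delivers the entry at once.
 */
struct fake_nfs_dir {
    int bad_cookie_replies;
    int reads;          /* read attempts made so far, for inspection */
};

static int fake_getdents(struct fake_nfs_dir *d, char *buf, size_t len)
{
    static const char entry[] = "file.txt";   /* one constructed entry */

    d->reads++;
    if (d->bad_cookie_replies != 0) {
        if (d->bad_cookie_replies > 0)
            d->bad_cookie_replies--;
        errno = EINVAL;                        /* "bad cookie" from the server */
        return -1;
    }
    if (sizeof(entry) > len) {
        errno = ERANGE;
        return -1;
    }
    memcpy(buf, entry, sizeof(entry));
    return (int)sizeof(entry);                 /* 9 bytes: "file.txt" plus NUL */
}

/*
 * Bounded form of the retry loop quoted in the PR.  Returns the byte count
 * from the read, or -1 with errno set.  After MAX_NFS_RETRIES consecutive
 * EINVAL replies it stops and lets the caller see EINVAL, so a stream of
 * bad-cookie answers ends in a failed opendir() rather than a hung process.
 */
static int read_dir_bounded(struct fake_nfs_dir *d, char *buf, size_t len)
{
    int retries = 0;

    for (;;) {
        int n = fake_getdents(d, buf, len);
        if (n == -1 && errno == EINVAL) {
            if (++retries > MAX_NFS_RETRIES)
                return -1;                     /* errno is still EINVAL */
            /* libc frees its buffer and rewinds the fd here before jumping
             * back to its "retry" label; the fake has no state to rewind. */
            continue;
        }
        return n;
    }
}

/* Runs one scenario: returns read_dir_bounded()'s result and, through
 * reads_out, the number of server round-trips it consumed. */
int run_scenario(int bad_replies, int *reads_out)
{
    struct fake_nfs_dir d = { bad_replies, 0 };
    char buf[64];
    int n = read_dir_bounded(&d, buf, sizeof buf);

    if (reads_out != NULL)
        *reads_out = d.reads;
    return n;
}

/* Convenience wrapper: how many reads a scenario costs before it finishes. */
int reads_for(int bad_replies)
{
    int reads = 0;
    run_scenario(bad_replies, &reads);
    return reads;
}

int main(void)
{
    int reads, n;

    n = run_scenario(3, &reads);
    printf("3 bad cookies: result %d after %d reads\n", n, reads);

    n = run_scenario(-1, &reads);
    printf("endless bad cookies: result %d (errno %d) after %d reads\n",
           n, errno, reads);
    return 0;
}
```

With three spoofed replies the loop still recovers on the fourth read, which is the transient case the original comment was written for; with an endless stream it stops after MAX_NFS_RETRIES + 1 reads and opendir() would return NULL with errno EINVAL, which is the observable change a caller sees once the retry bound is in place.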

State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Thu, 10 Jan 2008 09:50:32 +0000
State-Changed-Why:
fixed in opendir.c rev 1.33


>Unformatted:
