NetBSD Problem Report #35562
From khorben@defora.org Wed Feb 7 20:32:22 2007
Return-Path: <khorben@defora.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 24F1163BB12
for <gnats-bugs@gnats.NetBSD.org>; Wed, 7 Feb 2007 20:32:22 +0000 (UTC)
Message-Id: <45CA3798.8070207@defora.org>
Date: Wed, 07 Feb 2007 21:33:28 +0100
From: Pierre Pronchery <khorben@defora.org>
Reply-To: khorben@defora.org
To: gnats-bugs@NetBSD.org
Subject: Potential denial of service when listing files on an NFS share
>Number: 35562
>Category: security
>Synopsis: Potential denial of service when listing files on an NFS share
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: elad
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 07 20:35:00 +0000 2007
>Closed-Date: Thu Jan 10 09:50:32 +0000 2008
>Last-Modified: Thu Jan 10 09:50:32 +0000 2008
>Originator: khorben@defora.org
>Release: NetBSD 4.0_BETA2
>Organization:
>Environment:
System: NetBSD syn 4.0_BETA2 NetBSD 4.0_BETA2 (GENERIC.MPACPI) #6: Sat Jan 13 21:42:07 CET 2007 khorben@syn:/usr/obj/sys/arch/i386/compile/GENERIC.MPACPI i386
Architecture: i386
Machine: i386
>Description:
The opendir() call in NetBSD's libc has a special case for NFS. This
source code is from src/lib/libc/gen/opendir.c:
    /* $NetBSD: opendir.c,v 1.31 [...] */
    [...]
            nfsdir = !(strncmp(sfb.f_fstypename, MOUNT_NFS, MFSNAMELEN));

            if (unionstack || nfsdir) {
    [...]
    retry:
    [...]
                    do {
    [...]
                            /*
                             * For NFS: EINVAL means a bad cookie error
                             * from the server. Keep trying to get a
                             * consistent view, in this case this means
                             * starting all over again.
                             */
                            if (n == -1 && errno == EINVAL && nfsdir) {
                                    free(buf);
                                    lseek(fd, (off_t)0, SEEK_SET);
                                    goto retry;
                            }
This means that, apparently, in the following cases:
- an attacker spoofs a reply from the NFS server (trivial on a local LAN
when UDP is used);
- an attacker keeps modifying files on the server;
- the server itself is malicious or compromised.
I apologize if this is a known and acknowledged behavior, either in NFS
or in NetBSD's implementation.
>How-To-Repeat:
I could not confirm this vulnerability as of today.
>Fix:
I think a maximum number of iterations could help here.
>Release-Note:
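An added illustration of the retry bound this PR asks for (example code, not NetBSD's opendir.c and not the change committed as rev 1.33): a directory-listing loop that restarts on EINVAL the way the NFS path above does, but gives up after max_retries restarts, exercised against a constructed server that keeps replying "bad cookie". The fetch_fn callback stands in for the getdents() call, and sim_server, sim_fetch, read_listing, run_sim and last_sim_calls are names invented for this example.

```c
#include <errno.h>
typedef int (*fetch_fn)(void *ctx);  /* getdents() stand-in: >0 read, 0 at end, -1 + errno */

struct sim_server {         /* constructed NFS server behaviour for the example */
    int einval_left;        /* bad-cookie replies still to send; -1 = forever */
    int chunks_left;        /* directory chunks to deliver once it behaves */
    int calls;              /* fetches observed */
};

static int sim_fetch(void *ctx)
{
    struct sim_server *s = ctx;
    s->calls++;
    if (s->einval_left != 0) {
        s->einval_left -= (s->einval_left > 0);   /* -1 never counts down */
        errno = EINVAL;     /* "bad cookie" error from the server */
        return -1;
    }
    if (s->chunks_left-- > 0)
        return 16;          /* constructed: 16 entries per chunk */
    return 0;               /* end of directory */
}

/* Restart on EINVAL like the NFS path in opendir(), but give up after max_retries restarts. */
long read_listing(fetch_fn fetch, void *ctx, int max_retries)
{
    int retries = 0, n;
    long total;
retry:
    total = 0;              /* the real code frees buf and lseek()s back to 0 here */
    do {
        n = fetch(ctx);
        if (n == -1) {
            if (errno != EINVAL || retries++ >= max_retries)
                return -1;  /* other error, or too many bad cookies; errno is set */
            goto retry;
        }
        total += n;
    } while (n > 0);
    return total;
}

int last_sim_calls;         /* fetches made by the most recent run_sim() */
long run_sim(int einval_replies, int chunks, int max_retries)
{
    struct sim_server s = { einval_replies, chunks, 0 };
    long r = read_listing(sim_fetch, &s, max_retries);
    last_sim_calls = s.calls;
    return r;
}
```

With a server that never stops returning EINVAL, run_sim(-1, 3, 5) returns -1 after six fetches (one initial pass plus five restarts) instead of looping; a server that recovers after two bad cookies still yields the full listing.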
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Tue, 08 Jan 2008 11:47:53 +0000
State-Changed-Why:
fvdl@ and yamt@ agree that this isn't a security issue
Responsible-Changed-From-To: security-officer->elad
Responsible-Changed-By: elad@netbsd.org
Responsible-Changed-When: Thu, 10 Jan 2008 09:46:35 +0000
Responsible-Changed-Why:
fvdl@ suggests a counter might be useful.
State-Changed-From-To: closed->open
State-Changed-By: elad@netbsd.org
State-Changed-When: Thu, 10 Jan 2008 09:46:35 +0000
State-Changed-Why:
fvdl@ suggests a counter might be useful.
From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: PR/35562 CVS commit: src/lib/libc/gen
Date: Thu, 10 Jan 2008 09:49:05 +0000 (UTC)
Module Name: src
Committed By: elad
Date: Thu Jan 10 09:49:05 UTC 2008
Modified Files:
src/lib/libc/gen: opendir.c
Log Message:
PR/35562: khorben at defora dot org: Potential denial of service when
listing files on an NFS share
Limit the number of retries as suggested in the PR.
Reviewed by and okay fvdl@.
To generate a diff of this commit:
cvs rdiff -r1.32 -r1.33 src/lib/libc/gen/opendir.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Thu, 10 Jan 2008 09:50:32 +0000
State-Changed-Why:
fixed in opendir.c rev 1.33
>Unformatted: