lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 31 Jul 2007 09:59:16 -0400
From:	Steve Dickson <SteveD@...hat.com>
To:	Stefan Walter <stefan.walter@....ethz.ch>
CC:	linux-kernel@...r.kernel.org
Subject: Re: rpc.mountd crashes when extensively using netgroups

Stefan Walter wrote:
> 
> We do this on a much larger scale though. The bug we ran into is
> in line 96 in utils/mountd/auth.c. The strcpy can corrupt
> memory when it copies the string returned by client_compose() to
> my_client.m_hostname which has a fixed size of 1024 bytes. 
> For our example above, client_compose() returns "@joe,@jane"
> for any machine in the offices_1 netgroup. Unfortunately we have
> a machine to which roughly 150 netgroups like @joe or @jane
> export to and client_compose() returns a string over 1300 bytes
> long and rpc.mountd nicely segfaults.
>  
> To prevent the crash is of course trivial: Inserting a simple
> 'if (strlen(n) > 1024) return NULL;' before line 96 does the job.
Does the attached patch help?

> 
> There are however two issues for which we could not find an easy
> solution:
> 
>  1. For every client rpc.mountd and the kernel seem to exchange
>     and use lists with _all_ netgroups used in exports that are
>     relevant for granting permission to some share for a particular
>     client. We could imagine two optimizations here:
> 
>        * Resolve netgroups and only put the (member) netgroups that
>          contained the host name that would be used to authorize
>          a mount in the list.
> 
>        * Use the list of mounted paths per client and only put the
>          netgroup(s) used to export paths that are actually mounted
>          on a client. 
These sound reasonable...


>  
>  2. Using a fixed size for NFSCLNT_IDMAX does not scale. Mounting
>     shares on a client for which the 'if' clause of the quick fix
>     becomes true will not be possible. We thought about enlarging
>     NFSCLNT_IDMAX and using a custom kernel but dropped the idea. 
True...

> 
> Our ultimate goal is to get Red Hat fix the code in nfs-utils 1.0.6
> that is used in RHEL4. A first step would be to get a suitable fix in
> the current nfs-utils. 
Please open up bugs on all three of these issues and
we'll see what can done...

steved.


View attachment "mountd-netgroup.patch" of type "text/x-patch" (764 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ