* [PATCH] rpc.statd: Bind downcall socket to loopback address
@ 2011-07-30 22:43 Chuck Lever
[not found] ` <20110730224034.30227.2179.stgit-x+BlCsqV7M/wdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Chuck Lever @ 2011-07-30 22:43 UTC (permalink / raw)
To: linux-nfs
In the past, rpc.statd posted SM_NOTIFY requests using the same socket
it used for sending downcalls to the kernel. To receive replies from
remote hosts, the socket was bound to INADDR_ANY.
With commit f113db52 "Remove notify functionality from statd in
favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
used for sending requests to remote hosts. However, the downcall
socket is still bound to INADDR_ANY. This means that any remote host
can inject data on this socket, since it is an unconnected UDP socket
listening for RPC replies.
To prevent unwanted data injection, bind this socket to loopback
instead.
BugLink:
https://bugzilla.linux-nfs.org/show_bug.cgi?id=177
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
This proposed fix hasn't yet been thoroughly tested. Comments?
utils/statd/rmtcall.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
index 0e52fe2..4ecb03c 100644
--- a/utils/statd/rmtcall.c
+++ b/utils/statd/rmtcall.c
@@ -85,7 +85,7 @@ statd_get_socket(void)
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
+ sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
if (bindresvport(sockfd, &sin) < 0) {
xlog(D_GENERAL, "%s: can't bind to reserved port",
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH] rpc.statd: Bind downcall socket to loopback address
@ 2011-08-01 20:13 Chuck Lever
2011-08-03 17:44 ` Steve Dickson
0 siblings, 1 reply; 7+ messages in thread
From: Chuck Lever @ 2011-08-01 20:13 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
In the past, rpc.statd posted SM_NOTIFY requests using the same socket
it used for sending downcalls to the kernel. To receive replies from
remote hosts, the socket was bound to INADDR_ANY.
With commit f113db52 "Remove notify functionality from statd in
favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
used for sending requests to remote hosts. However, the downcall
socket is still bound to INADDR_ANY.
Thus a remote host can inject data on this socket since it is an
unconnected UDP socket listening for RPC replies. Thanks to f113db52,
the port number of this socket is no longer controlled by a command
line option, making it difficult to firewall.
We have demonstrated that data injection on this socket can result in
a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
far we have not found a breach.
To prevent unwanted data injection, bind this socket to the loopback
address.
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=177
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
Confirmed that reboot recovery still works, and that data injection
is no longer possible. This is an updated and final version of this
patch.
utils/statd/rmtcall.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
index 0e52fe2..4ecb03c 100644
--- a/utils/statd/rmtcall.c
+++ b/utils/statd/rmtcall.c
@@ -85,7 +85,7 @@ statd_get_socket(void)
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
+ sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
if (bindresvport(sockfd, &sin) < 0) {
xlog(D_GENERAL, "%s: can't bind to reserved port",
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] rpc.statd: Bind downcall socket to loopback address
2011-08-01 20:13 Chuck Lever
@ 2011-08-03 17:44 ` Steve Dickson
2011-08-03 21:18 ` Chuck Lever
0 siblings, 1 reply; 7+ messages in thread
From: Steve Dickson @ 2011-08-03 17:44 UTC (permalink / raw)
To: Chuck Lever, Linux NFS Mailing list
On 08/01/2011 04:13 PM, Chuck Lever wrote:
> In the past, rpc.statd posted SM_NOTIFY requests using the same socket
> it used for sending downcalls to the kernel. To receive replies from
> remote hosts, the socket was bound to INADDR_ANY.
>
> With commit f113db52 "Remove notify functionality from statd in
> favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
> used for sending requests to remote hosts. However, the downcall
> socket is still bound to INADDR_ANY.
>
> Thus a remote host can inject data on this socket since it is an
> unconnected UDP socket listening for RPC replies. Thanks to f113db52,
> the port number of this socket is no longer controlled by a command
> line option, making it difficult to firewall.
>
> We have demonstrated that data injection on this socket can result in
> a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
> far we have not found a breach.
>
> To prevent unwanted data injection, bind this socket to the loopback
> address.
>
> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=177
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Committed..
steved.
> ---
>
> Confirmed that reboot recovery still works, and that data injection
> is no longer possible. This is an updated and final version of this
> patch.
>
> utils/statd/rmtcall.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
> index 0e52fe2..4ecb03c 100644
> --- a/utils/statd/rmtcall.c
> +++ b/utils/statd/rmtcall.c
> @@ -85,7 +85,7 @@ statd_get_socket(void)
>
> memset(&sin, 0, sizeof(sin));
> sin.sin_family = AF_INET;
> - sin.sin_addr.s_addr = INADDR_ANY;
> + sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>
> if (bindresvport(sockfd, &sin) < 0) {
> xlog(D_GENERAL, "%s: can't bind to reserved port",
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] rpc.statd: Bind downcall socket to loopback address
2011-08-03 17:44 ` Steve Dickson
@ 2011-08-03 21:18 ` Chuck Lever
2011-08-03 22:54 ` Steve Dickson
0 siblings, 1 reply; 7+ messages in thread
From: Chuck Lever @ 2011-08-03 21:18 UTC (permalink / raw)
To: Steve Dickson; +Cc: Linux NFS Mailing list
On Aug 3, 2011, at 1:44 PM, Steve Dickson wrote:
>
>
> On 08/01/2011 04:13 PM, Chuck Lever wrote:
>> In the past, rpc.statd posted SM_NOTIFY requests using the same socket
>> it used for sending downcalls to the kernel. To receive replies from
>> remote hosts, the socket was bound to INADDR_ANY.
>>
>> With commit f113db52 "Remove notify functionality from statd in
>> favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
>> used for sending requests to remote hosts. However, the downcall
>> socket is still bound to INADDR_ANY.
>>
>> Thus a remote host can inject data on this socket since it is an
>> unconnected UDP socket listening for RPC replies. Thanks to f113db52,
>> the port number of this socket is no longer controlled by a command
>> line option, making it difficult to firewall.
>>
>> We have demonstrated that data injection on this socket can result in
>> a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
>> far we have not found a breach.
>>
>> To prevent unwanted data injection, bind this socket to the loopback
>> address.
>>
>> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=177
>>
>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> Committed..
Do you want to close out bz 177, or shall I? Or we can wait for the next nfs-utils release (1.2.5?) to mark it FIXED.
> steved.
>
>> ---
>>
>> Confirmed that reboot recovery still works, and that data injection
>> is no longer possible. This is an updated and final version of this
>> patch.
>>
>> utils/statd/rmtcall.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
>> index 0e52fe2..4ecb03c 100644
>> --- a/utils/statd/rmtcall.c
>> +++ b/utils/statd/rmtcall.c
>> @@ -85,7 +85,7 @@ statd_get_socket(void)
>>
>> memset(&sin, 0, sizeof(sin));
>> sin.sin_family = AF_INET;
>> - sin.sin_addr.s_addr = INADDR_ANY;
>> + sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>>
>> if (bindresvport(sockfd, &sin) < 0) {
>> xlog(D_GENERAL, "%s: can't bind to reserved port",
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] rpc.statd: Bind downcall socket to loopback address
2011-08-03 21:18 ` Chuck Lever
@ 2011-08-03 22:54 ` Steve Dickson
0 siblings, 0 replies; 7+ messages in thread
From: Steve Dickson @ 2011-08-03 22:54 UTC (permalink / raw)
To: Chuck Lever; +Cc: Linux NFS Mailing list
On 08/03/2011 05:18 PM, Chuck Lever wrote:
>
> On Aug 3, 2011, at 1:44 PM, Steve Dickson wrote:
>
>>
>>
>> On 08/01/2011 04:13 PM, Chuck Lever wrote:
>>> In the past, rpc.statd posted SM_NOTIFY requests using the same socket
>>> it used for sending downcalls to the kernel. To receive replies from
>>> remote hosts, the socket was bound to INADDR_ANY.
>>>
>>> With commit f113db52 "Remove notify functionality from statd in
>>> favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
>>> used for sending requests to remote hosts. However, the downcall
>>> socket is still bound to INADDR_ANY.
>>>
>>> Thus a remote host can inject data on this socket since it is an
>>> unconnected UDP socket listening for RPC replies. Thanks to f113db52,
>>> the port number of this socket is no longer controlled by a command
>>> line option, making it difficult to firewall.
>>>
>>> We have demonstrated that data injection on this socket can result in
>>> a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
>>> far we have not found a breach.
>>>
>>> To prevent unwanted data injection, bind this socket to the loopback
>>> address.
>>>
>>> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=177
>>>
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> Committed..
>
> Do you want to close out bz 177, or shall I?
> Or we can wait for the next nfs-utils release (1.2.5?) to mark it FIXED.
Go ahead and close it out... It was all your hard work that got it
done! You might as well have the pleasure of closing it... ;-)
steved.
>
>> steved.
>>
>>> ---
>>>
>>> Confirmed that reboot recovery still works, and that data injection
>>> is no longer possible. This is an updated and final version of this
>>> patch.
>>>
>>> utils/statd/rmtcall.c | 2 +-
>>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/utils/statd/rmtcall.c b/utils/statd/rmtcall.c
>>> index 0e52fe2..4ecb03c 100644
>>> --- a/utils/statd/rmtcall.c
>>> +++ b/utils/statd/rmtcall.c
>>> @@ -85,7 +85,7 @@ statd_get_socket(void)
>>>
>>> memset(&sin, 0, sizeof(sin));
>>> sin.sin_family = AF_INET;
>>> - sin.sin_addr.s_addr = INADDR_ANY;
>>> + sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>>>
>>> if (bindresvport(sockfd, &sin) < 0) {
>>> xlog(D_GENERAL, "%s: can't bind to reserved port",
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-08-03 22:55 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-07-30 22:43 [PATCH] rpc.statd: Bind downcall socket to loopback address Chuck Lever
[not found] ` <20110730224034.30227.2179.stgit-x+BlCsqV7M/wdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2011-08-03 16:58 ` Steve Dickson
[not found] ` <4E397E2C.1040001-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2011-08-03 17:18 ` Steve Dickson
-- strict thread matches above, loose matches on Subject: below --
2011-08-01 20:13 Chuck Lever
2011-08-03 17:44 ` Steve Dickson
2011-08-03 21:18 ` Chuck Lever
2011-08-03 22:54 ` Steve Dickson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).