From: Peter Staubach <staubach@redhat.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: [PATCH] possible DoS attack using nfsservctl()
Date: Fri, 03 Mar 2006 15:28:26 -0500 [thread overview]
Message-ID: <4408A6EA.70501@redhat.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1180 bytes --]
Hi.
Attached is a patch which addresses a possible DoS attack using the
nfsservctl() system call. A user can use this system call to fill
up the file system which stores kernel messages, thus causing potential
problems and/or hiding more valuable messages.
This can happen because the arguments to the nfsservctl() system call
are versioned. This is a good thing. However, when a bad version is
detected, the kernel prints a message and then returns an error. I
presume that this message was meant to be used to help to detect mis-
matches between the kernel and nfs-utils, but the message does not
really contain enough information to be useful in this fashion.
The solution is to remove the message and just return the error. A
mis-match between the kernel and nfs-utils can be determined in other
ways, ways that don't lead to DoS attacks.
While I was there, I corrected some error handling on the compat
version of the nfsservctl() system. It was detecting errors while
copying in the arguments from user space, but then attempting to use
the arguments anyway. This didn't seem so good.
Thanx...
ps
Signed-off-by: Peter Staubach <staubach@redhat.com>
[-- Attachment #2: nfsservctl.devel --]
[-- Type: text/plain, Size: 806 bytes --]
--- linux-2.6.15.x86_64/fs/nfsctl.c.org
+++ linux-2.6.15.x86_64/fs/nfsctl.c
@@ -98,10 +98,8 @@ asmlinkage sys_nfsservctl(int cmd, struc
if (copy_from_user(&version, &arg->ca_version, sizeof(int)))
return -EFAULT;
- if (version != NFSCTL_VERSION) {
- printk(KERN_WARNING "nfsd: incompatible version in syscall.\n");
+ if (version != NFSCTL_VERSION)
return -EINVAL;
- }
if (cmd < 0 || cmd >= sizeof(map)/sizeof(map[0]) || !map[cmd].name)
return -EINVAL;
--- linux-2.6.15.x86_64/fs/compat.c.org
+++ linux-2.6.15.x86_64/fs/compat.c
@@ -2168,9 +2168,12 @@ asmlinkage long compat_sys_nfsservctl(in
default:
err = -EINVAL;
- goto done;
+ break;
}
+ if (err)
+ goto done;
+
oldfs = get_fs();
set_fs(KERNEL_DS);
/* The __user pointer casts are valid because of the set_fs() */
reply other threads:[~2006-03-03 20:28 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4408A6EA.70501@redhat.com \
--to=staubach@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox