[PATCH] possible DoS attack using nfsservctl()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi.

Attached is a patch which addresses a possible DoS attack using the
nfsservctl() system call.  A user can use this system call to fill
up the file system which stores kernel messages, thus causing potential
problems and/or hiding more valuable messages.

This can happen because the arguments to the nfsservctl() system call
are versioned.  This is a good thing.  However, when a bad version is
detected, the kernel prints a message and then returns an error.  I
presume that this message was meant to be used to help to detect mis-
matches between the kernel and nfs-utils, but the message does not
really contain enough information to be useful in this fashion.

The solution is to remove the message and just return the error.  A
mis-match between the kernel and nfs-utils can be determined in other
ways, ways that don't lead to DoS attacks.

While I was there, I corrected some error handling on the compat
version of the nfsservctl() system.  It was detecting errors while
copying in the arguments from user space, but then attempting to use
the arguments anyway.  This didn't seem so good.

   Thanx...

      ps

Signed-off-by: Peter Staubach <[email protected]>
--- linux-2.6.15.x86_64/fs/nfsctl.c.org
+++ linux-2.6.15.x86_64/fs/nfsctl.c
@@ -98,10 +98,8 @@ asmlinkage sys_nfsservctl(int cmd, struc
 	if (copy_from_user(&version, &arg->ca_version, sizeof(int)))
 		return -EFAULT;
 
-	if (version != NFSCTL_VERSION) {
-		printk(KERN_WARNING "nfsd: incompatible version in syscall.\n");
+	if (version != NFSCTL_VERSION)
 		return -EINVAL;
-	}
 
 	if (cmd < 0 || cmd >= sizeof(map)/sizeof(map[0]) || !map[cmd].name)
 		return -EINVAL;
--- linux-2.6.15.x86_64/fs/compat.c.org
+++ linux-2.6.15.x86_64/fs/compat.c
@@ -2168,9 +2168,12 @@ asmlinkage long compat_sys_nfsservctl(in
 
 	default:
 		err = -EINVAL;
-		goto done;
+		break;
 	}
 
+	if (err)
+		goto done;
+
 	oldfs = get_fs();
 	set_fs(KERNEL_DS);
 	/* The __user pointer casts are valid because of the set_fs() */

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux