CVE-2011-2491
First published: Tue May 31 2011(Updated: )
Created <span class=""><a href="attachment.cgi?id=502027" name="attach_502027" title="dmesg output with NFS/NLM/RPC debug">attachment 502027</a> <a href="attachment.cgi?id=502027&action=edit" title="dmesg output with NFS/NLM/RPC debug">[details]</a></span> dmesg output with NFS/NLM/RPC debug btw. I'm reporting this issue to akpm@ and to Trond Myklebust because other vendors and upstream linux kernel is affected too. Description of problem: unprivileged user can use flock syscall for NFS share to trigger unlimited resource leak and this could cause node DoS. Details: flock on NFS calls nlmclnt_lock() function, where nlmclnt_call() executes synchronous RPC task NLMPROC_LOCK. Via several subcalls (call_bind) it successfully connects to NFS server and decodes its reply, however because server did not set up r_port rpcb_getport_done() returns -EACCES, and following rpc subcall call_bind_status() in this case repeats call_bind() after 3 sec timeout. It isn't a big problem, and this cycle could be broken by signal, however error path of nlmclnt_lock() executes identical asynchronous RPC call to unlock taken lock. Waiting of result of this call is also canceled by signal, however in this case RPC call is asynchronous, it cycles too and never finished. I would like to ask Trond to recheck my analyze and review my patch with fix of this issue or propose some better and more correct solution. My idea is to break cycle described above, return -EOPNOTSUPP to nlmclnt_lock(), check it on error path and do not execute NLMPROC_UNLOCK call because we already know that server does not support locking operations. PS. one more separate issue: NLMPROC_UNLOCK can be cycled in another place: nlmclnt_unlock_callback() restarts RPC task in case of any errors. Therefore we cannot execute NLMPROC_UNLOCK on error path in case of server errors. I did not reproduce this issue, however I believe it's possible. PPS. Also I've found similar cycles in other nlm callbacks, however I have no ideas is it possible to exploit it. However I would like to ask Trond to review this code too. Version-Release number of selected component (if applicable): 2.6.32-131.0.15.el6.x86_64 I've reproduced this issue on RHEL5, RHEL6, ubuntu 11.04 and upstream linux kernel 2.6.39. How reproducible: 100% Actual results: flock hangs, can be canceled by signal, as result one more rpc task leaks (FYI: sysctl -w sunrpc.rpc_debug=0 dumps status of active RPC taks) Expected results: no hangs, no leaks Additional info: dmesg output with NFS/NLM/RPC debug and concept of patch are attached. Because vendor-sec is no longer in use I'm preparing private report to akpm@ and to Trond Myklebust, probably they can propose some better solution
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | <3.0 | |
| Redhat Enterprise Linux Server | =5.0 | |
| Redhat Enterprise Linux Workstation | =5.0 | |
| Redhat Enterprise Linux Desktop | =5.0 | |
| debian/linux-2.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2011/06/23/6
- https://bugzilla.redhat.com/show_bug.cgi?id=709393
- http://ftp.osuosl.org/pub/linux/kernel/v3.0/ChangeLog-3.0
- https://github.com/torvalds/linux/commit/0b760113a3a155269a3fba93a409c640031dd68f
- http://rhn.redhat.com/errata/RHSA-2011-1212.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=0b760113a3a155269a3fba93a409c640031dd68f
- https://launchpad.net/bugs/cve/CVE-2011-2491
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502027
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502027&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502030&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502030&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502142&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502142&action=edit
- http://git.kernel.org/linus/0b760113a3a155269a3fba93a409c640031dd68f
- https://rhn.redhat.com/errata/RHSA-2011-1189.html
- https://rhn.redhat.com/errata/RHSA-2011-1253.html
- https://rhn.redhat.com/errata/RHSA-2011-1212.html
- https://rhn.redhat.com/errata/RHSA-2011-1813.html
- https://security-tracker.debian.org/tracker/CVE-2011-2491
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
- https://nvd.nist.gov/vuln/detail/CVE-2011-2491
- https://ubuntu.com/security/CVE-2011-2491
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2491
- agent/author
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/description
- agent/weakness
- agent/remedy
- agent/severity
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/tags
- collector/usn-cve
- source/Ubuntu
- vendor/linux
- canonical/linux linux kernel
- vendor/redhat
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/5.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/5.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/5.0
- package-manager/debian