Dear Security Team,
[I've also Cc'd Aurelien, who dealt with previous kfreebsd DSAs]

Please could we fix #743984 / CVE-2014-1453 in wheezy kfreebsd-9, with
the attached debdiff?  I'm currently building and testing it.

We likely don't want to fix this in sid, because kfreebsd-9 is planned to
be removed some time before the jessie freeze.

kfreebsd-10 has the same fix pending in SVN, so it will be fixed in sid
in due course.

For kfreebsd-8 the impact is minor: normally a different, unaffected
NFS implementation would be used, so there is little reason to try to
patch this; perhaps later via stable-proposed-updates, if at all.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog     2014-01-28 21:09:41.000000000 +0000
+++ kfreebsd-9-9.0/debian/changelog     2014-04-08 23:43:14.000000000 +0000
@@ -1,3 +1,11 @@
+kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
+
+  * Team upload.
+  * Pick SVN 264285 from FreeBSD 9-STABLE to fix SA-14:05 / CVE-2014-1453:
+    Deadlock in the NFS server
+
+ -- Steven Chamberlain <ste...@pyro.eu.org>  Tue, 08 Apr 2014 23:41:22 +0000
+
 kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low
 
   * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch 
kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch      1970-01-01 
00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch      2014-04-08 
23:40:12.000000000 +0000
@@ -0,0 +1,75 @@
+Description:
+ Fix NFS deadlock vulnerability. [SA-14:05] (CVE-2014-1453)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:05.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/743984
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=264285
+
+--- kfreebsd-9-9.0.orig/sys/fs/nfsserver/nfs_nfsdserv.c
++++ kfreebsd-9-9.0/sys/fs/nfsserver/nfs_nfsdserv.c
+@@ -1446,10 +1446,23 @@
+               nfsvno_relpathbuf(&fromnd);
+               goto out;
+       }
++      /*
++       * Unlock dp in this code section, so it is unlocked before
++       * tdp gets locked. This avoids a potential LOR if tdp is the
++       * parent directory of dp.
++       */
+       if (nd->nd_flag & ND_NFSV4) {
+               tdp = todp;
+               tnes = *toexp;
+-              tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred, p, 0);
++              if (dp != tdp) {
++                      NFSVOPUNLOCK(dp, 0);
++                      tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++                          p, 0);      /* Might lock tdp. */
++              } else {
++                      tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++                          p, 1);
++                      NFSVOPUNLOCK(dp, 0);
++              }
+       } else {
+               tfh.nfsrvfh_len = 0;
+               error = nfsrv_mtofh(nd, &tfh);
+@@ -1470,10 +1483,12 @@
+                       tnes = *exp;
+                       tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+                           p, 1);
++                      NFSVOPUNLOCK(dp, 0);
+               } else {
++                      NFSVOPUNLOCK(dp, 0);
+                       nd->nd_cred->cr_uid = nd->nd_saveduid;
+                       nfsd_fhtovp(nd, &tfh, LK_EXCLUSIVE, &tdp, &tnes, NULL,
+-                          0, p);
++                          0, p);      /* Locks tdp. */
+                       if (tdp) {
+                               tdirfor_ret = nfsvno_getattr(tdp, &tdirfor,
+                                   nd->nd_cred, p, 1);
+@@ -1488,7 +1503,7 @@
+               if (error) {
+                       if (tdp)
+                               vrele(tdp);
+-                      vput(dp);
++                      vrele(dp);
+                       nfsvno_relpathbuf(&fromnd);
+                       nfsvno_relpathbuf(&tond);
+                       goto out;
+@@ -1503,7 +1518,7 @@
+               }
+               if (tdp)
+                       vrele(tdp);
+-              vput(dp);
++              vrele(dp);
+               nfsvno_relpathbuf(&fromnd);
+               nfsvno_relpathbuf(&tond);
+               goto out;
+@@ -1512,7 +1527,7 @@
+       /*
+        * Done parsing, now down to business.
+        */
+-      nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
++      nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);
+       if (nd->nd_repstat) {
+               if (nd->nd_flag & ND_NFSV3) {
+                       nfsrv_wcc(nd, fdirfor_ret, &fdirfor, fdiraft_ret,
diff -Nru kfreebsd-9-9.0/debian/patches/series 
kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series        2014-01-22 22:15:54.000000000 
+0000
+++ kfreebsd-9-9.0/debian/patches/series        2014-04-08 23:34:37.000000000 
+0000
@@ -18,6 +18,7 @@
 disable_via_rng.diff
 EN-14_02.mmap.patch
 fix_lseek_zfs.diff
+SA-14_05.nfsserver.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff
