
Issue 737108

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security




CVE-2017-8797: Linux kernel NFSv4 server is vulnerable to a remote DoS attack

Project Member Reported by mnissler@chromium.org, Jun 27 2017

Issue description

Per http://www.openwall.com/lists/oss-security/2017/06/27/5:

The NFSv4 server in the Linux kernel does not properly validate layout type
when processing NFSv4 pNFS LAYOUTGET operand. The provided input
value is not properly validated and is used for array dereferencing. OOPS
is triggered which leads to DoS of knfsd and eventually to soft-lockup of
whole system.

In addition, on normal processing path there is a C undefined behavior
weakness that can lead to out of bounds array dereferencing.

The attack vector requires that the attack host is within host mask of exported
NFSv4 mount or source address spoofing is not properly mitigated in the network.
The attack payload fits to single one-way UDP packet. The kernel must be
compiled with CONFIG_NFSD_PNFS enabled, which seems to be the case
with many vendor kernels.

The issue has been verified to be reproducible at least with unpatched v4.4, v4.8
and v4.11 baselines.

Upstream patches in mainline: (available in stable releases, too)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=b550a32e60a4941994b437a8d662432a486235a5
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=f961e3f2acae94b727380c0b74e2d3954d0edf79

The issue was found by Jani Tuovila from Synopsys Ltd with Synopsys Defensics fuzzer.


I think we don't use this code right now (i.e. CONFIG_NFSD is not set), however it might make sense to apply the fix should the containers folks decide they want to enable the kernel NFS server.
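The two defects described above (an untrusted layout type used as an array index, and a C undefined-behaviour path on the normal processing route) share one fix pattern: range-check the client-supplied value before it is used as a shift count or an index. The following is an added, constructed example of that pattern, not code from the kernel, from the upstream commits, or from the reporter; the table contents, the `LAYOUT_TYPE_MAX` bound, the export bitmask and the function names are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table indexed by a client-supplied "layout type".
 * The names and the bound are constructed for this example. */
#define LAYOUT_TYPE_MAX 5

static const char *const layout_names[LAYOUT_TYPE_MAX] = {
    "none", "files", "osd2", "blocks", "flex-files",
};

/* Bitmask of layout types an export is configured to offer (constructed). */
static const uint32_t export_layout_types = (1u << 1) | (1u << 4);

/* Vulnerable shape: the untrusted value is used as a shift count and then
 * as an array index with no range check. Shifting a 32-bit value by 32 or
 * more is undefined behaviour in C, and an index >= LAYOUT_TYPE_MAX reads
 * past the end of the table. Not called with bad input anywhere here. */
const char *layout_lookup_unchecked(uint32_t layout_type)
{
    if (!(export_layout_types & (1u << layout_type)))  /* UB for >= 32 */
        return NULL;
    return layout_names[layout_type];                   /* OOB for >= 5 */
}

/* Hardened shape: reject out-of-range values before any shift or indexing,
 * so every later use of layout_type is within the table and the word size. */
int layout_type_valid(uint32_t layout_type)
{
    return layout_type < LAYOUT_TYPE_MAX;
}

const char *layout_lookup_checked(uint32_t layout_type)
{
    if (!layout_type_valid(layout_type))
        return NULL;            /* would become a protocol error to the client */
    if (!(export_layout_types & (1u << layout_type)))
        return NULL;            /* valid index, but not offered by this export */
    return layout_names[layout_type];
}

int main(void)
{
    /* Constructed inputs: one supported type, one unsupported, one past the
     * table, and one large enough to be a bad shift count. */
    const uint32_t inputs[] = { 1, 2, LAYOUT_TYPE_MAX, 40 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *name = layout_lookup_checked(inputs[i]);
        printf("layout_type %u -> %s\n", inputs[i], name ? name : "rejected");
    }
    return 0;
}
```

The ordering matters: the bound check has to come before the bitmask test, because the shift itself is the undefined-behaviour site, and a compiler is free to assume it never executes with a shift count that large.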


Comment 1 by groeck@chromium.org, Jun 27 2017

Status: Assigned (was: Untriaged)
Summary: CVE-2017-8797: Linux kernel NFSv4 server is vulnerable to a remote DoS attack (was: Linux kernel NFSv4 server is vulnerable to a remote DoS attack)

Comment 2 by dgreid@chromium.org, Jun 27 2017

Summary: CVE-2017-8797: Linux kernel NFSv4 server is vulnerable to a remote DioS attack (was: CVE-2017-8797: Linux kernel NFSv4 server is vulnerable to a remote DoS attack)
I'd like to apply the fix to 4.4 and 4.9 at least.  We aren't planning on using the in-kernel NFS server for now but if the patch isn't likely to break anything else it would be nice to have in case we turn it on in a guest OS.

Comment 3 by groeck@chromium.org, Jun 27 2017

#2: I usually apply all security fixes, unless they create substantial conflicts, even if the configuration is currently not enabled in our system. Better safe than sorry. Besides, CONFIG_NFSD_PNFS is enabled in Lakitu.

Comment 4 by groeck@chromium.org, Jun 27 2017

Status: WontFix (was: Assigned)
v4.4:
    b550a32e60a4 is not applicable (the problem was introduced with commit 8a4c3926889e which is not in v4.4).
    f961e3f2acae has already been applied with a stable merge.
v3.18:
    CONFIG_NFSD_PNFS is not supported.

Cc: adityakali@google.com andreyu@google.com

Comment 6 by groeck@chromium.org, Jul 14 2017

Issue 742968 has been merged into this issue.
