Linux Kernel nfs information leakage

2014.02.21
Credit: PJP
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-2038
CWE: CWE-20


CVSS Base Score: 3.7/10
Impact Subscore: 6.4/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello, Linux kernel build with the NFS file system(CONFIG_NFS_FS) along with the support for NFSv4 protocol(CONFIG_NFS_V4) is vulnerable to an information leakage flaw. It could occur while writing to a file wherein NFS server has offered write delegation to the client. Such delegation allows NFS client to perform the said operation locally without instant interaction with the server. A user/program could use this flaw to leak kernel memory bytes. Upstream fix: ------------- -> https://git.kernel.org/linus/263b4509ec4d47e0da3e753f85a39ea12d1eff24 We should always make sure the cached page is up-to-date when we're determining whether we can extend a write to cover the full page -- even if we've received a write delegation from the server. Commit c7559663 added logic to skip this check if we have a write delegation, which can lead to data corruption such as the following scenario if client B receives a write delegation from the NFS server: Client A: # echo 123456789 > /mnt/file Client B: # echo abcdefghi >> /mnt/file # cat /mnt/file 0�D0�abcdefghi Just because we hold a write delegation doesn't mean that we've read in the entire page contents. diff --git a/fs/nfs/write.c b/fs/nfs/write.c index 77a00c6..a44a872 100644 --- a/fs/nfs/write.c +++ b/fs/nfs/write.c @@ -922,19 +922,20 @@ out: * extend the write to cover the entire page in order to avoid fragmentation * inefficiencies. * - * If the file is opened for synchronous writes or if we have a write delegation - * from the server then we can just skip the rest of the checks. + * If the file is opened for synchronous writes then we can just skip the rest + * of the checks. */ static int nfs_can_extend_write(struct file *file, struct page *page, struct inode *inode) { if (file->f_flags & O_DSYNC) return 0; + if (!nfs_write_pageuptodate(page, inode)) + return 0; if (NFS_PROTO(inode)->have_delegation(inode, FMODE_WRITE)) return 1; - if (nfs_write_pageuptodate(page, inode) && (inode->i_flock == NULL || - (inode->i_flock->fl_start == 0 && + if (inode->i_flock == NULL || (inode->i_flock->fl_start == 0 && inode->i_flock->fl_end == OFFSET_MAX && - inode->i_flock->fl_type != F_RDLCK))) + inode->i_flock->fl_type != F_RDLCK)) return 1; return 0; } Reference: ---------- -> https://bugzilla.redhat.com/show_bug.cgi?id=1067341 Thank you. -- Prasad J Pandit / Red Hat Security Response Team

References:

https://git.kernel.org/linus/263b4509ec4d47e0da3e753f85a39ea12d1eff24
https://bugzilla.redhat.com/show_bug.cgi?id=1067341
http://seclists.org/oss-sec/2014/q1/412


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top