[CVE-2011-4324] BUG statement in default case of encode_share_access
Tim Gardner
rtg.canonical at gmail.com
Fri Feb 10 13:17:45 UTC 2012
On 02/10/2012 03:14 AM, Stefan Bader wrote:
> CVE-2011-4324:
> User can cause BUG on NFS4 mounted FS via mknod
>
> Fix has hit Lucid and later via mainline. The upstream patch
> for that is a bigger rewrite replacing access modes by the
> fmode_t which was not present before 2.6.28.
>
> Suggesting a minimal backport for Hardy.
>
> ---
>
> From af41fdc3d7c5d68ec75845d15f9ef4c77b31d110 Mon Sep 17 00:00:00 2001
> From: Stefan Bader<stefan.bader at canonical.com>
> Date: Fri, 10 Feb 2012 11:00:49 +0100
> Subject: [hardy CVE] UBUNTU: SAUCE: Return deny all as default in
> encode_share_access
>
> This used to be catched by BUG() which is not only unnecessary.
> It was changed as part of a bigger rewrite that depends on a
> typedef which does not exist before 2.6.28.
>
> CVE-2011-4324
> BugLink: http://bugs.launchpad.net/bugs/917829
>
> (very loosely backported from dc0b027dfadfcb8a5504f7d8052754bf8d501ab9)
> Signed-off-by: Stefan Bader<stefan.bader at canonical.com>
> ---
> fs/nfs/nfs4xdr.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index 51dd380..cc66519 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -967,7 +967,7 @@ static void encode_share_access(struct xdr_stream *xdr, int open_flags)
> WRITE32(NFS4_SHARE_ACCESS_BOTH);
> break;
> default:
> - BUG();
> + WRITE32(0);
> }
> WRITE32(0); /* for linux, share_deny = 0 always */
> }
Why not WRITE32(NFS4_SHARE_DENY_BOTH) ?
Is this testable ?
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list